LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

File Inclusions

1 year ago 70
BOOK THIS SPACE FOR AD
ARTICLE AD
Credit: D3Damon

Hey folks, Today we are going to talk about the another basic vector called File inclusions. For the purpose of exploiting file inclusion vulnerabilities in an application first we need to understand what is file inclusion and how it occurs on an application. So that we can find and exploit these type of vulnerabilities easily. So what is file inclusion vulnerability in an application and how it helps to get a shell on the system. Apart from that we need to aware that this type of vulnerability serve high to critical severity in the wild.

In simple terms file inclusion is a type of feature available in programming language like PHP based applications where the file is included on the application for the purpose of application’s functionality. Let’s say for an example: “ The endpoint allows to add the user.php page as a normal functionality which is a very usual behavior for the applications based on PHP. http[://]www.vulnerable.app/section/?file=user.php . The vulnerability happens when the application is not validating the URL parameter file and includes what ever user supplied data without any validation on the server side. If the application is vulnerable to this type of attack and if successfully identify the endpoints which is capable of including the user supplied data without any validations, as an attacker we can able to include any kind of data which is available on the system. For the purpose of identifying the files available on the system we need to find the file system or directory tree available on the system. Here we need a help from the directory traversal attack that we covered on our last blog . Since most of the time finding and exploiting the directory traversal and file inclusion will overlap.

There are 2 types of file inclusion vulnerabilities available in the wild and they are namely :

Local File inclusions.Remote File inclusions.

The main deference between these two is lied on the type of file that we are able to include on the vulnerable application.

For example if the application is vulnerable only to local file inclusion and we need to put our payload on the target application server in order to exploit these type of vulnerability, for example if our application is allows to upload the file without any restriction we can leverage that to upload a file containing our payload(or shell) to the system and include that file path in the vulnerable endpoint (some times applications will validate the type of file that we are uploading and most cases it will not allow the PHP codes, another type of defense is we cannot see the uploaded files exact locations). We will not give up if we find this type of vulnerability on the application. Here comes another efficient method to exploit the vulnerable application.

Another scenario is to inject our payload in the log by use of user-agent header or other techniques the idea here is many application servers will log the end user’s data such as IP, host header and user-agents header, etc. If we are able to log our payload using the this method we only need to include the server log path in the vulnerable endpoint and boom we will get the shell according to our payload. (Since operating systems will provide standardized path for those kinds of logs for eg: linux logs web logs are available in /var/ directory)

And if we got the remote file inclusion vulnerability we have the luxury to choose what ever payload that we like to include, Since it will include the external files from external URLs. Kind of cool right?

Now a days RFI vulnerabilities are less than the LFI since the application developer needs to enable the “allow_url_include” externally which means this feature is not enabled by default on newer versions of PHP.

How ever we need to identify our playground before we can play !, right? With that in mind we are starting our endpoint discovery. First we need to identify the URL endpoints that including the file name as a parameter. For a simple example is like: http[://]vulnerable[.]app/menu.php?file=index.php

What if the application developer forgot to whitelist the files that he needs to include. Then the application will allow users to include arbitrary files as they need. how ever it will only include the files with in the application server itself, since we are focusing on Local File Inclusions a.k.a LFI. As we already know the techniques to include our payload in the application. We can leverage that vulnerability in to Code Execution.

What if the application feature allows to include the URL as a parameter. For example : http[://]vulnerable.app/menu.php?file=http[://]localhost:4444/shell.php , Then we have the luxury to choose whatever payload as we like which is a kind of cool right?

I have find simple file inclusion vector in my recent test. Don’t think the developer is smart always. Beyond that they are also humans. Try to make the internet safer by wearing white-hat :)

External Materials:

Portswigger academy have decent amount of labs and tutorials to get hands wet and they also provide the cheat sheets.OWASP.org have techniques from the attacker perspective and mitigations from the developer perspective and owasp has also provide good cheat sheets.Internet is the key to external world, Search and research.

Thank you…

Read Entire Article
  3. File Inclusions

Related

How to baypass scaping filter(\)

How to baypass scaping filter(\)

How We Prevented a Mass Breach On One OF The Biggest CryptoCurrency Gateways On A Web3 Platform.

How We Prevented a Mass Breach On One OF The Biggest CryptoCurrency Gateways On A Web3 Platform.

The Ultimate Guide to CISSP’s Eight Security Territories

The Ultimate Guide to CISSP’s Eight Security Territories

Unraveling the Nuances of 403 Bypass: Strengthening Web Application Security

Unraveling the Nuances of 403 Bypass: Strengthening Web Application Security

Private Interact.sh server setup with a web dashboard

Private Interact.sh server setup with a web dashboard

Found Multiple Bugs :: XSS, MITM, Sec-MisConf :: In an Educational Site

Found Multiple Bugs :: XSS, MITM, Sec-MisConf :: In an Educational Site

Trending

1. Tech Mahindra
2. Tejasvi Surya
3. Pavi Caretaker
4. NBSE Result 2024
5. HUDCO share price
6. Yodha
7. Bajaj Finance share price
8. Laapataa Ladies
9. The Family Star
10. Rathnam

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved