File inclusion & Path traversal

This page covers path/directory traversal (dot-dot-slash) and local/remote file inclusion (LFI/RFI), together with related techniques such as null-byte injection.

The most common default base directory for web content on Linux is /var/www, for example /var/www/html (the Apache document root on Debian/Ubuntu). Knowing the document root tells you how many ../ segments are needed to reach the filesystem root.

List of common files to read

The following list includes some of the files worth reading once a file inclusion or traversal vulnerability has been found:

Linux

  • /proc/version: version of the running Linux kernel, plus the compiler and distribution build it came from

  • /etc/passwd: the list of local accounts (username, UID, GID, home directory, login shell). Despite the name it no longer holds passwords; it is world-readable, so it is the standard first proof that a traversal works

  • /etc/shadow: the password hashes and password-ageing data for those accounts. It is readable only by root, so retrieving it also shows that the web application runs with elevated privileges

  • /root/.bash_history: the shell command history of the root user, which may contain credentials or internal hostnames typed on the command line

  • /root/.ssh/id_rsa: root's private SSH key; the same path under /home/<user>/.ssh/ holds the key of any other valid user on the server

Windows

  • C:\boot.ini: boot options on legacy Windows systems with BIOS firmware (Windows NT through XP / Server 2003). It is absent on later versions, where C:\Windows\win.ini is the usual world-readable file to confirm a traversal

Path traversal attack with wfuzz

For example, suppose we have found a PHP file on the server named file.php that accepts a query parameter input and returns the contents of the file it names. A fuzzing tool can then try a list of traversal payloads in that parameter and report which ones return something other than the usual error.

Basic command with wfuzz:

$ wfuzz -w <path_to_wordlist> "<url>/file.php?input=FUZZ"

Often many irrelevant results are returned, typically every payload that produced the same error page. Filter flags such as --hc (hide responses with the given HTTP status code, e.g. --hc 404) and --hl (hide responses with the given number of lines, e.g. the line count of the error page) remove them, leaving only responses that differ from the baseline.

The traversal wordlist shipped with wfuzz can be used: /usr/share/wfuzz/wordlist/Injections/traversal.txt

Fuzzing examples

Null-byte injection

A null byte is a control character with the value zero. It is written 0x00 in hex, %00 in URL encoding, or simply \0 in the C programming language, where it marks the end of a string (hence the names null terminator or null character).

In a null-byte injection attack the null byte is used to bypass input validation. PHP, like other web languages built on C, historically passed file paths to the C library as null-terminated strings. The library therefore stopped reading at the first null byte, so a payload such as ../../etc/passwd%00 caused anything the application appended after the parameter (typically a fixed extension like .php) to be silently dropped: the validation saw the full string, the filesystem saw only the part before %00.

This issue was fixed in PHP 5.3.4, whose filesystem functions reject any path containing a null byte: https://bugs.php.net/bug.php?id=39863
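As an added example (not code from these notes, from wfuzz or from PHP), the fuzz run of the previous section and the null-byte truncation described here are modelled offline in Python. file.php is simulated as include($_GET['input'] . '.php') resolving relative paths under a pages/ directory of a fake /var/www/html document root kept in a dict; the in-memory filesystem, that include directory and the appended .php suffix are assumptions made for the example. vulnerable_include reproduces the pre-5.3.4 C-string truncation, hardened_include rejects the null byte and confines the resolved path, and traversal_payloads stands in for a wordlist such as traversal.txt.

```python
"""Offline model of a traversal / null-byte fuzz run against a PHP-style include.

Added example, not code from the original notes. The fake filesystem, the
pages/ include directory and the appended '.php' suffix are assumptions.
"""
from typing import Callable, Iterator, List, Optional
from urllib.parse import unquote

DOCROOT = "/var/www/html"
INCLUDE_DIR = DOCROOT + "/pages"   # where relative includes are resolved (assumed)

# Constructed in-memory filesystem standing in for the server.
FAKE_FS = {
    DOCROOT + "/index.php": "<?php echo 'home'; ?>",
    INCLUDE_DIR + "/about.php": "<?php echo 'about'; ?>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/etc/shadow": "root:$6$saltsalt$hashhash:19000:0:99999:7:::\n",
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes the way the kernel resolves them."""
    parts: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()        # '..' at the root stays at the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def vulnerable_include(user_input: str) -> Optional[str]:
    """Pre-5.3.4 behaviour of include($_GET['input'] . '.php').

    The path reaches the C library as a NUL-terminated string, so everything
    after the first NUL byte (here the appended '.php') is silently dropped.
    """
    decoded = unquote(user_input)                    # the web server URL-decodes once
    path = (decoded + ".php").split("\x00", 1)[0]    # C string truncation
    if not path.startswith("/"):
        path = INCLUDE_DIR + "/" + path
    return FAKE_FS.get(normalize(path))


def hardened_include(user_input: str) -> Optional[str]:
    """Reject NUL bytes and confine the resolved path to INCLUDE_DIR.

    The NUL check mirrors what PHP >= 5.3.4 does itself; the base-directory
    check is the step the application still has to add against plain traversal.
    """
    decoded = unquote(user_input)
    if "\x00" in decoded:
        return None
    resolved = normalize(INCLUDE_DIR + "/" + decoded + ".php")
    if not resolved.startswith(INCLUDE_DIR + "/"):
        return None
    return FAKE_FS.get(resolved)


def traversal_payloads(target: str = "etc/passwd", max_depth: int = 6) -> Iterator[str]:
    """Yield the kind of candidates a traversal wordlist carries: dot-dot-slash at
    increasing depth, the same URL-encoded, and each of those with a trailing %00."""
    for depth in range(1, max_depth + 1):
        for prefix in ("../" * depth, "%2e%2e%2f" * depth):
            yield prefix + target
            yield prefix + target + "%00"


def fuzz(include_fn: Callable[[str], Optional[str]], payloads: List[str]) -> List[str]:
    """Return the payloads that made the target return file content (the hits)."""
    return [p for p in payloads if include_fn(p) is not None]


if __name__ == "__main__":
    candidates = list(traversal_payloads())
    print("vulnerable hits:", fuzz(vulnerable_include, candidates))
    print("hardened hits:  ", fuzz(hardened_include, candidates))
```

Against the vulnerable target only the %00 payloads deep enough to climb out of /var/www/html/pages succeed; without the null byte the server looks for /etc/passwd.php, which is why a traversal that "should work" can appear to fail. The fuzz function keeps only hits, which is what the --hc/--hl filters do for a real wfuzz run where the misses come back as an error page rather than None.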

Automated file inclusion tool
