File inclusion
Vulnerabilities covered: path/directory traversal (dot-dot-slash) and local/remote file inclusion (LFI/RFI). Related techniques are also discussed.
The most common default base directory for web content is /var/www, with the document root typically at /var/www/html.
List of common files to read
The following list includes some of the common files to read when a file inclusion vulnerability is discovered:
Linux
/proc/version: version of the Linux kernel
/etc/shadow: contains information about all registered users that have access to the system
/etc/passwd: contains information about the system's users' passwords
/root/.bash_history: contains the command history of the root user
/root/.ssh/id_rsa: contains the private SSH key for root, or for any known valid user on the server
Windows
C:\boot.ini: contains the boot options for computers with BIOS firmware
Path traversal attack with wfuzz
E.g. suppose we have found a PHP file on the server named file.php that accepts a query parameter input, allowing us to view the contents of a specified file. A fuzzing tool can be used to test which paths are vulnerable to a traversal attack.
Basic command with wfuzz:
Sometimes many unnecessary results are returned. Filter flags such as --hc (hide by response code) and --hl (hide by line count) can be used to hide unwanted results.
The following wordlist can be used: /usr/share/wfuzz/wordlist/Injections/traversal.txt
Null-byte injection
A null byte is a control character with the value zero. It can be represented as 0x00 in hex, %00 in URL encoding, or simply \0 in the C programming language (where it marks the end of a string; also known as a null terminator or null character).
In a null-byte injection attack, the null byte is used to bypass input validation. Some languages used on the web, such as PHP, use string-handling methods similar to those of C, so they are vulnerable to this attack: the null byte is interpreted as the string terminator, and anything the application appends after the user-controlled part of the input can be cut off.
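As an added example (not code from the original page), the following Python validator checks the file.php?input= parameter from the traversal example above for both the dot-dot-slash and the null-byte patterns, and a second function runs it over constructed access-log lines so the same logic can be used for detection. It assumes /var/www/html as the web root; the log lines and client addresses are constructed.

```python
import os
import re
from urllib.parse import unquote

# Assumed web root; the page names /var/www/html as the common default.
WEB_ROOT = "/var/www/html"

def check_include_param(raw_value, web_root=WEB_ROOT):
    """Validate the value of file.php?input=... before it reaches include().

    Returns (resolved_path, None) when the value stays inside web_root,
    otherwise (None, reason). Decode first: %00 and %2e%2e%2f only show
    their real bytes after URL-decoding.
    """
    decoded = unquote(raw_value)
    if "\0" in decoded:
        # In C-style string handling a NUL ends the string early and drops
        # anything the application appends afterwards (e.g. a forced ".php").
        return None, "null-byte"
    if os.path.isabs(decoded):
        return None, "absolute-path"
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None, "traversal"  # dot-dot-slash climbed above the web root
    return candidate, None

# Constructed access-log lines (not real traffic), combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /file.php?input=about.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /file.php?input=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /file.php?input=..%2F..%2Fetc%2Fshadow%00 HTTP/1.1" 200 870
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /file.php?input=/proc/version HTTP/1.1" 200 99
"""

PARAM_RE = re.compile(r'"GET /file\.php\?input=([^ "]+) HTTP/')

def flag_suspicious_requests(log_text):
    """Run every input= value through the validator and return the rejected
    ones as (client_ip, raw_value, reason) for triage."""
    hits = []
    for line in log_text.splitlines():
        m = PARAM_RE.search(line)
        if not m:
            continue
        _, reason = check_include_param(m.group(1))
        if reason:
            hits.append((line.split()[0], m.group(1), reason))
    return hits
```

PHP 5.3.4 and later reject paths containing a null byte in filesystem functions such as include(), so the truncation described above mainly affects older installations; the traversal check is needed on every version.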
Automated file inclusion tool (test pending...)