File inclusion
Vulnerabilities covered: path/directory traversal (dot-dot-slash) and local/remote file inclusion, along with related techniques.
The most common default base directory for web content is /var/www, such as /var/www/html.
List of common files to read
The following list includes some of the common files to read when a file inclusion vulnerability is discovered:
Linux
/proc/version: version of the Linux kernel
/etc/shadow: contains information about all registered users that have access to the system
/etc/passwd: contains information about the system's users' passwords
/root/.bash_history: contains the command history of the root user
/root/.ssh/id_rsa: contains the private SSH key of root or of any other known valid user on the server
Windows
C:\boot.ini: contains the boot options for computers with BIOS firmware
Path traversal attack with wfuzz
Basic command:
Sometimes many unnecessary results are returned. Filter flags such as --hc (hide by response code) and --hl (hide by line count) can be used to hide unwanted results.
Using the wordlist provided by wfuzz
Null-byte injection
A null byte is a control character with a value of zero. It can be represented as 0x00 in hex, %00 in URL encoding, or simply \0 in the C programming language (where it represents the end of a string; also known as a null terminator or null character).
In a null-byte injection attack, the null byte is used to bypass input validation. Languages used on the web such as PHP use string-handling methods similar to those of the C programming language, so they are vulnerable to this attack: the null byte is interpreted as the string terminator, which causes the input to be prematurely truncated.
This issue was fixed in PHP 5.3.4 (https://bugs.php.net/bug.php?id=39863).
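As an added example (not code from the original page), the following Python models the truncation described above: a C-style string API drops everything after the first NUL, so an extension check that runs on the full decoded string passes while the file actually opened is a different one. The hardened function rejects NUL bytes and confines the normalized path to an assumed document root of /var/www/html; the sample inputs are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed document root, taken from the page's example (/var/www/html).
WEB_ROOT = "/var/www/html"


def c_style_truncate(s: str) -> str:
    """Model a C-backed file API: everything after the first NUL byte is ignored."""
    return s.split("\0", 1)[0]


def naive_check(user_path: str) -> bool:
    """Weak validation: only looks at the extension of the URL-decoded input."""
    return unquote(user_path).endswith(".txt")


def path_seen_by_open(user_path: str) -> str:
    """The filename a NUL-truncating open() would actually receive."""
    return c_style_truncate(unquote(user_path))


def safe_resolve(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Hardened version: reject NUL bytes, check the extension, then confine the
    normalized path to the document root. Returns None when the input is rejected.
    normpath does not follow symlinks; on a real filesystem also resolve the
    candidate with os.path.realpath before comparing it against the root."""
    decoded = unquote(user_path)
    if "\0" in decoded:
        return None
    if not decoded.endswith(".txt"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a traversal, and a null-byte bypass.
    for p in ["notes.txt", "../../../etc/passwd", "../../../etc/passwd%00.txt"]:
        print(f"{p!r}: naive={naive_check(p)} opens={path_seen_by_open(p)!r} "
              f"safe={safe_resolve(p)!r}")
```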
Automated file inclusion tool (not tested)