File inclusion

Vulnerabilities covered here include path/directory traversal (dot-dot-slash) and local/remote file inclusion. Related techniques are discussed below.

The most common default base directory for web content is /var/www, for example /var/www/html.
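The following added example (not code from the original page) shows the defect behind path traversal and one way to close it: a naive join of the web root with user input beside a resolver that rejects embedded null bytes, normalises the path and checks that the result still sits under the web root. The web root value mirrors the /var/www/html default mentioned above; the function names and the lexical (symlink-unaware) containment check are this example's own choices, so a deployment that follows symlinks should resolve with os.path.realpath instead.

```python
import posixpath
from typing import Optional

# Assumed base directory for served files (mirrors the /var/www/html default above).
WEB_ROOT = "/var/www/html"


def vulnerable_path(user_input: str, web_root: str = WEB_ROOT) -> str:
    """Naive join, i.e. the defective 'before' pattern: '..' segments are never
    collapsed or checked, so '../../../etc/passwd' escapes the web root."""
    return web_root + "/" + user_input


def safe_path(user_input: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Resolve a user-supplied relative path to an absolute path inside web_root,
    or return None when the input must be rejected.

    Checks, in order:
      1. an embedded NUL byte (null-byte injection) is rejected outright, because
         C-backed file APIs would truncate the string at that point;
      2. the joined path is normalised lexically ('.', '..' and '//' collapsed);
      3. the normalised result must still be the root or a path below it.
    """
    if "\x00" in user_input:
        return None
    # Treat a leading slash as relative to the root rather than to the filesystem.
    relative = user_input.lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Containment: exactly the root, or root followed by a separator. Comparing
    # against root + '/' prevents '/var/www/htmlx' from passing as inside root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("index.php", "images/../index.php", "../../../etc/passwd",
                  "index.php\x00.png"):
        print(repr(probe), "->", safe_path(probe))
```

The lexical check is enough to stop dot-dot-slash sequences; it does not protect against a symlink inside the web root that points outside it, which is why a real deployment resolves the candidate with realpath before the containment test.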

List of common files to read

The following list includes some of the common files to read when a file inclusion vulnerability is discovered:

Linux

  • /proc/version: Version of the Linux kernel

  • /etc/shadow: contains information about all registered users who have access to a system

  • /etc/passwd: contains information about the system's users' passwords

  • /root/.bash_history: contains the command history of the root user

  • /root/.ssh/id_rsa: contains private SSH keys for a root or any known valid user on the server

Windows

  • C:\boot.ini: contains the boot options for computers with BIOS firmware

Path traversal attack with wfuzz

Basic command:

$ wfuzz -w <path_to_wordlist> <url>/file.php?input=FUZZ

Sometimes many unnecessary results are returned. Filter flags such as --hc and --hl can be used to hide unwanted results (by HTTP status code and by response line count, respectively).

Using the wordlist provided by wfuzz

$ wfuzz -w /usr/share/wfuzz/wordlist/Injections/traversal.txt <url>/file.php?input=FUZZ

Null-byte injection

A null byte is a control character with the value zero; it can be represented as 0x00 in hex, %00 in URL encoding, or simply \0 in the C programming language (where it marks the end of a string; it is also known as the null terminator or null character).

In a null-byte injection attack, the null byte is used to bypass input validation. Languages used on the web such as PHP use string-handling methods similar to those of the C programming language and are therefore vulnerable to this attack: the null-byte character is interpreted as the string terminator, which can cause the input to be prematurely terminated.

This issue was fixed in PHP 5.3.4: https://bugs.php.net/bug.php?id=39863
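As an added detection-side example (not from the original page), the block below scans web server access logs in the combined format for the two indicators this page covers: dot-dot-slash traversal sequences, including URL-encoded and double-encoded forms, and an embedded %00 null byte. The log lines are constructed for the example; the IP addresses, timestamps, user agents and the regular expressions are assumptions of this example and not taken from any real server.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/Nginx "combined" format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /file.php?input=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /file.php?input=../../../etc/passwd HTTP/1.1" 200 1024 "-" "Wfuzz/3.1.0"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /file.php?input=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 230 "-" "Wfuzz/3.1.0"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /file.php?input=%2e%2e%252f%2e%2e%252fboot.ini HTTP/1.1" 404 180 "-" "Wfuzz/3.1.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /file.php?input=../config.php%00.png HTTP/1.1" 200 900 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2023:13:56:05 +0000] "GET /images/logo.png HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A '..' segment followed by a forward or back slash, checked on the decoded target.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as %252e
    are seen in their final form; stops early once decoding no longer changes
    the string."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list:
    """Return the indicators present in one request target (empty if benign)."""
    decoded = fully_decode(target)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if "\x00" in decoded:
        findings.append("null-byte")
    return findings


def scan_log(text: str) -> list:
    """Parse combined-format lines and return one record per suspicious request.
    The HTTP status is kept because a 200 on a traversal payload means the
    request likely succeeded and deserves priority over a 403/404."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than guessed at
        findings = classify(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"], hit["target"])
```

Decoding is bounded to a few rounds so a log line cannot keep the scanner busy indefinitely, and the status code is carried through because a 200 response to a traversal payload is the record to triage first.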

Automated file inclusion tool (not tested)
