File Inclusion Vulnerabilities (LFI/RFI)

File inclusion vulnerabilities occur when applications dynamically include files based on user input without proper validation. These powerful vulnerabilities can lead to information disclosure, source code exposure, and even remote code execution.

Understanding File Inclusion

Web applications often need to include files dynamically. PHP include and require functions load external files at runtime. When the filename comes from user input without sanitization, attackers gain control over which files get loaded.

Local File Inclusion (LFI)

LFI allows reading files from the server filesystem. The classic example exploits path traversal to escape the intended directory. Common targets for LFI exploitation include:

Linux Systems:

• /etc/passwd - User enumeration


• /etc/shadow - Password hashes (if readable)


• /var/log/apache2/access.log - Log poisoning


• /proc/self/environ - Environment variables

Windows Systems:

• Windows hosts file


• Windows configuration files


• IIS log files

LFI to RCE Techniques

Log Poisoning

Inject PHP code into log files, then include them. The User-Agent header is written to access logs, which can be included via LFI.

PHP Wrappers

Use PHP stream wrappers for various attacks. The filter wrapper reads source code, while the input wrapper executes code from POST data.

Remote File Inclusion (RFI)

RFI is more dangerous as it allows including files from external servers. For RFI to work, PHP settings must allow remote includes.

Prevention

Applications should never use user input directly in file operations. Proper defenses include whitelisting allowed files, using parameterized includes, and disabling remote file inclusion.