In this article we will learn about File inclusion attacks
Introduction[File inclusion attacks]
A file injection vulnerability allows an attacker to access unauthorized or sensitive files available on a web server or execute malicious files on a web server via the “include” function. This vulnerability is primarily caused by a poor input validation mechanism where user input is passed to include statements without proper validation. The impact of this vulnerability can lead to the execution of malicious code on the server or reveal data present in sensitive files, etc.
Before we get into the details of this vulnerability, let’s briefly understand how the “include” command works. Simply put, the include command takes all the content present in the specified file and copies it to the file that contains the include command.
File include methods are used to avoid recoding and reuse. Developers can also use include statements to include data common to most files in an application. The most common use of the include statement is for footers, headers, menu files, etc. The example below explains the basic use of the include function.
Now the “menu.php” file is included in the abc.html file and whenever the “abc.html” file is accessed, the code present in the “menu.php” file is copied to the “abc.html” file and is executed.
Now that the workings of the include statement are clear, let’s move on to the file inclusion vulnerability. Next, we’ll look at file inclusion vulnerabilities in two different categories, depending on whether it’s a remotely hosted file or a local file available on a web server:
- Remote include file
- Include local file
Remote include file
RFI allows an attacker to include and execute a remotely hosted file using a script by including it in the attack page. An attacker can use RFI to run malicious code either on the client side or on the server. The impact of this attack can vary from temporarily stealing session tokens or data when the client is the target, to complete system compromise when the application server is the target.
Remote include file in PHP
PHP is highly vulnerable to RFI attacks due to the extensive use of file include commands and the default server configuration. First, we need to find the location where the remote file is included in the application based on user input. The user input is taken by the include functions in PHP and without proper input validation, the target site will execute whatever input is provided in the vulnerability parameter.
One of the vulnerable places could be the following, where the value of the “testfile” parameter is entered by the user: www.victim_site.com/abc.php?testfile=example
The vulnerable PHP code is as follows: $test = $_REQUEST[“testfile”]; Include($test.”.php”);
In the code above, the “testfile” parameter is taken from the request and is the value entered by the user. The code will take the value of “testfile” and directly include it in the PHP file.
The following is one of the possible attack vectors for the above vulnerable PHP code:
The “attack_page” file is now included in the vulnerable include page available on the server and will be executed whenever the “abc.php” page is accessed or executed. An attacker can carve malicious code into this “attack_page” and perform malicious activities.
Remotely include a file in a JSP
Consider a scenario where a JSP page uses the “c:import” tag as follows to import a user-supplied remote file into the current JSP page via the “test” input parameter.
The following vector can be one of the attack vectors for the above code:
The malicious script present in “stealingcookie.js”, which is available on the remote host and controlled by the attacker, is now imported to the victim’s website.
Include local file
The local file inclusion vulnerability is the process of including local files available on the server. This vulnerability occurs when user input contains a path to a file that must be included. If such input is not properly sanitized, an attacker can enter some default filenames and gain access to unauthorized files, or an attacker can also use directory traversal characters to retrieve sensitive files available in other directories.
Including a local file in PHP:
- Consider an example as follows where we can apply this attack.
- The value of “file” parameter is taken into the following PHP code, and the file is included:
An attacker can now provide malicious input to the “file” parameter, which could obtain unauthorized files located in the same directory, or use directory traversal characters such as “/” to move to other directories.
For example, an attacker can obtain logs by specifying input such as “/apache/logs/error.log” or “/apache/logs/access.log”, or obtain user credentials by specifying input such as “/.. /etc/passwd” in the system similar to UNIX.
In special cases where the file extension is the default type that is added to the user input during file embedding, the best way to avoid adding the default extension is to use the null byte terminator ” %00″. A script that enforces a file extension may be secure, but the user input given to it by appending the null byte “%00” to the end of the URL can be used to perform malicious activity by accessing any file type.
Assume that the given input is taken from the following code and the default extension being set is “.php”.
Now, if an attacker wants to access a file that is not of type “txt”, the attacker can use %00 (zero byte character) after the file name. Therefore, the attack vector for the above code could be the following, which retrieves a password file available on a UNIX-like web server.
To include a local file in a JSP:
Suppose the following URL is requested in an application and the “test” parameter is taken as input in the include statement: www.victim_site.com/abc.jsp?test=xyz.jspThe value of the test parameter is passed to the include statement present in the following code:
The attack vector for the above code could be as follows, where a valid database file can be given as input, and due to the application vulnerability contained in the local file, the database file is included in the JSP page: www.victim_site. com/abc.jsp?test=/WEB-INF/database/passwordDB
Since the root cause of these vulnerabilities is improper input validation, the remediation suggestions for the include file mainly revolve around sanitizing the input received.
Use only characters and numbers (A-Z 0-9) for file names. Disable all special characters that are useless in the file name.
Limit the API to only include files from one allowed directory to also prevent directory traversal.
From the information above, we can conclude that file inclusion attacks can sometimes be more harmful than SQL injection, etc. — so there is a great need to fix such vulnerabilities. And proper input validation is the only key to avoid such vulnerabilities.
Also Read:Ethical Hacking Interview Questions 2023