Understanding File Inclusion
Let's delve into the concept of "file inclusion" and its potential vulnerabilities, especially tailored for beginners.
File inclusion is a common practice in programming, particularly in the context of code reusability. Developers often encapsulate frequently used functions or modules into separate files. When these functions or modules are required, they simply include these files in their code, eliminating the need to write the same code repeatedly.
In PHP, there are four primary functions for file inclusion:
include()require()include_once()require_once()
Here's a brief overview of each:
include(): This function includes a file when it is invoked. If the file is not found, PHP issues a warning, but the script continues to run.require(): This function includes a file before the script starts running. If the file is not found, PHP issues a fatal error and halts the script.include_once() and require_once(): These functions work similarly to include() and require(), but they ensure the file is included only once, even if the function is called multiple times.
File inclusion methods can be broadly categorized into two types:
- Static inclusion
- Dynamic inclusion
The distinction between these two types will be clarified with an example in the following sections.
In our course, we will be exploring three .php files located in the /home/labex/project/ directory. These are:
lfi_static.phplfi_dynamic.phpecho.php
Let's understand what each file does:
-
lfi_static.php: This file includes the echo.php file in a static manner. In other words, the path to the echo.php file is hard-coded and doesn't change. This method is secure and doesn't expose any vulnerabilities.
<?php
include("./echo.php");
?>
-
lfi_dynamic.php: This file includes other files based on a 'file' parameter in the URL. If this parameter isn't provided, it simply provides a hint on how to use it. However, this method can be risky if the parameter is controlled by an attacker.
<?php
if (isset($_GET['file'])) {
include($_GET['file']);
}
else{
echo "You can use the 'file' parameter to include files";
}
?>
-
echo.php: This file simply outputs a success message when included.
<?php
echo 'Great, now you have successfully included the content of echo.php!'
?>
Use the following commands in terminal to prepare the image for lfi test:
cd ~/projects
docker build -t lfi-image .
When the image build done, you can use the image to start a container for test the lfi vuln:
docker run -d --name lfi -p 80:80 lfi-image
Now you can test these files in your browser. For example, to access the lfi_static.php file, you would enter the following URL:
http://127.0.0.1/LFI/lfi_static.php
You'll see that the lfi_static.php file successfully includes the content of echo.php. Remember, this static method of including files is secure.
Now, let's look at the lfi_dynamic.php file. Access it using this URL:
http://127.0.0.1/LFI/lfi_dynamic.php
You'll see a prompt telling you to use the 'file' parameter. Let's do that and include echo.php:
http://127.0.0.1/LFI/lfi_dynamic.php?file=./echo.php
You'll see that echo.php is successfully included. This demonstrates how file inclusion works. It's important to remember that while this is a PHP example, the principles apply to other programming languages, even though the specific functions used might be different.
