Beginner Guide to File Inclusion Attack (LFI/RFI)

You can insert the content of one PHP file into another PHP file before the server executes it, with the include () function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help developers to make it easy to change the layout of complete website with minimal effort.

If there is any change required then instead of changing thousands of files just change included file.

Assume we have a standard footer file called "footer.php", that looks like this

echo "Copyright © 2010-" . date("Y") . "

To include the footer file in a page, use the include statement

Welcome to Hacking Articles

Some text.
Some more text.

Example 2

Assume we have a file called "vars.php", with some variables defined:


Welcome to my home page!

echo "I have a $color $car.";

Output: I have red BMW

PHP Require Function
The require statement is also used to include a file into the PHP code.
However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:
Example 3

Welcome to my home page!

include 'noFileExists.php';
echo "I have a $color $car.";

Output: I have a
If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

Welcome to my home page!

require 'noFileExists.php';
echo "I have a $color $car.";

No output result

PHP Required_once Function

Require_once() using this function we can access the data of another page once when you may need to include the called file more than once, It works the same way. The only difference between require and require_once is that If it is found that the file has already been included, calling script is going to ignore further inclusions.

Example 4

echo "Hello";



outputs: "Hello"

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini

allow_url_include = On

File Inclusion Attacks

It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability arises when a web application lets the client to submit input into files or upload files to the server.

This can lead following attacks:

·         Code execution on the web server
·         Cross Site Scripting Attacks (XSS)
·         Denial of service (DOS)
·         Data Manipulation Attacks

Two Types:
Local File Inclusion
Remote File Inclusion

Local File Inclusion (LFI)

Local file inclusion vulnerability occur when a file to which to PHP account has accessed is passed as a parameter to the PHP function “include”, or “require_once”

This vulnerability occurs, for example, when a page receives, as inputs the path to the file that has to be included  and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

Read complete local file inclusion attack tutorial from here

Remote File Inclusion (RFI)

Remote File Inclusion occurs when the URI of a file located on a different server is passed to as a parameter to the PHP function “include”, “include_once” , “require” , or “require_once” . PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File inclusion allows and attacker to embed his/her own PHP code inside  a vulnerable  PHP script , which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.

Read complete remote file inclusion attack tutorial from here

·         Strong Input Validation
·         A whitelist of acceptable inputs
·         Reject any inputs that does not strictly conform to specifications
·         For filenames, use stringent whitelists that limits the character set to be used
·         Exclude directory separators such as “/”
·         Use a whitelist of allowable file extensions
·         Environment hardening
·         Develop and run your code in the most recent versions of PHP available
·         Configure your PHP applications so that it does not use register_globals
·         Set allow_url_fopen to false, which limits the ability to include files from remote locations
·         Run your code using the lowest privileges
·         Use a vetted library or framework that does not allow this weakness.



Post a Comment