
File Inclusion (LFI/RFI)


LFI Inclusion

http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php/?file=pHp://FilTer/convert.base64-encode/resource=index.html

This is a crafted Local File Inclusion (LFI) payload that uses the php://filter stream wrapper to return the contents of a file (index.html) base64-encoded, so the server hands back the raw bytes instead of executing or rendering them.


Detailed Breakdown:

  • file=pHp://FilTer/convert.base64-encode/resource=index.html:

    • The php://filter wrapper is a native PHP feature allowing filters to be applied to streams, including files.

    • convert.base64-encode: This filter base64-encodes the content of the specified resource instead of directly outputting it.

    • resource=index.html: Defines the target file whose content will be encoded and displayed.

  • The mixed-case spelling (pHp://FilTer) targets protections that block the literal string php:// with a case-sensitive match; PHP resolves wrapper names case-insensitively, so the wrapper still works.


Why Use Base64-Encoding with LFI?

  • Including a file directly returns whatever the server produces from it: plain files are echoed, but PHP files are executed first and only their output is shown.

  • Sensitive files containing PHP code may not render their raw source because the server executes them.

  • Wrapping the file in php://filter reads the raw bytes before the PHP parser sees them, so the source arrives base64-encoded instead of being executed.

  • The attacker can decode the base64 output to inspect the source code, revealing credentials, vulnerabilities, or hidden functionality.


Common Variations and Wrappers for LFI Exploitation:

php://filter Wrapper Examples

file=php://filter/convert.base64-encode/resource=config.php
file=php://filter/convert.base64-encode/resource=/var/www/html/index.php

Directory Traversal Variations

file=../../../../etc/passwd
file=..%2f..%2f..%2f..%2fetc%2fpasswd

Log Poisoning for Remote Code Execution

file=/var/log/apache2/access.log

Inject PHP code into the log through a request header such as User-Agent, then include the log file so the server executes what was written there.


Additional Useful Wrappers from PayloadsAllTheThings

  • php://input: Include raw POST data (useful if the LFI applies to POST requests).

  • expect://: Execute system commands via Expect wrapper (if enabled).

  • data://: Inline payloads (requires allow_url_include=On, which is off by default, so this rarely works).

  • zip://, phar://, glob://: Abuse compressed files or archives during inclusion.

For reference: PayloadsAllTheThings File Inclusion Wrappers


Summary

The provided LFI payload uses the php://filter wrapper to read and base64-encode the content of index.html. This allows attackers to bypass execution and view raw source code. Similar techniques are essential during web exploitation to disclose sensitive files, locate credentials, or escalate the attack.

PayloadsAllTheThings LFI Inclusion




Curl

curl -H 'Referer: http://merchan.thl/index.html' 'http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php?file=/etc/passwd'

This command uses curl, a tool for making HTTP requests, to exploit a Local File Inclusion (LFI) vulnerability present on the target merchan.thl.


Breakdown of the Command:

  • curl: Command-line tool for transferring data using various protocols (HTTP, HTTPS, FTP, etc.).

  • -H 'Referer: http://merchan.thl/index.html': Adds a Referer header to simulate that the request originated from index.html. This can help bypass basic restrictions or filtering mechanisms based on request headers.

  • 'http://merchan.thl/2e81eb4e952a3268babddecad2a4ec1e.php?file=/etc/passwd':

    • Accesses the vulnerable PHP file 2e81eb4e952a3268babddecad2a4ec1e.php.

    • Sends a parameter file=/etc/passwd, attempting to include and read the system’s /etc/passwd file, which contains user account information.


Why is /etc/passwd Showing?

  • This confirms the presence of an LFI vulnerability, where the application improperly handles user-controlled input and allows inclusion of arbitrary files from the server’s filesystem.

  • /etc/passwd is a common file targeted during LFI testing because it is present on every Unix/Linux system and world-readable, so a successful read confirms the vulnerability without needing elevated privileges.


LFI (Local File Inclusion) Deep Explanation

LFI occurs when user input is used in file-handling functions without proper sanitization, such as:

<?php include($_GET['file']); ?>

If an attacker can control the file parameter, they can force the server to include sensitive files or execute unintended scripts.
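The fix for the include above is to never build a path from raw input. The following added example (not code from the original post) models in Python the checks a hardened version of that include would perform: percent-decode before inspecting, reject stream wrappers regardless of case, reject null bytes and traversal, and finally confirm with realpath that the resolved file still lies under the page directory. The PAGES_ROOT directory, the ALLOWED_PAGES map and the function names are assumptions for illustration.

```python
import os
import re
import urllib.parse

# Hypothetical page directory standing in for the directory include() is meant
# to serve from. It is resolved with realpath so symlinks cannot fool the check.
PAGES_ROOT = "/var/www/html/pages"

# Allowlist variant: the request carries a key, never a filename.
ALLOWED_PAGES = {"index": "index.html", "about": "about.html"}

# Anything that starts like a URL scheme (php:, data:, expect:, ...) is refused.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:")


def normalize(raw):
    """Percent-decode twice (so ..%252f cannot hide) before inspecting."""
    return urllib.parse.unquote(urllib.parse.unquote(raw))


def reject_reason(value):
    """Return None if `value` looks like a plain relative filename, otherwise
    the name of the first dangerous pattern. Matching is done on the
    lowercased value so pHp://FilTer is treated exactly like php://filter."""
    lowered = value.lower()
    if "\x00" in value:
        return "null byte"
    if "://" in value or SCHEME_RE.match(lowered):
        return "stream wrapper"
    if ".." in value.replace("\\", "/").split("/"):
        return "directory traversal"
    if value.startswith(("/", "\\")):
        return "absolute path"
    return None


def resolve_page(raw, root=PAGES_ROOT):
    """Map the user-supplied value to a path under `root`, or None.
    The pattern checks give readable error reasons; the realpath containment
    check at the end is the one that actually guarantees the file stays inside."""
    value = normalize(raw)
    if reject_reason(value) is not None:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, value))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def resolve_by_key(key):
    """Allowlist variant: unknown keys get None, so no path is ever built from input."""
    name = ALLOWED_PAGES.get(key)
    return None if name is None else os.path.join(PAGES_ROOT, name)


if __name__ == "__main__":
    for sample in ("index.html",
                   "pHp://FilTer/convert.base64-encode/resource=index.html",
                   "..%2f..%2f..%2f..%2fetc%2fpasswd",
                   "/etc/passwd%00"):
        print(repr(sample), "->", reject_reason(normalize(sample)), resolve_page(sample))
```

The allowlist function is the stronger design: when the request names a key rather than a file, there is no path to traverse and no wrapper to smuggle. The pattern checks are kept mainly to produce useful log messages; the containment check on the resolved path is what actually enforces the boundary, and it also catches variants the patterns miss.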


Typical LFI Exploitation Paths

  • Reading System Files:

    /etc/passwd
    /etc/hostname
    /proc/self/environ
    /var/www/html/config.php

  • Log File Poisoning (leading to Remote Code Execution): inject PHP code into logs and include the log:

    file=/var/log/apache2/access.log

  • PHP Filter Wrappers (for Source Code Disclosure):

    file=php://filter/convert.base64-encode/resource=index.php

  • Bypassing Restrictions with Directory Traversal:

    file=../../../../etc/passwd

  • Null Byte Injection (Legacy PHP, pre-5.3):

    file=/etc/passwd%00
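Every variation listed here and in the "Common Variations and Wrappers" section above leaves a recognisable trace in the web server's access log, provided the detector normalises the request the same way the attacker's evasions do. The following added example (not code from the original post) parses Apache combined-format lines, percent-decodes the query twice, lowercases it, and flags wrapper prefixes, traversal, null bytes, classic sensitive paths and a PHP open tag in a header (the residue of a log poisoning attempt). The log lines are constructed for the example and use documentation IP ranges; the script name is the one from the post.

```python
import re
import urllib.parse

# Constructed sample in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=pHp://FilTer/convert.base64-encode/resource=index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:03 +0000] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1400 "-" "curl/8.0"
203.0.113.5 - - [10/May/2025:10:00:04 +0000] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=/etc/passwd%00 HTTP/1.1" 200 1400 "http://merchan.thl/index.html" "curl/8.0"
203.0.113.5 - - [10/May/2025:10:00:05 +0000] "GET /2e81eb4e952a3268babddecad2a4ec1e.php?file=/var/log/apache2/access.log HTTP/1.1" 200 90000 "-" "<?php /* constructed marker */ ?>"
198.51.100.7 - - [10/May/2025:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scheme-style prefix at the start of a query value: php://filter, data:, expect://
WRAPPER_RE = re.compile(r"(?:^|[=&])(?:php|data|expect|phar|zip|glob|file|ftp|https?):", re.I)

# Classic LFI targets; seeing one inside a *parameter* is the signal.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/")


def normalize(value):
    """Decode twice (catches %252e) and lowercase, so pHp://FilTer and ..%2f
    compare the same as their plain forms."""
    return urllib.parse.unquote(urllib.parse.unquote(value)).lower()


def classify_request(path, referer, ua):
    """Return the list of indicator names matched by one request."""
    reasons = []
    _, _, query = path.partition("?")
    q = normalize(query)
    if "\x00" in q:
        reasons.append("null byte")
    if WRAPPER_RE.search(q):
        reasons.append("wrapper")
    if "../" in q or "..\\" in q:
        reasons.append("traversal")
    if any(p in q for p in SENSITIVE_PATHS):
        reasons.append("sensitive path")
    # A PHP open tag in a header is what a log poisoning attempt leaves behind.
    if "<?php" in (referer + ua).lower():
        reasons.append("php tag in header")
    return reasons


def scan_log(text):
    """Parse each combined-format line and return findings for suspicious ones."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        reasons = classify_request(m["path"], m["referer"], m["ua"])
        if reasons:
            findings.append({"line": number, "ip": m["ip"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def offenders(findings):
    """Count findings per source address, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(offenders(found))
```

The status code is carried along because a 200 on a request that asked for /etc/passwd or a php://filter resource means the include probably succeeded, which separates a confirmed disclosure from a blocked probe. The double decode is deliberate: web servers log the request line as received, so an attacker who encodes twice relies on the detector decoding only once.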

Additional Useful curl Arguments

  • -i: Show response headers.

  • -s: Silent mode (suppress progress bar).

  • -X <method>: Specify request method (GET, POST, etc.).

  • -d <data>: Send POST data.

  • -b <cookie>: Send cookies with request.

  • -H <header>: Add custom headers.

  • -k: Skip TLS certificate verification (allow insecure HTTPS connections).

  • -o <file>: Save output to a file.

  • --proxy <proxy>: Send request through a proxy.


Summary

The command confirms a working Local File Inclusion (LFI) vulnerability on merchan.thl. Using the Referer header may have helped bypass simple 403 or referer-based protections.

This LFI can potentially escalate to Remote Code Execution (RCE) via log poisoning, environment variable inclusion, or further file discovery, depending on server configuration and accessible files.




This post is licensed under CC BY 4.0 by the author.