first commit
This commit is contained in:
@@ -0,0 +1,190 @@
|
||||
---
|
||||
name: path-traversal-lfi-rfi
|
||||
description: Path traversal and file inclusion testing for local/remote file access and code execution
|
||||
---
|
||||
|
||||
# Path Traversal / LFI / RFI
|
||||
|
||||
Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely.
|
||||
|
||||
## Attack Surface
|
||||
|
||||
**Path Traversal**
|
||||
- Read files outside intended roots via `../`, encoding, normalization gaps
|
||||
|
||||
**Local File Inclusion (LFI)**
|
||||
- Include server-side files into interpreters/templates
|
||||
|
||||
**Remote File Inclusion (RFI)**
|
||||
- Include remote resources (HTTP/FTP/wrappers) for code execution
|
||||
|
||||
**Archive Extraction**
|
||||
- Zip Slip: write outside target directory upon unzip/untar
|
||||
|
||||
**Normalization Mismatches**
|
||||
- Server/proxy differences (nginx alias/root, upstream decoders)
|
||||
- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams
|
||||
|
||||
## High-Value Targets
|
||||
|
||||
**Unix**
|
||||
- `/etc/passwd`, `/etc/hosts`, application `.env`/`config.yaml`
|
||||
- SSH keys, cloud creds, service configs/logs
|
||||
|
||||
**Windows**
|
||||
- `C:\Windows\win.ini`, IIS/web.config, programdata configs, application logs
|
||||
|
||||
**Application**
|
||||
- Source code templates and server-side includes
|
||||
- Secrets in env dumps, framework caches
|
||||
|
||||
## Reconnaissance
|
||||
|
||||
### Surface Map
|
||||
|
||||
- HTTP params: `file`, `path`, `template`, `include`, `page`, `view`, `download`, `export`, `report`, `log`, `dir`, `theme`, `lang`
|
||||
- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters
|
||||
- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z
|
||||
- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins
|
||||
- Reverse proxies and static file servers (nginx, CDN) in front of app handlers
|
||||
|
||||
### Capability Probes
|
||||
|
||||
- Path traversal baseline: `../../etc/hosts` and `C:\Windows\win.ini`
|
||||
- Encodings: `%2e%2e%2f`, `%252e%252e%252f`, `..%2f`, `..%5c`, mixed UTF-8 (`%c0%2e`), Unicode dots and slashes
|
||||
- Normalization tests: `..../`, `..\\`, `././`, trailing dot/double dot segments; repeated decoding
|
||||
- Absolute path acceptance: `/etc/passwd`, `C:\Windows\System32\drivers\etc\hosts`
|
||||
- Server mismatch: `/static/..;/../etc/passwd` ("..;"), encoded slashes (`%2F`), double-decoding via upstream
|
||||
|
||||
## Detection Channels
|
||||
|
||||
### Direct
|
||||
|
||||
- Response body discloses file content (text, binary, base64)
|
||||
- Error pages echo real paths
|
||||
|
||||
### Error-Based
|
||||
|
||||
- Exception messages expose canonicalized paths or `include()` warnings with real filesystem locations
|
||||
|
||||
### OAST
|
||||
|
||||
- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution
|
||||
|
||||
### Side Effects
|
||||
|
||||
- Archive extraction writes files unexpectedly outside target
|
||||
- Verify with directory listings or follow-up reads
|
||||
|
||||
## Key Vulnerabilities
|
||||
|
||||
### Path Traversal Bypasses
|
||||
|
||||
**Encodings**
|
||||
- Single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities
|
||||
|
||||
**Mixed Separators**
|
||||
- `/` and `\\` on Windows; `//` and `\\\\` collapse differences across frameworks
|
||||
|
||||
**Dot Tricks**
|
||||
- `....//` (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension
|
||||
|
||||
**Absolute Path Injection**
|
||||
- Bypass joins by supplying a rooted path
|
||||
|
||||
**Alias/Root Mismatch**
|
||||
- nginx alias without trailing slash with nested location allows `../` to escape
|
||||
- Try `/static/../etc/passwd` and ";" variants (`..;`)
|
||||
|
||||
**Upstream vs Backend Decoding**
|
||||
- Proxies/CDNs decoding `%2f` differently; test double-decoding and encoded dots
|
||||
|
||||
### LFI Wrappers and Techniques
|
||||
|
||||
**PHP Wrappers**
|
||||
- `php://filter/convert.base64-encode/resource=index.php` (read source)
|
||||
- `zip://archive.zip#file.txt`
|
||||
- `data://text/plain;base64`
|
||||
- `expect://` (if enabled)
|
||||
|
||||
**Log/Session Poisoning**
|
||||
- Inject PHP/templating payloads into access/error logs or session files then include them
|
||||
|
||||
**Upload Temp Names**
|
||||
- Include temporary upload files before relocation; race with scanners
|
||||
|
||||
**Proc and Caches**
|
||||
- `/proc/self/environ` and framework-specific caches for readable secrets
|
||||
|
||||
**Legacy Tricks**
|
||||
- Null-byte (`%00`) truncation in older stacks; path length truncation
|
||||
|
||||
### Template Engines
|
||||
|
||||
- PHP include/require; Smarty/Twig/Blade with dynamic template names
|
||||
- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines
|
||||
- Seek dynamic template resolution from user input (theme/lang/template)
|
||||
|
||||
### RFI Conditions
|
||||
|
||||
**Requirements**
|
||||
- Remote includes (`allow_url_include`/`allow_url_fopen` in PHP)
|
||||
- Custom fetchers that eval/execute retrieved content
|
||||
- SSRF-to-exec bridges
|
||||
|
||||
**Protocol Handlers**
|
||||
- http, https, ftp; language-specific stream handlers
|
||||
|
||||
**Exploitation**
|
||||
- Host a minimal payload that proves code execution
|
||||
- Prefer OAST beacons or deterministic output over heavy shells
|
||||
- Chain with upload or log poisoning when remote includes are disabled
|
||||
|
||||
### Archive Extraction (Zip Slip)
|
||||
|
||||
- Files within archives containing `../` or absolute paths escape target extract directory
|
||||
- Test multiple formats: zip/tar/tgz/7z
|
||||
- Verify symlink handling and path canonicalization prior to write
|
||||
- Impact: overwrite config/templates or drop webshells into served directories
|
||||
|
||||
## Testing Methodology
|
||||
|
||||
1. **Inventory file operations** - Downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors
|
||||
2. **Identify input joins** - Path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations
|
||||
3. **Probe normalization** - Separators, encodings, double-decodes, case, trailing dots/slashes
|
||||
4. **Compare behaviors** - Web server vs application behavior
|
||||
5. **Escalate** - From disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains)
|
||||
|
||||
## Validation
|
||||
|
||||
1. Show a minimal traversal read proving out-of-root access (e.g., `/etc/hosts`) with a same-endpoint in-root control
|
||||
2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (`php://filter` base64 of index.php)
|
||||
3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads
|
||||
4. For Zip Slip, create an archive with `../` entries and show write outside target (e.g., marker file read back)
|
||||
5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility
|
||||
|
||||
## False Positives
|
||||
|
||||
- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage)
|
||||
- Canonicalized paths constrained to an allowlist/root after normalization
|
||||
- Wrappers disabled and includes using constant templates only
|
||||
- Archive extractors that sanitize paths and enforce destination directories
|
||||
|
||||
## Impact
|
||||
|
||||
- Sensitive configuration/source disclosure → credential and key compromise
|
||||
- Code execution via inclusion of attacker-controlled content or overwritten templates
|
||||
- Persistence via dropped files in served directories; lateral movement via revealed secrets
|
||||
- Supply-chain impact when report/template engines execute attacker-influenced files
|
||||
|
||||
## Pro Tips
|
||||
|
||||
1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise
|
||||
2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for `%2f` and `%2e` encodings
|
||||
3. For LFI, prefer `php://filter` base64 probes over destructive payloads; enumerate readable logs and sessions
|
||||
4. Validate extraction code with synthetic archives; include symlinks and deep `../` chains
|
||||
5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems
|
||||
|
||||
## Summary
|
||||
|
||||
Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO.
|
||||
Reference in New Issue
Block a user