191 lines
7.6 KiB
Markdown
191 lines
7.6 KiB
Markdown
---
|
|
name: path-traversal-lfi-rfi
|
|
description: Path traversal and file inclusion testing for local/remote file access and code execution
|
|
---
|
|
|
|
# Path Traversal / LFI / RFI
|
|
|
|
Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely.
|
|
|
|
## Attack Surface
|
|
|
|
**Path Traversal**
|
|
- Read files outside intended roots via `../`, encoding, normalization gaps
|
|
|
|
**Local File Inclusion (LFI)**
|
|
- Include server-side files into interpreters/templates
|
|
|
|
**Remote File Inclusion (RFI)**
|
|
- Include remote resources (HTTP/FTP/wrappers) for code execution
|
|
|
|
**Archive Extraction**
|
|
- Zip Slip: write outside target directory upon unzip/untar
|
|
|
|
**Normalization Mismatches**
|
|
- Server/proxy differences (nginx alias/root, upstream decoders)
|
|
- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams
|
|
|
|
## High-Value Targets
|
|
|
|
**Unix**
|
|
- `/etc/passwd`, `/etc/hosts`, application `.env`/`config.yaml`
|
|
- SSH keys, cloud creds, service configs/logs
|
|
|
|
**Windows**
|
|
- `C:\Windows\win.ini`, IIS/web.config, programdata configs, application logs
|
|
|
|
**Application**
|
|
- Source code templates and server-side includes
|
|
- Secrets in env dumps, framework caches
|
|
|
|
## Reconnaissance
|
|
|
|
### Surface Map
|
|
|
|
- HTTP params: `file`, `path`, `template`, `include`, `page`, `view`, `download`, `export`, `report`, `log`, `dir`, `theme`, `lang`
|
|
- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters
|
|
- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z
|
|
- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins
|
|
- Reverse proxies and static file servers (nginx, CDN) in front of app handlers
|
|
|
|
### Capability Probes
|
|
|
|
- Path traversal baseline: `../../etc/hosts` and `C:\Windows\win.ini`
|
|
- Encodings: `%2e%2e%2f`, `%252e%252e%252f`, `..%2f`, `..%5c`, mixed UTF-8 (`%c0%2e`), Unicode dots and slashes
|
|
- Normalization tests: `..../`, `..\\`, `././`, trailing dot/double dot segments; repeated decoding
|
|
- Absolute path acceptance: `/etc/passwd`, `C:\Windows\System32\drivers\etc\hosts`
|
|
- Server mismatch: `/static/..;/../etc/passwd` ("..;"), encoded slashes (`%2F`), double-decoding via upstream
|
|
|
|
## Detection Channels
|
|
|
|
### Direct
|
|
|
|
- Response body discloses file content (text, binary, base64)
|
|
- Error pages echo real paths
|
|
|
|
### Error-Based
|
|
|
|
- Exception messages expose canonicalized paths or `include()` warnings with real filesystem locations
|
|
|
|
### OAST
|
|
|
|
- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution
|
|
|
|
### Side Effects
|
|
|
|
- Archive extraction writes files unexpectedly outside target
|
|
- Verify with directory listings or follow-up reads
|
|
|
|
## Key Vulnerabilities
|
|
|
|
### Path Traversal Bypasses
|
|
|
|
**Encodings**
|
|
- Single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities
|
|
|
|
**Mixed Separators**
|
|
- `/` and `\\` on Windows; `//` and `\\\\` collapse differences across frameworks
|
|
|
|
**Dot Tricks**
|
|
- `....//` (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension
|
|
|
|
**Absolute Path Injection**
|
|
- Bypass joins by supplying a rooted path
|
|
|
|
**Alias/Root Mismatch**
|
|
- nginx alias without trailing slash with nested location allows `../` to escape
|
|
- Try `/static/../etc/passwd` and ";" variants (`..;`)
|
|
|
|
**Upstream vs Backend Decoding**
|
|
- Proxies/CDNs decoding `%2f` differently; test double-decoding and encoded dots
|
|
|
|
### LFI Wrappers and Techniques
|
|
|
|
**PHP Wrappers**
|
|
- `php://filter/convert.base64-encode/resource=index.php` (read source)
|
|
- `zip://archive.zip#file.txt`
|
|
- `data://text/plain;base64`
|
|
- `expect://` (if enabled)
|
|
|
|
**Log/Session Poisoning**
|
|
- Inject PHP/templating payloads into access/error logs or session files then include them
|
|
|
|
**Upload Temp Names**
|
|
- Include temporary upload files before relocation; race with scanners
|
|
|
|
**Proc and Caches**
|
|
- `/proc/self/environ` and framework-specific caches for readable secrets
|
|
|
|
**Legacy Tricks**
|
|
- Null-byte (`%00`) truncation in older stacks; path length truncation
|
|
|
|
### Template Engines
|
|
|
|
- PHP include/require; Smarty/Twig/Blade with dynamic template names
|
|
- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines
|
|
- Seek dynamic template resolution from user input (theme/lang/template)
|
|
|
|
### RFI Conditions
|
|
|
|
**Requirements**
|
|
- Remote includes (`allow_url_include`/`allow_url_fopen` in PHP)
|
|
- Custom fetchers that eval/execute retrieved content
|
|
- SSRF-to-exec bridges
|
|
|
|
**Protocol Handlers**
|
|
- http, https, ftp; language-specific stream handlers
|
|
|
|
**Exploitation**
|
|
- Host a minimal payload that proves code execution
|
|
- Prefer OAST beacons or deterministic output over heavy shells
|
|
- Chain with upload or log poisoning when remote includes are disabled
|
|
|
|
### Archive Extraction (Zip Slip)
|
|
|
|
- Files within archives containing `../` or absolute paths escape target extract directory
|
|
- Test multiple formats: zip/tar/tgz/7z
|
|
- Verify symlink handling and path canonicalization prior to write
|
|
- Impact: overwrite config/templates or drop webshells into served directories
|
|
|
|
## Testing Methodology
|
|
|
|
1. **Inventory file operations** - Downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors
|
|
2. **Identify input joins** - Path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations
|
|
3. **Probe normalization** - Separators, encodings, double-decodes, case, trailing dots/slashes
|
|
4. **Compare behaviors** - Web server vs application behavior
|
|
5. **Escalate** - From disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains)
|
|
|
|
## Validation
|
|
|
|
1. Show a minimal traversal read proving out-of-root access (e.g., `/etc/hosts`) with a same-endpoint in-root control
|
|
2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (`php://filter` base64 of index.php)
|
|
3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads
|
|
4. For Zip Slip, create an archive with `../` entries and show write outside target (e.g., marker file read back)
|
|
5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility
|
|
|
|
## False Positives
|
|
|
|
- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage)
|
|
- Canonicalized paths constrained to an allowlist/root after normalization
|
|
- Wrappers disabled and includes using constant templates only
|
|
- Archive extractors that sanitize paths and enforce destination directories
|
|
|
|
## Impact
|
|
|
|
- Sensitive configuration/source disclosure → credential and key compromise
|
|
- Code execution via inclusion of attacker-controlled content or overwritten templates
|
|
- Persistence via dropped files in served directories; lateral movement via revealed secrets
|
|
- Supply-chain impact when report/template engines execute attacker-influenced files
|
|
|
|
## Pro Tips
|
|
|
|
1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise
|
|
2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for `%2f` and `%2e` encodings
|
|
3. For LFI, prefer `php://filter` base64 probes over destructive payloads; enumerate readable logs and sessions
|
|
4. Validate extraction code with synthetic archives; include symlinks and deep `../` chains
|
|
5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems
|
|
|
|
## Summary
|
|
|
|
Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO.
|