White Hat Institute

Local file inclusion using PHP include

PHP has several wrappers that can often be abused to bypass input filters. Using the php://input wrapper, it is possible to execute a command or inject PHP code to exploit a local file inclusion vulnerability. In this example, we will show you how to use a handy Firefox plugin called “Hackbar.” Many penetration testing professionals use this plugin to perform manual web security testing in their browsers. To install it, search for “Hackbar” in the Firefox add-ons and add it to Firefox.


To display “Hackbar” in the web browser, press the “F9” key, and it will appear on the screen. To work with the URL of the target web page, click the “Load” button, and the URL will be loaded into “Hackbar.” From there, replace the last part of the URL, which ends with “lang_en.php&action=go”, with “php://input&cmd=ls”, which uses the php://input wrapper.


Then check the “Enable Post data” box and type the following PHP command.

Ex: (<?php system($_GET['cmd']); ?>).

Because the page includes php://input, the PHP code in the POST data is executed, and it should display the directories of the victim device.
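
A detection-side view of the request described above, as an added example that is not part of the original article: a Python scan of web access log lines for PHP stream wrappers in query parameters, including percent-encoded forms. The log lines are constructed, and the parameter name "page" and the path "/index.php" are assumptions, since the article does not name them.

```python
import re
from urllib.parse import parse_qsl, unquote

# PHP stream-wrapper schemes that should never be the value of an include parameter.
WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://")

# Request portion of a combined-format access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines; the "page" parameter and "/index.php" path are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=lang_en.php&action=go HTTP/1.1" 200 5123',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /index.php?page=php://input&cmd=ls HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /index.php?page=PHP%253A%252F%252Finput&cmd=ls HTTP/1.1" 200 812',
]

def fully_decode(value, rounds=3):
    """Strip up to `rounds` extra layers of percent-encoding (e.g. php%253A%252F%252F)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_params(target):
    """Return (param, wrapper) pairs for query values that begin with a wrapper scheme."""
    query = target.partition("?")[2]
    hits = []
    # parse_qsl removes the first layer of percent-encoding; fully_decode removes the rest.
    for name, value in parse_qsl(query, keep_blank_values=True):
        normalized = fully_decode(value).strip().lower()
        hits += [(name, w) for w in WRAPPERS if normalized.startswith(w)]
    return hits

def scan(lines):
    """Return (ip, method, status, param, wrapper) for every request carrying a wrapper."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for param, wrapper in wrapper_params(m["target"]):
                findings.append((m["ip"], m["method"], int(m["status"]), param, wrapper))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The POST body never reaches a standard access log, so the wrapper in the query string is the signal to alert on. PHP only accepts php://input in include when allow_url_include is On, which is not the default, so that setting is worth checking on any host where this fires.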
