Local File Inclusion

  • Local file inclusion (LFI) can give an attacker access to local files hosted on the server.

  • These bugs are common in templating engines, which load a page fragment by name so that every web page looks the same.

  • Watch out for URL formats like /index.php?page=about

  • PHP

    • include() can be used to load a local or remote file

    • It becomes vulnerable when the path is taken from a user-controlled parameter and the code does not explicitly filter and sanitize that input.

    • other vulnerable functions are:

      • include_once(), require(), require_once(), file_get_contents()

  • NodeJS

    • Look for render() calls that read a file whose name comes from the request

  • Java

    • In Java code, look for include or import

  • .Net

    • Response.WriteFile

    • html.Partial

    • include

Function                   Read Content  Execute  Remote URL

PHP
  include()/include_once()  Y             Y        Y
  require()/require_once()  Y             Y        N
  file_get_contents()       Y             N        Y
  fopen()/file()            Y             N        N

NodeJS
  fs.readFile()             Y             N        N
  fs.sendFile()             Y             N        N
  res.render()              Y             Y        N

Java
  include                   Y             N        N
  import                    Y             Y        Y

.NET
  @Html.Partial()           Y             N        N
  @Html.RemotePartial()     Y             N        Y
  Response.WriteFile()      Y             N        N
  include                   Y             Y        Y
