New to CAPEC? Start Here
Home > CAPEC List > CAPEC-252: PHP Local File Inclusion (Version 3.9)  

CAPEC-252: PHP Local File Inclusion

Attack Pattern ID: 252
Abstraction: Detailed
View customized information:
+ Description
The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.251Local Code Inclusion
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Survey application: Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find. The adversary is looking for URLs that show PHP file inclusion is used, which can look something like "http://vulnerable-website/file.php?file=index.php".

    Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
    Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
    Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
  1. Attempt variations on input parameters: Once the adversary finds a vulnerable URL that takes file input, they attempt a variety of path traversal techniques to attempt to get the application to display the contents of a local file, or execute a different PHP file already stored locally on the server.

    Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of path traversal techniques used to include well known files.
    Use a proxy tool to record results of manual input of local file inclusion probes in known URLs.
  1. Include desired local file: Once the adversary has determined which techniques of path traversal successfully work with the vulnerable PHP application, they will target a specific local file to include. These can be files such as "/etc/passwd", "/etc/shadow", or configuration files for the application that might expose sensitive information.

+ Prerequisites
The targeted PHP application must have a bug that allows an attacker to control which code file is loaded at some juncture.
+ Resources Required
The attacker needs to have enough access to the target application to control the identity of a locally included PHP file.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-621] "OWASP Vulnerabilities". PHP File Inclusion. The Open Web Application Security Project (OWASP). <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated References
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018