29 Jan 2021 - OverTheWire - Natas
website: http://natas7.natas.labs.overthewire.org/ (password: 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9)
After logging into natas7, I could see that this page has two links. Clicking on the links directs me to different pages, for example http://natas7.natas.labs.overthewire.org/index.php?page=about. This reminds me of the file inclusion vulnerability, that is, a web application naively builds a file path from user input without sanitizing it. Moreover, the page source has a comment saying that the password for webuser natas8 is in /etc/natas_webpass/natas8. Thus, I tried the following cURL command, and it returned the password for natas8:
```bash
# Quote the URL so the shell does not treat "?" as a glob character
curl 'http://natas7:7z3hEENjQtflzgnT29q7wAvMNfZdh0i9@natas7.natas.labs.overthewire.org?page=/etc/natas_webpass/natas8'
```
CONCLUSION
A file inclusion vulnerability is typically associated with PHP functions such as include() and require(). These functions source another file into the current page for display or execution. If the parameters of these functions come from user input and are not validated, an attacker can exploit the vulnerability to include malicious code from remote sources.
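
The pattern described above, next to a hardened version, as an added example. It is not the natas7 source: the `PAGES` map, the function names and the temporary `pages_demo_*` directory are assumptions made for the illustration.

```php
<?php
// Added example, not the natas7 source. PAGES and the directory layout are assumed.

// Vulnerable shape: the request value is used as the path itself, so
// ?page=/etc/natas_webpass/natas8 is read like any other page.
function render_vulnerable(string $page): void
{
    include $page;
}

// Allow-list: the request value only selects a key; the paths are fixed here.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                 // unknown name: the caller should answer 404
    }
    // Defence in depth: canonicalise and confirm the file sits inside $baseDir.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo: a temporary pages directory and three request values.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($baseDir);
foreach (PAGES as $file) {
    file_put_contents($baseDir . DIRECTORY_SEPARATOR . $file, "<p>$file</p>\n");
}

foreach (['about', 'home', '/etc/natas_webpass/natas8'] as $requested) {
    $path = resolve_page($requested, $baseDir);
    printf("%-28s -> %s\n", $requested, $path ?? 'rejected');
}

// Remove the demo files again.
array_map('unlink', glob($baseDir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($baseDir);
```

For the remote-source case, keeping `allow_url_include` at `Off` in php.ini (its default) prevents include() and require() from fetching URLs.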