Strictly speaking, file inclusion is a kind of code injection, the class of injection attack in which the hacker injects a script or code into a system so that it is executed on the server side. File inclusion is a typical representative of code injection, and it may appear in JSP, PHP, and other languages. The functions commonly involved in file inclusion are the following:
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(),...
JSP/Servlet: java.io.File(), java.io.FileReader(),...
ASP: include file, include virtual,...
In the history of Internet security, PHP file inclusion has been notorious, because hackers have found numerous file inclusion vulnerabilities in various PHP applications, the consequences of which are very serious.
File inclusion is a common method of exploiting PHP, mainly by using four functions:
- include()
- require()
- include_once()
- require_once()
When one of these four functions is used to include a new file, the file is executed as PHP code; the PHP kernel is not concerned about what type of file is included. So if txt files, image files, or remote URLs are included, they will be executed as PHP code. This feature is very useful when implementing an attack. For example, the following code can be used to include a file under the same directory.
<?php include($_GET['test']); ?>
Suppose the included txt file contains executable PHP code. When the vulnerable URL is requested again, we find that the code has already been executed.
To successfully exploit file inclusion vulnerabilities, the following two conditions need to be met:
- The function include() must be used to include files through dynamic variables.
- The user can control the dynamic variables.
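Both conditions are removed when the request only selects a key from a fixed list and never supplies the path itself. The following is an added example, not code from the original text; the page names and the pages/ directory are hypothetical.

```php
<?php
// Added example: hardened replacement for include($_GET['test']).
// The page names and the pages/ directory are hypothetical.

// Fixed map from a request value to a file shipped with the application.
// The request only ever selects a key; it never supplies a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute path inside $baseDir,
 * or return null when the name is not on the allowlist.
 */
function resolve_page($name, string $baseDir): ?string
{
    // Reject arrays (?test[]=x) and anything that is not an exact key.
    if (!is_string($name) || !array_key_exists($name, PAGES)) {
        return null;
    }

    // Defence in depth: the resolved file must exist and sit under $baseDir,
    // so a symlink or a bad map entry cannot point outside it.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['test'] ?? null, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
include $file;
```

Remote URLs can only be included when allow_url_include is enabled in php.ini; leaving it Off removes that case independently of this code.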