IDOR & File Inclusion

YCZHU

6 min readApr 16, 2023

Task 1 What is an IDOR?

IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.

Task 2 An IDOR Example

In some cases, if the user changes the value in the query may find information of others.

Task 3 Finding IDORs in Encoded IDs

The flow of string tampering:

Task 4 Finding IDORs in Hashed IDs

values of md5 hashes could be found at:

https://crackstation.net/

Task 5 Finding IDORs in Unpredictable IDs

If the Id cannot be detected using the above methods, an excellent method of IDOR detection is to create two accounts and swap the Id numbers between them. If you can view the other users’ content using their Id number while still being logged in with a different account (or not logged in at all), you’ve found a valid IDOR vulnerability.

Task 6 Where are IDORs located

Task 7 A Practical IDOR Example

Open the link and create a new account and login into.

Open the developer tool and go to network tab, we can see a call:

What is the username for user id 1?

adam84

What is the email address for user id 3?

j@fakemail.thm

File Inclusion

Task 1 Introduction

What is the risk of File inclusion?

It depends! If the attacker can use file inclusion vulnerabilities to read sensitive data. In that case, the successful attack causes to leak of sensitive data, including code and files related to the web application, credentials for back-end systems. Moreover, if the attacker somehow can write to the server such as /tmp directory, then it is possible to gain remote command execution RCE. However, it won’t be effective if file inclusion vulnerability is found with no access to sensitive data and no writing ability to the server.

Task 2 Deploy the VM

deploy the virtual box and access to the TryHackMe network

Task 3 Path Traversal

What function causes path traversal vulnerabilities in PHP?

file_get_contents

The web app is served at /var/www/app

URL query: http://webapp.thm/get.php?file=app/CVs/userCV.pdf

we can access the uverCV.pdf from the path /var/www/app/CVs/userCV.pdf

to navigate to the root directory:http://webapp.thm/get.php?file=../../../../

Then add the path to /etc/passwd: http://webapp.thm/get.php?file=../../../../etc/passwd

Task 4 Local File Inclusion — LFI

Lab 1: there is no specific directory inside the function, we can access to /etc/passwd without input validation.

Lab 2: the include function allows us to include any called files into the current page. The following will be the exploit:http://webapp.thm/index.php?lang=../../../../etc/passwd

Task 5 Local File Inclusion — LFI #2

Give Lab #3 a try to read /etc/passwd. What is the request look like?

http://10.10.27.34/lab3.php?file=../../../../etc/passwd%00

If we add a random string such as asa into the query, we have the response:

Therefore we know we need 4 ../ to navigate to the root directory. Now we correct the query to

Again we have an error. As the task mentioned we should remove the .PHP by adding %00 because include function reads the input with .php

Which function is causing the directory traversal in Lab #4?

/lab3.php?file=../../../../etc/passwd%00

Try out Lab #6 and check what is the directory that has to be in the input field?

we add a random string to the query, we have the response:

THM-profile

Try out Lab #6 and read /etc/os-release. What is the VERSION_ID value?

12.04

Task 6 Remote File Inclusion — RFI

Requirement for opening an RFI: allow_url_fopen needs to be on

The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:

Sensitive Information Disclosure
Cross-site Scripting (XSS)
Denial of Service (DoS)

Create the cmd.txt:

Run a python web server on your local machine:

On your lab browser:

Also you have a response on your local machine if you successfully have your local cmd.txt transferred to virtual box:

Task 7 Remediation

Keep system and services, including web application frameworks, updated with the latest version.
Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn’t need them, such as allow_url_fopen on and allow_url_include.
Carefully analyze the web application and allow only protocols and PHP wrappers that are in need.
Never trust user input, and make sure to implement proper input validation against file inclusion.
Implement whitelisting for file names and locations as well as blacklisting.

Task 8 Challenge

Steps for testing for LFI

Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!
Enter a valid input to see how the web server behaves.
Enter invalid inputs, including special characters and common file names.
Don’t always trust what you supply in input forms is what you intended! Use either a browser address bar or a tool such as Burpsuite.
Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.
Understand the input validation and if there are any filters!
Try the inject a valid entry to read sensitive files

Capture Flag1 at /etc/flag1

Use BurpSuite to change the method, right-click: