Skip to content

Local File Inclusion(LFI) Explained

Published by touhid on January 17, 2023

Hello Guys!

Today I’m gonna explain you some Local File Inclusion Tricks. If you are really interested in Web Application Pentesting and want to learn in-depth about LFI soo, you are in the right place.

Blah BLah πŸ˜› .. let’s continue our post. πŸ˜‰

Index

  • What is File Inclusion Attack?
  • What is LFI?
  • Vulnerable Source Code. (For Beginners)
  • Exploiting LFI
    • Basic LFI
    • php://filter
    • file://
    • Null Byte
    • /proc/self/environ to RCE
    • Log Poisoning to RCE
    • zip:// and rar:// wrapper to RCE
  • Conclusion

What is File Inclusion Attack?

A File Inclusion Attack, also known as a Local File Inclusion (LFI) or a Remote File Inclusion (RFI) attack, is a type of web application vulnerability that allows an attacker to include a file from a remote server or a local file system into a web page on a vulnerable website. This can be exploited to execute arbitrary code or to steal sensitive information from the server or other users. Commonly seen in PHP-based websites, the attack can be carried out by manipulating a script’s input parameters to include a file from a different location.

What is LFI?

Local File Inclusion aka LFI is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data such as the web server’s access logs etc.

LFI stands for Local File Inclusion. It is a type of web application vulnerability that allows an attacker to include a file from a local file system into a web page on a vulnerable website. This can be exploited to execute arbitrary code or to steal sensitive information from the server or other users. Commonly seen in PHP-based websites, the attack can be carried out by manipulating a script’s input parameters to include a file from a different location, such as a file that contains sensitive information like a password.

A successful LFI attack can allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code, and even take complete control of the affected system. To prevent LFI attacks, it is important to validate all input parameters, sanitize user-supplied data, and restrict access to sensitive files.

Let’s Understand Vulnerable Source Code

Skip this section if you don’t want to understand Vulnerable Codes or you Already know πŸ˜‰ 

When I was learning this. I found on the Internet there is very-very few sources have a depth explanation of the Vulnerable Sources Code. So I decided here. I will explain every possible detail in my article, which helps beginners better understand and implement well.

Vulnerable PHP Code.

<?php
$page = $_REQUEST['page'];
echo "<br></br";
include($page);
?>

Explain the above PHP Line By Line

  • Line 1: “<?php” here my PHP Code Start.
  • Line 2: Here Server received the page parameter using $_REQUEST[ ] superglobal variable with value and simply stored that value in the page variable for further use.
  • Line 3: print 2 break line.
  • Line 4: here “include” function directly execute or include file $page value in php.
  • Line 5: End of PHP code.

Secure PHP Code.

<?php
$file = $_GET['file'];
$allowed = array("home", "about","contact");
if (in_array($file, $allowed)) {
    include($file);
} else {
    echo "Invalid file";
}
?>

Now let’s move on Exploitation Section πŸ˜‰

Configurational viewpoint (php.ini file)

 

Exploiting LFI 

There is more challenging to do RCE using LFI Because in Local File Inclusion(LFI) you can only use Target’s Local Files. You need to do more enumeration about a target to get a Shell on the target’s system. Here I explain some ways to exploit LFI vulnerability.

Basic LFI

The most basic form of exploiting a Local File Inclusion (LFI) vulnerability is by manipulating the input parameter to include a file from a local file system. For example, an attacker could use a URL like “http://example.com/vulnerable_script.php?file=../../../etc/passwd” to include the /etc/passwd file, which contains sensitive information such as system users and their associated passwords.

php://filter

The php://filter stream wrapper can be used to read the contents of local files. This can be exploited by crafting a URL like “http://example.com/vulnerable_script.php?file=php://filter/convert.base64-encode/resource=../../../etc/passwd” to base64-encode the contents of the /etc/passwd file.

file://

The file:// wrapper can be used to read the contents of local files. This can be exploited by crafting a URL like “http://example.com/vulnerable_script.php?file=file:///etc/passwd” to include the contents of the /etc/passwd file.

Null Bytes

A null byte can be used to bypass a file extension check in a vulnerable script. For example, if a script only includes files with the .php extension, an attacker could use a URL like “http://example.com/vulnerable_script.php?file=../../../etc/passwd%00.php” to include the /etc/passwd file.

/proc/self/environ

An attacker can use the /proc/self/environ file to inject PHP code into the User-Agent HTTP header and execute arbitrary code on the server. This can be exploited by crafting a URL like “http://example.com/vulnerable_script.php?file=/proc/self/environ&User-Agent=<?php system($_GET[‘cmd’]); ?>”

Log Poisoning to RCE

An attacker can use a log poisoning technique to inject PHP code into a log file and execute arbitrary code on the server. This can be exploited by crafting a malicious input that contains PHP code, and then wait for the script to log it. Once the log file is written, the attacker can use LFI vulnerability to include the log file and execute the injected code.

zip:// and rar:// wrapper to RCE

An attacker can use the zip:// or rar:// wrapper to include a file from a compressed archive. This can be exploited by crafting a URL like “http://example.com/vulnerable_script.php?file=zip:///var/www/backup.zip%23shell.php” or “http://example.com/vulnerable_script.php?file=rar:///var/www/backup.rar#shell.php

Conclusion

In conclusion, Local File Inclusion (LFI) is a type of web application vulnerability that allows an attacker to include a file from a local file system into a web page on a vulnerable website. LFI vulnerabilities can be exploited in a number of ways, such as by manipulating input parameters, using stream wrappers, using null bytes, and log poisoning. A successful LFI attack can allow an attacker to gain unauthorized access to sensitive data, execute arbitrary code, and even take complete control of the affected system. To prevent LFI attacks, it is important to validate all input parameters, sanitize user-supplied data, and restrict access to sensitive files.

Published inLFI and RFIWeb ApplicationWeb Attacks

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *