1.Local-file-inclusion-lfi

Key Takeaways: Local File Inclusion (LFI) Attacks

Basic LFI

Exploits a parameter that directly includes a file.

Example:

### Directly includes a file based on user input
include($_GET['language']);

Allows reading local files by manipulating the parameter.

Path Traversal

Bypasses directory restrictions using relative paths (../).

Example:

### Uses relative path traversal to escape intended directory
include("./languages/" . $_GET['language']);

Enables escaping the intended directory to access other files.

Filename Prefix Handling

Some applications prepend a prefix to included filenames.

Example:

### Bypassing filename prefix by treating it as a directory
include("lang_" . $_GET['language']);

Can be bypassed by using / to treat the prefix as a directory.

Appended Extensions Bypass

Some implementations append extensions like .php.
Example:
```
### Bypassing appended extensions
include($_GET['language'] . ".php");
```
- Common bypasses include null byte injections and PHP wrappers (discussed below).

Second-Order LFI

Occurs when LFI is exploited through indirect user input (e.g., database entries).

Example:

### Injecting LFI payload via user-controlled database input
$username = getUsernameFromDB($_GET['id']);
include($username);

Highlights the importance of sanitizing all user-controlled data.

Platform Agnostic Nature

LFI techniques apply across various backend languages and frameworks.

Additional Considerations

Null Byte Injection (Older PHP)

In older PHP versions, appending a null byte (%00) could truncate the filename and bypass appended extensions.

Example:

### Exploiting null byte injection to bypass extension appending
include("/etc/passwd%00");

This is less effective in modern PHP versions.

PHP Wrappers and Filters

PHP wrappers like php://filter allow encoding/decoding files, enabling attackers to read source code even if it’s executed.

Example:

### Using PHP wrappers to read source code
include("php://filter/convert.base64-encode/resource=index.php");

Log File Poisoning

Attackers can inject data into log files and later include those logs using LFI to execute arbitrary code.
Often used for achieving Remote Code Execution (RCE).

Error Handling

Detailed error messages should be disabled in production environments.
Attackers can leverage errors to map the server's file structure.

Input Sanitization

Proper validation and sanitization of user input prevent LFI vulnerabilities.
Whitelisting allowed characters and file paths is a best practice.

Security Headers

While not a direct mitigation, security headers add an additional layer of defense against exploitation.

Previous1.File Disclosure Next2.Basic-bypasses

Last updated 12 days ago

1.Local-file-inclusion-lfi

Key Takeaways: Local File Inclusion (LFI) Attacks

Basic LFI

Exploits a parameter that directly includes a file.

Example:

### Directly includes a file based on user input
include($_GET['language']);

Allows reading local files by manipulating the parameter.

Path Traversal

Bypasses directory restrictions using relative paths (../).

Example:

### Uses relative path traversal to escape intended directory
include("./languages/" . $_GET['language']);

Enables escaping the intended directory to access other files.

Filename Prefix Handling

Some applications prepend a prefix to included filenames.

Example:

### Bypassing filename prefix by treating it as a directory
include("lang_" . $_GET['language']);

Can be bypassed by using / to treat the prefix as a directory.

Appended Extensions Bypass

Some implementations append extensions like .php.
Example:
```
### Bypassing appended extensions
include($_GET['language'] . ".php");
```
- Common bypasses include null byte injections and PHP wrappers (discussed below).

Second-Order LFI

Occurs when LFI is exploited through indirect user input (e.g., database entries).

Example:

### Injecting LFI payload via user-controlled database input
$username = getUsernameFromDB($_GET['id']);
include($username);

Highlights the importance of sanitizing all user-controlled data.

Platform Agnostic Nature

LFI techniques apply across various backend languages and frameworks.

Additional Considerations

Null Byte Injection (Older PHP)

In older PHP versions, appending a null byte (%00) could truncate the filename and bypass appended extensions.

Example:

### Exploiting null byte injection to bypass extension appending
include("/etc/passwd%00");

This is less effective in modern PHP versions.

PHP Wrappers and Filters

PHP wrappers like php://filter allow encoding/decoding files, enabling attackers to read source code even if it’s executed.

Example:

### Using PHP wrappers to read source code
include("php://filter/convert.base64-encode/resource=index.php");

Log File Poisoning

Attackers can inject data into log files and later include those logs using LFI to execute arbitrary code.
Often used for achieving Remote Code Execution (RCE).

Error Handling

Detailed error messages should be disabled in production environments.
Attackers can leverage errors to map the server's file structure.

Input Sanitization

Proper validation and sanitization of user input prevent LFI vulnerabilities.
Whitelisting allowed characters and file paths is a best practice.

Security Headers

While not a direct mitigation, security headers add an additional layer of defense against exploitation.

Previous1.File Disclosure Next2.Basic-bypasses

Last updated 12 days ago