Local File Inclusion (LFI)
Last Updated : 30 Sep, 2022
A File Inclusion Vulnerability is a type of Vulnerability commonly found in PHP based websites and it is used to affect the web applications. This issue generally occurs when an application is trying to get some information from a particular server where the inputs for getting a particular file location are not treated as a trusted source. It generally refers to an inclusion attack where an attacker can supply a valid input to get a response from a web server. In response, an attacker will be able to judge whether the input which he supplied is valid or not. If it is valid, then whatever/whichever file an attacker wants to see they can easily access it. Below example illustrates the working procedure of an LFI vulnerability:
php <?php // The Page we wish to display $file = $_GET['page']; ?>
Let us understand the working of Local File Inclusion via the following example: In the above example
"$file = $_GET['page'];" $file is just a file/code for indicating that the PHP code is going to return a 'file' in response. The
$_GET is one of the sets of instruction which will get a particular file or webpage from a web server i.e. it will request for a file. The
['page'] is an argument that will define what type of pages will be displayed in response.
Where Local LFI found ? Basically this the location
http://vulnerable_host/preview.php?file=abc.html
This is the place where an attacker can perform the LFI attack on web applications. The script can be included here in the URL that is containing various parameters upon which the attack will be performed. It is possible to include arbitrary files on the server. The affected URL by the attacker would be something like this:
http://vulnerable_host/preview.php?document=../../../../etc/passwd
Identifying Vulnerabilities within Web Application: Identifying LFI Vulnerability within the web application is easy as it is going to include a file from a web server and return it to the attacker.
For example "/fi/?page=include.php" LFI would be possible in such an application if the above example or something related to such example is existing in the web application. A Pentester would attempt to get benefit from this sort of misconfiguration i.e. he can exploit this vulnerability by manipulating the parameters.
For Example "/fi/?page=include.php" this will execute successfully only if the index.php" file exists in the same directory. If not, we have to add "../" ahead of "index.php" . Imagine this
"index.php" is located in the
"/var/www/html" folder and
"include.php" is located in
"/var/www/dvwa/vulnerabilities/lfi/" folder and you can see the responses of files from this folder location only. Now to execute a file located in another directory, we have to change our directory in URL.
For example "/fi/?page=../../../index.php".
There are three kinds of scenarios possible in LFI attack: - Including Files to be Parsed by the Language's Interpreter
- Including Files that are Printed to a Page
- Including Files that are Served as Downloads
Impacts of an Local File Inclusion Vulnerability: An attacker would be able to get access to the following by exploiting LFI Vulnerability:
- Information Disclosure of files stored in Web Server
- Passwords/Database Access
- Log Files
- Complete System Compromise
Remediation File Inclusion(LFI) Vulnerability: - One should not allow the file path that could be modified directly either it should be hardcoded or to be selected via hardcoded path list.
- One must make sure that the required should have dynamic path concatenation i.e must contain (a-z) (0-9) instead of (/, /% etc)
- There should be specific limit the API so that only inclusion from directories under it work so that Directory Traversal attack could not take place in this situation