Local File Inclusion (LFI)

What is Local File Inclusion (LFI)?

A file inclusion attack is similar to a file upload attack. The difference is that an upload attack abuses the target site's upload function, whereas a file inclusion attack abuses user-supplied input that the application passes to a file-loading function.

Through LFI it is often possible to execute shell commands directly on the server, and there are many ways to reach that goal. LFI is typically associated with the following:

  • Server logs
  • Mail logs
  • File upload forms
  • Code execution on the web server
  • Code execution on the client-side
  • Denial of Service (DoS)
  • Sensitive Information Disclosure

A common approach is to inject PHP code into the server logs and then include the log file through the LFI so that the injected code executes. This runs into various problems in practice, so several techniques are examined below.

The following is an example of PHP code that is vulnerable to LFI:

Against such code, an attacker could make the following request. It tricks the application into including, and therefore executing, a PHP web shell that the attacker previously managed to upload to the web server:

http://example.com/?file=../../uploads/evil.php

There are five ways to exploit an LFI vulnerability:

  1. Basic Local File Inclusion: in a basic LFI attack the content of a file is read directly by walking up through directories with (../) or by supplying an absolute path beginning with (/).
  2. Null Byte: in some cases the basic attack does not work because of a higher security level. In that case, intercept the request in the tool, append the null character to the end of the path and forward the request.
  3. Base64 encode: another way to exploit LFI when the security level is high and the PHP file content cannot be viewed directly is to use the following PHP function.
  4. PHP Input: using PHP input, injected PHP code is executed to exploit the LFI vulnerability.
  5. Proc/self/environ: if the server is outdated, the LFI can be exploited by including the /proc/self/environ file, which stores the User-Agent header; PHP code placed there is then executed to run commands.

When such a request succeeds, the file uploaded by the attacker is included and runs under the user account of the web application. This allows the attacker to execute any malicious code contained in that file. An attacker does not always have the ability to upload a malicious file to the application, and even when they do, there is no guarantee that the application stores the file on the same server as the LFI-vulnerable code. Even then, the attacker would still need to know the disk path to the uploaded file.
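The request patterns behind the five techniques above all leave traces in the web server's access log. The following Python script is an added example, not code from the original post: it scans constructed Apache-style log lines for those patterns after URL-decoding the query string twice, so that double-encoded traversal sequences are also caught. The sample lines, client addresses and the `file` parameter name are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines (not taken from any real
# server); the request values reproduce the LFI patterns discussed above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=../../uploads/evil.php HTTP/1.1" 200 88
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "POST /index.php?file=php://input HTTP/1.1" 200 64
203.0.113.11 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php?file=/proc/self/environ HTTP/1.1" 200 700
203.0.113.12 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?file=contact.php HTTP/1.1" 200 480
"""

# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)

# Each rule is applied to a fully decoded parameter value.
RULES = [
    ("traversal", re.compile(r"\.\.[/\\]")),                         # ../ or ..\ sequences
    ("null_byte", re.compile(r"\x00")),                              # %00 truncation trick
    ("stream_wrapper", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),  # php://input, php://filter, ...
    ("proc_self", re.compile(r"^/proc/self/")),                      # /proc/self/environ and friends
]


def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    hits = []
    # parse_qsl already decodes once; the second unquote catches values such
    # as %252e%252e%252f that were double-encoded to slip past a filter.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        matched = [rule for rule, rx in RULES if rx.search(decoded)]
        if matched:
            hits.append({"param": name, "value": decoded, "rules": matched})
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "hits": hits}


def scan_log(text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for hit in finding["hits"]:
            print(f'{finding["ip"]:14} {finding["method"]:5} {hit["param"]}='
                  f'{hit["value"]!r} -> {", ".join(hit["rules"])}')
```

Running the script flags five of the seven constructed lines; the two ordinary page requests produce no finding. The rules are deliberately applied to the decoded value of every query parameter rather than only to `file`, because the vulnerable parameter name is not known in advance when reviewing a log.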

Mitigation of LFI attacks:

  • Hardening
  • Whitelist of allowable file extensions
  • Strong input validation
  • Run your code using the lowest privileges
  • Whitelist of acceptable inputs
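
The mitigations above can be combined in the code that turns a request parameter into a path to include. The following Python example is added here and is not the post's own code: it contrasts a naive join of user input onto a base directory (the behaviour that makes `include($_GET['file'])`-style code vulnerable) with a resolver that applies null-byte rejection, strict input validation, a whitelist of acceptable page names, a fixed file extension and a final containment check. The base directory, the page names and the `file` parameter are assumptions made for the example.

```python
import os
import re

# Assumed layout, constructed for this example: the application keeps the
# pages it may include under BASE_DIR, and only these page names appear in
# its own links. Neither value comes from the original post.
BASE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}
# Strong input validation: a short token of letters, digits, '_' or '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_unsafe(user_value, base=BASE_DIR):
    """The weak form: user input is joined onto the base directory with no
    validation, which is what include($_GET['file']) effectively does.
    Note that os.path.join discards the base entirely when the user value
    is an absolute path."""
    return os.path.normpath(os.path.join(base, user_value))


def resolve_safe(user_value, base=BASE_DIR, allowed=ALLOWED_PAGES):
    """The hardened form: returns the absolute path to include, or raises
    ValueError describing why the request was refused."""
    # Older PHP versions stopped reading a path at the first null byte, so
    # an appended extension could be cut off; refuse the byte outright.
    if "\x00" in user_value:
        raise ValueError("null byte in page name")
    # Strong input validation: traversal sequences, slashes and wrapper
    # schemes such as php:// cannot pass this pattern.
    if not NAME_RE.match(user_value):
        raise ValueError("page name contains disallowed characters")
    # Whitelist of acceptable inputs: the exact name must be known.
    if user_value not in allowed:
        raise ValueError("unknown page")
    # Whitelist of allowable file extensions: the application appends .php
    # itself, so the request can never choose the extension.
    candidate = os.path.realpath(os.path.join(base, user_value + ".php"))
    # Containment check as defence in depth: nothing outside the base
    # directory may be included even if the checks above are later relaxed.
    root = os.path.realpath(base)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes base directory")
    return candidate


def check(user_value):
    """Classify a request value as ('allowed', path) or ('rejected', reason)."""
    try:
        return ("allowed", resolve_safe(user_value))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    # Constructed request values covering the techniques discussed above.
    for value in ["about", "../../uploads/evil.php", "/etc/passwd",
                  "about\x00.jpg", "php://input", "admin"]:
        print(f"{value!r:28} unsafe -> {resolve_unsafe(value)}")
        print(f"{'':28} safe   -> {check(value)}")
```

The order of the checks matters less than the fact that the allowed set and the extension are fixed by the application: once the request can only pick one of a few known names, traversal, null bytes, stream wrappers and /proc paths have no input left to live in, and the containment check only guards against a future change that loosens the name pattern. Running the code under a low-privilege account, the remaining item in the list, limits what even a successful inclusion can read.
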
Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.