What is Local file inclusion (LFI)?
File Inclusion attack is similar to uploading attack. The difference is that uploading attack uses “uploading function” on a target site, but a file inclusion attack uses user supplied input maliciously.
Using the LFI we can execute shell command directly to the server. There are many ways to achieve this goal. With the LFI we found the following things:
- Server logs
- Mail logs
- File upload forms
- Code execution on the web server
- Code execution on the client-side
- Denial of Service (DoS)
- Sensitive Information Disclosure
We try to inject PHP code into server logs each time we use the LFI attack and execute it.We will have various problems and we will therefore look at several techniques.
The following is an example of PHP code that is vulnerable to LFI:
In the above example, an attacker could make the following request. It tricks the application into executing a PHP script as a web shell that the attacker managed to upload to the web server.
There are 5 ways to exploit LFI Vulnerability:
- Basic Local File Inclusion : In basic LFI attack we can directly read the content of a file from its directories using (../) or simply (/).
- Null Byte : In some cases the above local file inclusion attack may not work because of the high security level. I that case we have to intercept this request in the tool and just add the null character at the end of directory and forward this request.
- Base64 encode : Now there is another way to exploit LFI when the security level is high and you are unable to view the PHP file content, and then use the following PHP function.
- PHP Input : Using PHP input function we will execute injected PHP code to exploit LFI vulnerability.
- Proc/self/environ: If the server is outdated then to exploit it through LFI we can include proc/self/environ file that stores User_Agent where we will place our PHP code for executing CMD command
http://example.com/?file=../../uploads/evil.php
In this case, the user running the web application is included and runs the file downloaded by the hacker. This would allow an attacker to execute any malicious code that is on the database. An attacker does not always have the ability to upload a malicious file to the application. Even though they did, there is no guarantee that the application will save your LFI vulnerability file on the same server. Even then, the attacker would still need to know the disk path to the uploaded file.
Mitigation of LFI attack:
- Hardening
- Whitelist of allowable file extensions
- Strong input validation
- Run your code using the lowest privileges
- Whitelist of acceptable inputs