Introduction to LFI
Local File Inclusion (LFI) is a vulnerability that allows an attacker to read files that are stored on the (local) web server, through the vulnerable web application. In some cases the attacker is able to upload a shell script and gain access to the files stored in the user’s directories.

This happens because the web application does not properly validate the file name it receives as an input parameter.

Exploitation
Let's have a look at the following PHP code, which is often used to build site navigation:

This code includes a file into the site. Assuming this vulnerable code is running on our website, the URL could look like:

What happens is that the file home.php is included in the page. This can be exploited as follows:

This will include the (local) file /etc/passwd and display its content on the website.

Here is another piece of PHP code:

This code also includes a file into the site, but this time it appends .php to the file name. The URL could look like:

What happens is that the script reads the content of the variable file, which is home in this example, and appends .php to it. The result is home.php, which the script then includes in the page.

Now, you may think that this solves the LFI problem, because if you try to include /etc/passwd the script will append .php to the file name. Unfortunately it does not, because of Null Byte Injection.

Null Byte Exploitation
Null Byte Injection is an exploitation technique used to bypass sanity-checking filters in web applications by adding a URL-encoded null byte character such as %00 or 0x00. A null byte marks the end of a string, which means the string is not processed any further: anything after the null byte is ignored.

In this case it is still possible to display the local file /etc/passwd by entering the following URL:


Preventing Local File Inclusion
There are several ways to protect against Local File Inclusion attacks. The two most common options are secure coding and hardening PHP.

To prevent LFI attacks from the application level, the following PHP code can be used:

When the file parameter is tampered with, the script does nothing.

To prevent Local File Inclusion attacks from within PHP, enable open_basedir. open_basedir limits the files that PHP can access to the specified directory tree. This is configured in the php.ini file.
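The two defences described above (an allow-list in application code, and open_basedir at the PHP level) combined in one script. This is an added example written for this article and not the article's own code; the pages directory, the page names home, contact and about, and the open_basedir path are assumptions.

```php
<?php
// Added example (not the article's own code): an allow-list based include.
// The vulnerable pattern discussed in the article passes the request
// parameter straight to include(); here the parameter is only ever used as a
// key into a fixed list of page names, so "../../etc/passwd", a name with a
// trailing null byte, or "home.php" are all rejected before any file access.
// Assumed layout: pages live in ./pages/<name>.php (constructed example).

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Allow-list: the only page names the application accepts (assumed names).
const ALLOWED_PAGES = ['home', 'contact', 'about'];

/**
 * Resolve a user-supplied page name to a file path, or return null.
 * The comparison is strict and exact; the input is never normalised,
 * decoded or trimmed, so there is nothing to bypass in a filter.
 */
function resolvePage(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = PAGE_DIR . '/' . $requested . '.php';

    // Defence in depth: confirm the file really lives inside PAGE_DIR even
    // after symlink resolution, and that it exists.
    $base = realpath(PAGE_DIR);
    $real = realpath($path);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// PHP-level hardening: open_basedir may be tightened (never loosened) from a
// script at runtime. The php.ini equivalent for a site under /var/www/html
// (assumed path) is:
//   open_basedir = /var/www/html
ini_set('open_basedir', __DIR__);

$requested = $_GET['file'] ?? 'home';
$file = resolvePage($requested);

if ($file === null) {
    // Tampered or unknown parameter: do nothing beyond a generic error.
    http_response_code(400);
    echo 'Unknown page';
} else {
    include $file;
}
```

Because the allow-list is checked before the file name is built, the null byte trick has nothing to terminate: a request for home%00 simply fails the in_array() comparison. PHP 5.3.4 and later also reject paths containing a null byte in include(), but the allow-list does not rely on that behaviour, and open_basedir catches any remaining file access outside the web root.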

In this article, a more advanced attack scenario regarding LFI is explained: how LFI can lead to shell access.
