
Introduction To Local File Inclusion


Hello, we already talked about Cross Site Scripting attacks and how to exploit them; today I will introduce the Local File Inclusion vulnerability and how it can be exploited.
First of all, LFI is an old vulnerability, but it still works!
So what will you learn from this article?
- 1) What is the Local File Inclusion vulnerability
- 2) What are the risks of an LFI vulnerability
- 3) How can I exploit an LFI vulnerability
- 4) Bypassing LFI security with some tricks
1 - What is Local File Inclusion?
Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.



(Source: Wikipedia)
So, as the definition says, local file inclusion means including files that are already on the current server; you cannot include an external file from an external URL. Local file inclusion is due to the use of user input without proper validation. That means you can include sensitive files (e.g. the /etc/passwd file on Linux or boot.ini on Windows), and you can also read the source of any PHP file on the server; we will see that method later.
2 - What are the Risks of Local File Inclusion?
Using a local file inclusion vulnerability, you can read sensitive files on the server that a normal user cannot read. You can even run PHP code or read the source code of any PHP file. LFI is now often protected with some PHP tricks, but we will talk later about bypassing that protection.
3 - How can I exploit a Local File Inclusion vulnerability?
LFI is due to the use of user-supplied input without proper validation, so to exploit LFI we need to supply that input as a normal user.
First of all, let's look at a simple example of PHP code vulnerable to local file inclusion.
<?php
// Deliberately vulnerable: the file name comes straight from the URL with no validation
$file = $_GET['file'];
include($file);
?>
So this is our vulnerable script. As you can see, the PHP script first reads an input called "file" from the GET parameters and then includes it.
For example: 127.0.0.1/lfi.php?file=index.php
index.php will be shown in the page.
You can see here, in this screenshot, that we are testing an LFI-vulnerable page on BTS Lab, so let's see if we can include any file.
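As an added example that is not the post's own code, here is the same include logic written safely: the user-supplied name is checked against an allowlist of page names (the real fix), and the resolved path is then checked with realpath() to confirm it stays inside the pages directory (defence in depth). The pages/ directory and the three page names are assumptions made for this example.

```php
<?php
// Added example, not the original post's code: a hardened replacement for
//   $file = $_GET['file']; include($file);
// Assumptions (made up for this example): the includable pages live in
// ./pages/ with a .php extension and are limited to the names listed below.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['index', 'news', 'contact'];

/**
 * Map the user-supplied "file" parameter to a safe path, or return null.
 * Two independent checks: an allowlist of page names (the real fix) and a
 * realpath() containment check as defence in depth.
 */
function resolve_page(string $requested): ?string
{
    // 1. Allowlist: only bare page names are accepted, so "../", "/", a null
    //    byte or a "php://" wrapper can never reach include().
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Containment: the resolved path must sit inside PAGES_DIR.
    //    realpath() returns false for a missing file, which fails closed.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? 'index';
$path = resolve_page($requested);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

With this version, every payload discussed later in the article (../ traversal, %00, path truncation, php://filter, /proc/self/environ) fails at the allowlist step, and the realpath() check catches any future mistake in how the allowlist is maintained.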



As you can see, it is including the news.php file; let's try to include index.php and see what happens.


Bingo! We used directory traversal (../) to change our path and successfully included index.php. We can also include the /etc/passwd file on Linux to get all the server's users, or the boot.ini file on Windows.
But, as I said, sometimes we can't include some files because of security measures, so here I will show you how to bypass LFI security and read source code using local file inclusion!
4 - Bypass LFI Security and Some Tricks
First of all, let's see how to bypass LFI security.
Actually, there are 3 principal methods to bypass LFI security.
First, let's imagine that we have this script:
<?php
// A ".txt" extension is appended, so only text files are meant to be includable
$file = $_GET['file'];
include($file.".txt");
?>
Our script can only include text files, and we can't include PHP files or other important files :-( Don't worry, here I will show you how to bypass this security.
You can see here that there is an error when including index.php: it says it can't include index.php.txt!



A - Null Byte
We can bypass the extension check with a simple method: append a null byte (%00) to the file name, so that the included file becomes "index.php" instead of "index.php.txt". This method no longer works on current PHP versions, but you can still use it on some websites just for checking, like here, where we bypass the extension check using a null byte.
Example: http://localhost/btslab/vulnerability/lfi/LFI.php?file=../../../index.php
B - Path Truncation
Path truncation bypasses a PHP limit: for PHP versions lower than 5.3 we can use this method. You just have to add 4096 characters after the file name (add 2050 "/." sequences after the file name).
For example: http://localhost/btslab/vulnerability/lfi/LFI.php?file=../../../index.php/./././././....[ 4096 ] /.

If the truncation doesn't work, just add "x/../" to the file name so it becomes "x/../index.php".

C - Dot Truncation
This method works on Windows only. It is like path truncation, but you replace "/." with ".", as you can see here:


So these are the 3 methods to bypass LFI security. You can also use the Python script made by our team to bypass LFI security.
How can I execute or read PHP scripts using LFI?
First, let's start with executing a PHP script. Let's try to include /proc/self/environ.
If you see the content of /proc/self/environ on the page, that means you can execute your PHP code easily by changing your User-Agent to your PHP code; you can change your User-Agent using many methods, such as a user-agent switcher extension for Chrome or Firefox.
Second, how can I read PHP files using LFI?
We will use a trick based on the php://filter wrapper.
So our link will be: localhost/lfi.php?page=php://filter/convert.base64-encode/resource=yourphpfile.php
Then you will get the base64-encoded PHP code; you just have to decode it, for example with one of the many websites that let you encode and decode base64 strings.
Finally, I hope you understand this vulnerability. Don't be shy to contact us through our Facebook page or in the comments. Thanks.
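From the defender's side, every trick in this article (directory traversal, the null byte, path and dot truncation, the php:// wrappers, /proc/self/environ and PHP code in the User-Agent) leaves a recognisable trace in the web server's access log. As an added example that is not part of the original post, the following PHP script scans access-log lines for those patterns. The log lines are constructed for the example, and the regular expressions are my own, not taken from any tool the post mentions.

```php
<?php
// Added example, not the original post's code: flag the LFI patterns described
// in the article when they appear in access-log lines. The log lines below are
// constructed for this example (Apache/nginx "combined" format).

const LFI_SIGNATURES = [
    'traversal'       => '~(?:\.\./|\.\.\\\\|%2e%2e(?:%2f|%5c))~i',
    'null_byte'       => '~%00~',            // the %00 trick is only visible in the raw URI
    'path_truncation' => '~(?:/\.){10,}~',   // long runs of "/." (PHP < 5.3 path truncation)
    'dot_truncation'  => '~\.{10,}~',        // long runs of "." (Windows dot truncation)
    'php_wrapper'     => '~\b(?:php|data|expect|zip|phar)://~i',
    'proc_environ'    => '~/proc/self/environ~i',
    'sensitive_file'  => '~(?:/etc/passwd|boot\.ini)~i',
];

// Return the signature names matching a request URI. The URI is tested both raw
// and URL-decoded so that %2e%2e%2f-style encodings are caught as well.
function classify_request(string $uri): array
{
    $hits = [];
    foreach (LFI_SIGNATURES as $name => $regex) {
        foreach ([$uri, rawurldecode($uri)] as $candidate) {
            if (preg_match($regex, $candidate)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// Parse combined-format lines and return one finding per suspicious request.
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "([^"]*)"~', $line, $m)) {
            continue; // not a combined-format line
        }
        $uri = $m[1];
        $userAgent = $m[2];
        $tags = classify_request($uri);
        // The /proc/self/environ technique plants PHP code in the User-Agent header.
        if (preg_match('~<\?php~i', $userAgent)) {
            $tags[] = 'php_tag_in_user_agent';
        }
        if ($tags) {
            $findings[] = ['line' => $index + 1, 'uri' => $uri, 'tags' => $tags];
        }
    }
    return $findings;
}

// Constructed sample log: one benign request followed by the article's tricks.
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /lfi.php?file=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /lfi.php?file=../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /lfi.php?file=../../../index.php%00 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /lfi.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /lfi.php?file=../../../proc/self/environ HTTP/1.1" 200 900 "-" "<?php echo 1; ?>"',
];

foreach (scan_log($sampleLog) as $f) {
    printf("line %d: %s -> %s\n", $f['line'], $f['uri'], implode(', ', $f['tags']));
}
```

Run with `php scan.php`; the first (benign) line produces no finding, while each of the other four is reported with the matching signature names. The long-run thresholds for path and dot truncation are deliberately low so that the detector also catches shortened probes; on a real log you would tune them against your own traffic.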

