Secondary Categories: 02-Web Application


Description:

There are two different types of File Inclusion attack methods: local and remote. With Local File Inclusion (LFI), the attacker is able to retrieve a file that is stored locally on the victim's machine, which is usually a web server hosting a website. The other type is Remote File Inclusion (RFI), which is triggered when the victim's web server retrieves external files.

  • Local File Inclusion (LFI):

    • A piece of vulnerable code looks similar to the following:
    <?php
    // User-controlled value taken straight from the query string
    $template = $_GET['template'];
    include("/" . $template . ".php"); //<-- Vulnerable !!
    ?>

    As you can see, the code above includes a PHP file from the current directory. On Linux web servers the web directory is usually the /var/www/ folder. If the attacker is targeting a Linux web server, they can try to retrieve files from the system such as /etc/shadow, which contains the users and their respective password hashes. Local files are retrieved in much the same way as traversing the file system or changing directories, like so: “cat ../../../../etc/shadow”. This Linux command outputs the shadow file; the same traversal sequence passed in the URL outputs it to the web server's page. So the attacker would use something similar to:

    http://vulnsite.com/index.php?template=../../../../../etc/shadow

    A %00 is usually added to the end of the URL. The web server treats it as a NULL character, and everything after the %00 (here, the .php extension the code appends) is voided or ignored.
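
    For comparison with the vulnerable include above, here is a hardened loader. It is an added example, not code from the original page; the function name resolve_template, the ALLOWED_TEMPLATES list and the template directory are assumptions made for illustration.

```php
<?php
// Added example: hardened counterpart to the vulnerable include above.
// ALLOWED_TEMPLATES, resolve_template() and the directory layout are hypothetical.
const ALLOWED_TEMPLATES = ['home', 'about', 'contact'];

function resolve_template($name, string $baseDir): ?string
{
    // $_GET values can be arrays; reject those and any embedded NUL byte.
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // Allowlist: only known template names are ever turned into a path.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // Defence in depth: canonicalise, then require the result to stay inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: throwaway template directory and sample parameter values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home';\n");

$samples = ['home', 'about', '../../../../../etc/shadow', "home\0", ['home']];
foreach ($samples as $input) {
    $path = resolve_template($input, $dir);
    echo json_encode($input), ' => ', $path === null ? 'rejected' : "include $path", "\n";
}

unlink($dir . '/home.php');
rmdir($dir);

// In the request handler:
//   $path = resolve_template($_GET['template'] ?? 'home', __DIR__ . '/templates');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

    Only the first sample resolves to a path. The allowlisted name with no file on disk, the traversal string, the NUL-terminated name and the array value are all rejected before include is reached.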

