/*
Title: Local File Inclusion
Description: Search engine meta data about the finding
*/
- LAST UPDATED DATE: 12 - 13 - 15
- LAST UPDATED BY: Mike Hodges
Summary
Local File Inclusion (LFI) allows an attacker to include files that are already present locally on the server
by exploiting a flawed file inclusion procedure.
Capabilities and Risk
- Could allow attackers to access arbitrary files on the system, leading to
potential information disclosure
- In more serious cases, LFI can lead to remote code execution on the server and
complete compromise of the system. (https://www.exploit-db.com/papers/12886/)
Detection
- Identify scripts that take filenames as parameters
- Use directory traversal sequences in the filename parameter in order to access
a file that is known to be present on the system
- If not immediately successful, attempt to identify the filter being used
and craft input that attempts to bypass it
Remediation
Implement file inclusion procedures that properly sanitize all input.
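One way to implement such a procedure, shown as an added example rather than code from the original finding or from OWASP: the `file` parameter is only used as a key into an allowlist, and the resolved path is checked to sit under a fixed base directory. `BASE_DIR`, `ALLOWED_PAGES`, `resolve_page()` and the page names are hypothetical.

```php
<?php
// Added example: hardened replacement for an include driven by ?file=...
// BASE_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names.
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file on disk.
// User input selects an entry; it never becomes part of the path.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $requested): ?string
{
    // Reject the %00 trick outright instead of relying on later truncation.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Traversal sequences such as ../../etc/passwd are not keys, so they fail here.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    // Defence in depth: the canonical path (symlinks resolved) must stay under BASE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$file = $_GET['file'] ?? '';
// ?file[]=x arrives as an array; treat anything that is not a string as invalid.
$path = is_string($file) ? resolve_page($file) : null;

if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

include $path;
```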
References
- https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
- http://hakipedia.com/index.php/Local_File_Inclusion
- https://www.exploit-db.com/papers/12886/
Exploitation
Consider the code below (Credit: owasp.org)
The code is normally used like this:
http://vulnerable_host/preview.php?file=myFile
However an attacker can exploit the lack of sanitization by using null-byte terminators, %00, to effectively end the string before .php is added:
http://vulnerable_host/preview.php?file=../../../../etc/passwd%00
This would return results like the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash