Local File Inclusion (LFI)

What is Local File Inclusion (LFI)?
Local File Inclusion (LFI) is a high-severity vulnerability that arises when an application lets an attacker control which local file it includes. File inclusion itself is a normal way of keeping code modular and easy to maintain; the problem arises when the file to include is built from unvalidated user input. An attacker who can also upload files (for example a backdoor.php) can combine the two weaknesses: upload the backdoor, then use the LFI to include and execute it.
What can an attacker do by exploiting LFI?
Depending on how the included file is used, LFI leads to other high-risk issues such as Cross-Site Scripting (XSS) and Remote Code Execution (RCE). If the attacker achieves RCE, he can run commands and obtain a shell, and with it complete access to the server. If the included content is rendered in the browser instead, the attacker gets XSS and can steal sensitive information such as session identifiers and tokens. Even when nothing is executed, LFI still discloses the contents of files the attacker should not be able to read, as Examples 2 and 3 show.
Example 1 - Inclusion of executable files:
Suppose an application includes a file named by a GET parameter, as in the following URL:

https://vulnerablesite.com?filename=report.php

Now, let's assume that the following code is used to load report.php from the GET parameter:

$file_name = $_GET['filename'];        // attacker-controlled value, used as-is
include('directory/' . $file_name);    // no validation: ../ sequences in the value are honoured

As we can observe, the code uses the GET parameter without any validation or sanitization. An attacker who has already uploaded a malicious file can include it by walking up the directory tree with ../ sequences, as in the following request:

https://vulnerablesite.com?filename=../../../uploads/backdoor.php

Because include() hands the file to the PHP interpreter, the backdoor is not merely read but executed, and the LFI is exploited for code execution.

Example 2 - Inclusion of non-executed file:
Suppose an application prints the contents of a file named by a GET parameter, as in the following URL:

https://vulnerablesite.com?logfile=18-01-2020.log

The attacker can abuse this to read a local file that contains sensitive information, as in the following request:

https://vulnerablesite.com?logfile=../../../etc/passwd

The contents of /etc/passwd are printed in the response and sensitive information is disclosed. Here the file is read and echoed rather than executed, so the attacker receives its source text; this variant is what makes LFI useful for reading configuration files and application source code.

Example 3 - Downloading an inaccessible file:
Suppose an application lets a user download a file named by a GET parameter, as in the following URL:

https://vulnerablesite.com?download=report.csv

If this feature is vulnerable to LFI, the attacker can use it to download a local file that is not accessible otherwise, as in the following request:

https://vulnerablesite.com?download=../../../Include/configuration.php

The configuration file is served as a download instead of being executed, and sensitive information such as the database connection settings is disclosed.
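The page shows no code for Examples 2 and 3, so the following added example (not the original page's code) reconstructs the kind of handler that produces each behaviour. The parameter names follow the URLs above; the directory names logs/ and exports/ are assumptions.

```php
<?php
// Added example, not from the original page: hypothetical handlers that
// exhibit the vulnerable pattern behind Example 2 and Example 3.
// Parameter names (logfile, download) follow the URLs in the examples;
// the directories logs/ and exports/ are assumptions.

// Example 2: a log viewer that prints a file chosen by the user.
// 'logs/' . '../../../etc/passwd' resolves to /etc/passwd once enough
// '../' segments have walked out of the log directory, so the passwd
// file is echoed to the browser instead of a log.
if (isset($_GET['logfile'])) {
    $path = 'logs/' . $_GET['logfile'];    // no validation of the name
    header('Content-Type: text/plain');
    readfile($path);                       // prints whatever the path points to
    exit;
}

// Example 3: a download handler that serves a file chosen by the user.
// The bytes are sent as an attachment rather than passed to the PHP
// interpreter, so ../../../Include/configuration.php leaks its source
// (database credentials included) instead of running.
if (isset($_GET['download'])) {
    $path = 'exports/' . $_GET['download']; // same unvalidated concatenation
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="download"');
    readfile($path);                        // serves any file PHP can read
    exit;
}
```

In both handlers the root cause is identical to Example 1: a user-supplied string is concatenated onto a directory prefix and used as a path. Only the sink differs (readfile() versus include()), which decides whether the attacker gets the file's contents or its execution.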

How to prevent LFI?
A developer can prevent LFI in several ways:

  • Whitelist the allowed filenames and reject anything else; treat the user value as a lookup key into that list, not as part of a path.
  • Restrict path traversal: canonicalize the path (for example with realpath()) and verify that it still resolves inside the intended directory. Stripping "../" with a simple string replace is not sufficient.
  • Store file paths in the database and expose only IDs to the client, so the user never supplies a path or filename at all.
  • Remove execute permission from directories such as upload and download, and configure the web server not to run scripts from them, so an uploaded backdoor cannot be executed directly.
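The following added example (not the original page's code) applies the first three defenses to the three handlers from the examples above: a whitelist for the report include, realpath() containment for the log viewer, and an ID map for the download. The directory names, the report allow-list and the download ID map are illustrative assumptions.

```php
<?php
// Added example, not from the original page: hardened versions of the
// three handlers. Directory names, the report allow-list and the ID map
// are assumptions for illustration; a real application would load the
// ID map from its database.

// 1. Whitelist: the user value is a key into a fixed list and is never
//    concatenated into the path, so traversal sequences are simply unknown keys.
const ALLOWED_REPORTS = ['report' => 'report.php', 'summary' => 'summary.php'];

function include_report(string $name): void
{
    if (!array_key_exists($name, ALLOWED_REPORTS)) {
        http_response_code(404);
        exit('unknown report');
    }
    include __DIR__ . '/directory/' . ALLOWED_REPORTS[$name];
}

// 2. Restrict traversal: canonicalise with realpath() and require the result
//    to stay under the log directory. realpath() collapses '../' and symlinks,
//    so '../../../etc/passwd' becomes '/etc/passwd' and fails the prefix check.
//    A naive str_replace('../', '', $name) would be bypassed by '....//'.
function read_log(string $name): string
{
    $base   = realpath(__DIR__ . '/logs');
    $target = realpath($base . '/' . $name);   // false if the file does not exist
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(403);
        exit('access denied');
    }
    return file_get_contents($target);
}

// 3. IDs instead of paths: the client sends an opaque ID and the server
//    resolves it to a path it chose itself.
const DOWNLOADS = [
    '1' => '/var/www/exports/report.csv',
    '2' => '/var/www/exports/invoices.csv',
];

function send_download(string $id): void
{
    if (!isset(DOWNLOADS[$id])) {
        http_response_code(404);
        exit('no such file');
    }
    header('Content-Type: text/csv');
    header('Content-Disposition: attachment; filename="' . basename(DOWNLOADS[$id]) . '"');
    readfile(DOWNLOADS[$id]);
}

// Dispatch; parameter names follow the URLs in the examples above.
if (isset($_GET['filename'])) {
    include_report((string) $_GET['filename']);
} elseif (isset($_GET['logfile'])) {
    header('Content-Type: text/plain');
    echo read_log((string) $_GET['logfile']);
} elseif (isset($_GET['download'])) {
    send_download((string) $_GET['download']);
}
```

The fourth defense is a web-server setting rather than application code: with mod_php, `php_admin_flag engine Off` in the upload directory's configuration stops PHP from executing files requested directly from it (with php-fpm, do not pass requests for that directory to the FastCGI backend). Note that this only blocks direct requests; a file pulled in through include() is still executed, which is why the whitelist in include_report() is the control that actually matters for Example 1.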
