1.Local File Inclusion (LFI)

Key Takeaways: Local File Inclusion (LFI) Attacks

Basic LFI

• Exploits a parameter that directly includes a file.

• Example:

  ### Directly includes a file based on user input
  include($_GET['language']);

  • Allows reading local files by manipulating the parameter.

Path Traversal

• Bypasses directory restrictions using relative paths (../).

• Example:

  ### Uses relative path traversal to escape intended directory
  include("./languages/" . $_GET['language']);

  • Enables escaping the intended directory to access other files.

Filename Prefix Handling

• Some applications prepend a prefix to included filenames.

• Example:

  ### Bypassing filename prefix by treating it as a directory
  include("lang_" . $_GET['language']);

  • Can be bypassed by using / to treat the prefix as a directory.

Appended Extensions Bypass

• Some implementations append extensions like .php.

• Example:

  ### Bypassing appended extensions
  include($_GET['language'] . ".php");

  • Common bypasses include null byte injections and PHP wrappers (discussed below).

Second-Order LFI

• Occurs when LFI is exploited through indirect user input (e.g., database entries).

• Example:

  ### Injecting LFI payload via user-controlled database input
  $username = getUsernameFromDB($_GET['id']);
  include($username);

  • Highlights the importance of sanitizing all user-controlled data.

Platform Agnostic Nature

• LFI techniques apply across various backend languages and frameworks.

---

Additional Considerations

Null Byte Injection (Older PHP)

• In older PHP versions, appending a null byte (%00) could truncate the filename and bypass appended extensions.

• Example:

  ### Exploiting null byte injection to bypass extension appending
  include("/etc/passwd%00");

  • This is less effective in modern PHP versions.

PHP Wrappers and Filters

• PHP wrappers like php://filter allow encoding/decoding files, enabling attackers to read source code even if it’s executed.

• Example:

  ### Using PHP wrappers to read source code
  include("php://filter/convert.base64-encode/resource=index.php");

Log File Poisoning

• Attackers can inject data into log files and later include those logs using LFI to execute arbitrary code.

• Often used for achieving Remote Code Execution (RCE).

Error Handling

• Detailed error messages should be disabled in production environments.

• Attackers can leverage errors to map the server's file structure.

Input Sanitization

• Proper validation and sanitization of user input prevent LFI vulnerabilities.

• Whitelisting allowed characters and file paths is a best practice.

Security Headers

• While not a direct mitigation, security headers add an additional layer of defense against exploitation.