File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application.

The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a “reading” mechanism implemented in the target application

Local file Inclusion :

 Path traversal attacks, also known as the dot-dot-slash attack, take advantage of moving the directory one step up using the double dots ../. If the attacker finds the entry point, which in this case get.php?file=, then the attacker may send something as follows, http://webapp.thm/get.php?file=../../../../etc/passwd



Suppose there isn’t input validation, and instead of accessing the PDF files at /var/www/app/CVs location, the web application retrieves files from other directories, which in this case /etc/passwd. Each .. entry moves one directory until it reaches the root directory /. Then it changes the directory to /etc, and from there, it read the passwd file.

LocationDescription
/etc/issuecontains a message or system identification to be printed before the login prompt.
/etc/profilecontrols system-wide default variables, such as Export variables, File creation mask (umask), Terminal types, Mail messages to indicate when new mail has arrived
/proc/versionspecifies the version of the Linux kernel
/etc/passwdhas all registered user that has access to a system
/etc/shadowcontains information about the system’s users’ passwords
/root/.bash_historycontains the history commands for root user
/var/log/dmessagecontains global system messages, including the messages that are logged during system startup
/var/mail/rootall emails for root user
/root/.ssh/id_rsaPrivate SSH keys for a root or any known valid user on the server
/var/log/apache2/access.logthe accessed requests for Apache  webserver
C:\boot.inicontains the boot options for computers with BIOS firmware

LFI Attack : 

http://taget.com/somethig.php?file= /etc/passwd<payload>

always try to put it on url

bypasses:

https://target.com/something.php?file=../../../../etc/passwd

https://target.com/something.php?file=../../../../etc/passwd%00

https://target.com/something.php?file=../../../../etc/passwd0x00

https://target.com/something.php?file=%2f..%2f..%2f..%2fetc/passwdhttps://target.com/something.php?file=%2f..%2f..%2f..%2fetc/passwd%00

Impacts of an Local File Inclusion Vulnerability: 

An attacker would be able to get access to the following by exploiting LFI Vulnerability:

  • Information Disclosure of files stored in Web Server
  • Passwords/Database Access
  • Log Files
  • Complete System Compromise

Remediation File Inclusion(LFI) Vulnerability:

  • One should not allow the file path that could be modified directly either it should be hardcoded or to be selected via hardcoded path list.
  • One must make sure that the required should have dynamic path concatenation i.e must contain (a-z) (0-9) instead of (/, /% etc)
  • There should be specific limit the API so that only inclusion from directories under it work so that Directory Traversal attack could not take place in this situation