File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a “dynamic file inclusion” mechanism implemented in the target application.
The Path Traversal vulnerability allows an attacker to access a file, usually by exploiting a “reading” mechanism implemented in the target application.
Local File Inclusion:
Path traversal attacks, also known as dot-dot-slash attacks, take advantage of moving up one directory at a time using the double dots ../. If the attacker finds the entry point, which in this case is get.php?file=, then the attacker may send something like the following: http://webapp.thm/get.php?file=../../../../etc/passwd
Suppose there is no input validation. Instead of accessing the PDF files at the /var/www/app/CVs location, the web application retrieves files from other directories, which in this case is /etc/passwd. Each .. entry moves up one directory until it reaches the root directory /. Then it changes the directory to /etc, and from there it reads the passwd file.
| Location | Description |
|---|---|
| /etc/issue | Contains a message or system identification to be printed before the login prompt. |
| /etc/profile | Controls system-wide default variables, such as export variables, file creation mask (umask), terminal types, and mail messages to indicate when new mail has arrived. |
| /proc/version | Specifies the version of the Linux kernel. |
| /etc/passwd | Lists all registered users that have access to the system. |
| /etc/shadow | Contains information about the system's users' passwords. |
| /root/.bash_history | Contains the command history for the root user. |
| /var/log/dmessage | Contains global system messages, including the messages that are logged during system startup. |
| /var/mail/root | All emails for the root user. |
| /root/.ssh/id_rsa | Private SSH keys for root or any known valid user on the server. |
| /var/log/apache2/access.log | The logged requests for the Apache web server. |
| C:\boot.ini | Contains the boot options for computers with BIOS firmware. |
LFI Attack:
http://target.com/something.php?file=/etc/passwd<payload>
Always try placing the payload in the URL.

bypasses:
https://target.com/something.php?file=../../../../etc/passwd
https://target.com/something.php?file=../../../../etc/passwd%00
https://target.com/something.php?file=../../../../etc/passwd0x00
https://target.com/something.php?file=%2f..%2f..%2f..%2fetc/passwd
https://target.com/something.php?file=%2f..%2f..%2f..%2fetc/passwd%00
Impacts of a Local File Inclusion Vulnerability:
By exploiting an LFI vulnerability, an attacker would be able to get access to the following:
- Information Disclosure of files stored in Web Server
- Passwords/Database Access
- Log Files
- Complete System Compromise
Remediation of Local File Inclusion (LFI) Vulnerability:
- Do not allow the file path to be modified directly; it should either be hardcoded or selected from a hardcoded list of paths.
- If dynamic path concatenation is required, make sure the supplied value contains only safe characters (a-z, 0-9) and not characters such as /, % etc.
- Restrict the API to a specific directory so that only inclusion from that directory and the directories under it works; a directory traversal attack then cannot take place.
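
The character allow-list and directory confinement from the remediation list, as an added example (not code from the original page): a hardened resolver for the file parameter of get.php, run against the bypass strings listed earlier plus a symlink planted inside the directory. The function name resolve_cv, the ".pdf" naming rule and the temporary directory standing in for /var/www/app/CVs are assumptions.

```php
<?php
// Added example, not the page's code. Assumption: CVs are flat files named
// like "cv1.pdf" directly under /var/www/app/CVs.
const CV_DIR = '/var/www/app/CVs';

// Returns the canonical path to serve, or null when the request is rejected.
function resolve_cv(string $requested, string $baseDir = CV_DIR): ?string
{
    // Character allow-list: a-z and 0-9 plus a fixed ".pdf" suffix. This
    // refuses "/", "..", "%" and NUL bytes before any filesystem access.
    if (preg_match('/\A[a-z0-9]{1,64}\.pdf\z/', $requested) !== 1) {
        return null;
    }
    // Directory confinement: canonicalise (resolving symlinks) and require
    // the result to stay under the base directory.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed self-check: a temporary directory stands in for CV_DIR.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cvs_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/cv1.pdf', '%PDF-1.4 constructed sample');
@symlink('/etc/passwd', $dir . '/link.pdf'); // passes the name check, fails confinement
$cases = [
    'cv1.pdf',
    'link.pdf',
    '../../../../etc/passwd',
    '../../../../etc/passwd%00',
    '%2f..%2f..%2f..%2fetc/passwd',
    'cv1.pdf%00',
];
foreach ($cases as $raw) {
    // PHP URL-decodes $_GET values once before the script sees them.
    $value = urldecode($raw);
    $verdict = resolve_cv($value, $dir) === null ? 'rejected' : 'served';
    printf("%-30s %s\n", $raw, $verdict);
}
@unlink($dir . '/link.pdf');
unlink($dir . '/cv1.pdf');
rmdir($dir);
```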