The definitive guide for LFI vulnerability security testing for bug hunting & penetration testing engagements.
Introduction
The intent of this document is to help penetration testers and students identify and test LFI vulnerabilities on future penetration testing engagements by consolidating research on local file inclusion (LFI) testing techniques. LFI vulnerabilities are typically discovered during web app pen tests using the techniques contained within this document. Additionally, some of the techniques mentioned in this paper are also commonly used in CTF style competitions.
Main Chapters
- What is a Local File Inclusion (LFI) vulnerability?
- Identifying LFI Vulnerabilities within Web Applications
- PHP Wrappers
- LFI via /proc/self/environ - Null Byte Technique
- Truncation LFI Bypass
- Log File Contamination
- Email a Reverse Shell
What is a Local File Inclusion (LFI) vulnerability?
Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.
The following is an example of PHP code vulnerable to local file inclusion.
<?php
// Vulnerable: the 'file' parameter is used in include() without any validation
$file = $_GET['file'];
if (isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>
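As an added example (not code from the original guide), the following is a hardened rewrite of the vulnerable snippet above. It assumes a pages/ directory next to the script and three page names of my own choosing; the two controls it applies, an allowlist of page names and a realpath() containment check, each block the ../../etc/passwd and php://input inputs used later in this guide.

```php
<?php
// Added example (not from the original guide): a hardened version of the
// vulnerable include above. Two independent controls are applied:
//   1. an allowlist mapping the URL parameter to fixed file names, and
//   2. a realpath() check that the resolved file lies inside pages/.
// Either control alone blocks "../../etc/passwd" and "php://input"; together
// they also survive a later mistake in one of them.

const PAGES_DIR = __DIR__ . '/pages';   // assumed layout: pages/ next to this script

// Allowlist (assumed page names). Anything not listed is rejected before the
// filesystem is touched, so traversal characters never reach include().
const ALLOWED_PAGES = [
    'index'   => 'index.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/**
 * Resolve the 'file' parameter to a safe absolute path, or return null for
 * anything outside the allowlist or outside PAGES_DIR.
 */
function resolvePage(?string $requested): ?string
{
    if ($requested === null || !isset(ALLOWED_PAGES[$requested])) {
        return null;                                   // not on the allowlist
    }
    $candidate = PAGES_DIR . '/' . ALLOWED_PAGES[$requested];

    // realpath() canonicalises ".." and symlinks; it returns false for files
    // that do not exist and for stream wrappers such as php://input.
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    // Defence in depth: confirm the resolved path is still inside pages/.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// ?file[]=x would arrive as an array; treat anything that is not a string as absent.
$raw  = $_GET['file'] ?? 'index';
$page = resolvePage(is_string($raw) ? $raw : null);

if ($page === null) {
    http_response_code(404);
    echo 'Page not found';
} else {
    include $page;
}
```

The allowlist is the control that matters; the realpath() check is there so that a future edit that weakens the allowlist (for example, accepting the raw parameter as a file name) still cannot include anything outside pages/.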
Identifying LFI Vulnerabilities within Web Applications
LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web server is a good candidate for further LFI testing, for example:
/script.php?page=index.html
A penetration tester would attempt to exploit this vulnerability by manipulating the file location parameter, such as:
/script.php?page=../../../../../../../../etc/passwd
The above is an effort to display the contents of the /etc/passwd file on a UNIX / Linux based system.
Below is an example of a successful exploitation of an LFI vulnerability on a web application:
PHP Wrappers
PHP has a number of wrappers that can often be abused to bypass various input filters.
PHP Expect Wrapper
PHP's expect:// wrapper allows execution of system commands; however, the expect PHP module is not enabled by default.
php?page=expect://ls
With the php://input wrapper the payload is sent in the body of a POST request to the server, such as:
/fi/?page=php://input&cmd=ls
Example using php://input against DVWA:
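From the defender's side, the request patterns shown in the identification and PHP wrapper sections above are what should be looked for in web server logs. The following is an added example (not from the original guide or DVWA): a small PHP CLI scanner that flags those indicators in access log lines. The log lines at the bottom are constructed samples in Apache combined format, not real traffic.

```php
<?php
// Added example (not from the original guide): flag the LFI indicators discussed
// above (traversal, null bytes, php:// and expect:// wrappers, /proc/self/environ
// and /etc/passwd) in web-server access log lines.

// Indicator name => regular expression applied to the URL-decoded request path.
const LFI_INDICATORS = [
    'path traversal'     => '#(?:\.\./|\.\.\\\\)#',
    'null byte'          => '#\x00#',
    'php:// wrapper'     => '#php://#i',
    'expect:// wrapper'  => '#expect://#i',
    '/proc/self/environ' => '#/proc/self/environ#i',
    '/etc/passwd'        => '#/etc/passwd#i',
];

/** Decode repeatedly so double-encoded payloads (%252e%252e%252f) are normalised. */
function normaliseRequest(string $request): string
{
    $decoded = $request;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    return $decoded;
}

/** Return the names of all indicators matched by one log line. */
function scanLogLine(string $line): array
{
    // The request line is the first quoted field: "GET /path HTTP/1.1"
    if (!preg_match('/"[A-Z]+ (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $request = normaliseRequest($m[1]);
    $hits = [];
    foreach (LFI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $request)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the requests mirror those in this guide.
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /script.php?page=index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /script.php?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /script.php?page=%2e%2e%2f%2e%2e%2fproc/self/environ%00 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "POST /fi/?page=php://input&cmd=ls HTTP/1.1" 200 300',
];

foreach ($sampleLog as $n => $line) {
    $hits = scanLogLine($line);
    printf("line %d: %-5s %s\n", $n + 1, $hits ? 'ALERT' : 'ok', implode(', ', $hits));
}
```

Run it with php scanner.php; the first sample line reports ok and the other three report ALERT with the matched indicators. Decoding before matching is the important step: the third line only reveals its traversal and null byte once %2e%2e%2f and %00 have been decoded, and a scanner that matches the raw request line would miss it.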