Local File Inclusion
INTRODUCTION
File inclusion vulnerabilities, namely Remote File Inclusion (RFI) and Local File Inclusion (LFI), are often found in poorly written web applications. They occur when a web application allows the user to submit input into files or upload files to the server.
Where Is LFI Found?
Typically in a URL of this form:
http://example.com/preview.php?file=any.html
This is where an attacker can attempt an LFI attack against a web application. The URL carries parameters that name the file to include, and those parameters are what the attack targets. If the value is not validated, it is possible to include arbitrary files on the server. The URL as modified by the attacker would look something like this:
http://example.com/preview.php?document=../../../../etc/passwd
Types of File Inclusion:
1. Local File Inclusion:
anyparameter=somelocalfile
e.g. any.com/index.php?refere=login.php
2. Remote File Inclusion:
anyparameter=remoteweb.com/file
e.g. any.com/?share=http://facebook.com/status?id=12672
Impact of File Inclusion:
1. Code execution on the server
2. Code execution on the client side
3. DoS attack
4. Information disclosure
Possible Parameters:
file doc data to navigation
document dest html out open
folder redirect validate view feed
root uri domain dir host
path path return show port
style url window next pdf
There Are Three Kinds Of Scenarios Possible In LFI Attack:
Including Files to be Parsed by the Language’s Interpreter
Including Files that are Printed to a Page
Including Files that are Served as Downloads
Impacts of a Local File Inclusion Vulnerability:
1. Information disclosure of files stored on the web server
Remediation of File Inclusion (LFI) Vulnerability:
Do not allow the file path to be modified directly by the user; it should either be hardcoded or selected from a hardcoded list of paths.
If dynamic path concatenation is required, make sure the user-supplied part contains only characters such as (a-z) (0-9) and not characters such as (/, /% etc).
Limit the API to a specific directory so that only inclusion from that directory and the directories under it works, and a directory traversal attack cannot take place.
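The three remediation points above combined in one PHP function, as an added example that is not part of the original page. `PAGES`, `BASE_DIR`, `resolve_page` and the `pages` directory are hypothetical names, and the demo files and inputs are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout: PAGES, BASE_DIR, resolve_page.

// Hardcoded path list: the request supplies a key, never a path.
const PAGES = ['home' => 'home.html', 'about' => 'about.html'];
// The only directory files may come from (assumed location).
const BASE_DIR = __DIR__ . '/pages';

function resolve_page(string $name, string $baseDir = BASE_DIR): ?string
{
    // Only a-z and 0-9 in the user-controlled part, so "/", "..", "%",
    // NUL bytes and stream wrappers such as "php://" are all rejected.
    if (preg_match('/\A[a-z0-9]{1,32}\z/', $name) !== 1) {
        return null;
    }
    // The key must be in the hardcoded list.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    // realpath() has resolved ".." and symlinks; the result must still
    // sit under the base directory, otherwise refuse it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory holding one file.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.html', '<h1>Home</h1>');

// Constructed inputs, including the traversal string from the URL above.
$inputs = ['home', 'about', '../../../../etc/passwd', 'home.html', 'HOME'];
foreach ($inputs as $input) {
    $path = resolve_page($input, $dir);
    $result = $path === null ? 'rejected' : 'allowed: ' . basename($path);
    printf("%-24s => %s\n", $input, $result);
}

unlink($dir . '/home.html');
rmdir($dir);
```

Pass the returned path to `readfile()` rather than `include`, so that the file is printed to the page and not parsed by the interpreter.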