LFI

Local File Inclusion detection and exploitation techniques.


Detection

Exploitation

A LFI could allow you to execute arbitrary code by including files not supposed to be interpreted by the web server (s.a. PHP or ASP).

Example:

<?php system('id'); ?>
Upload

If you can find a way to upload your own files to the website, you can simply embed code within it and try to include it with the LFI.

Tip

The file does not have to respect the extension or MIME type of the code you’re trying to embed. For example, if you can only upload images, try to embed code at the end of the image file.

Log Poisoning

Most web servers will log all incoming requests to a local access log file. Logs usually include the requested URL or the Referer header, on which you have control and can try to include arbitrary code.

Example:

GET /<? phpinfo(); ?> HTTP/1.1
Host: vulnerable-website.com
Referer: <? phpinfo(); ?>

Depending on the web server and operating system, logs can be found at the following default locations:

Path Web Server OS
/proc/self/fd/<int> ALL ALL (symlink to the files opened by the running process)
/var/log/httpd/access_log/var/log/httpd/error_log Apache2 RHEL, CentOS, Fedora
/var/log/apache2/access.log/var/log/apache2/error.log Apache2 Debian, Ubuntu
/var/log/httpd-access.log/var/log/httpd-error.log Apache2 FreeBSD
/var/log/nginx/access.log/var/log/nginx/error.log NginX RHEL, CentOS, Fedora, Debian, Ubuntu

The same log poisoning technique could also be performed with SSH. However, those logs are usually readable by root only.

Example:

ssh -l '<? phpinfo(); ?>' vulnerable-website.com
Path OS
/var/log/secure RHEL, CentOS, Fedora
/var/log/auth.log Debian, Ubuntu, FreeNAS
User-Agent

For every running process on a Linux host, there is a /proc/self/environ file which contains the environment variables associated to it, including HTTP_USER_AGENT. This means that you can try to embed code and include it by tampering with the User-Agent header.

Example:

GET / HTTP/1.1
Host: vulnerable-website.com
User-Agent: <? phpinfo(); ?>

References