Local File Inclusion (LFI) is a vulnerability that allows an attacker to read files from a server they should not have access to. This can lead to to the exposure of sensitive information and often enables the attacker to progress further towards their goals. It’s usually exploited when an application does not validate user-supplied input correctly, allowing the attacker to manipulate the path to a file rather than just the filename itself as often intended.
Understanding Local File Inclusion
A typical example of LFI can be seen in web applications that use file paths in their URL to load content. An application might load a page like http://www.example-site.com/index.php?page=about. Here, the page’s content is included from the file about.php on the server.
An attacker can potentially manipulate this to include files from elsewhere on the server. For example, if an attacker changes the URL to the one below, the application might return the contents of the /etc/passwd file.
Example 1: Exploiting a Direct LFI Vulnerability
Similar to the example in the previous section, we have an application with the URL http://www.tcm-sec.com/index.php?page=contact. To test for an LFI vulnerability, we can send the following request:
If the content of /etc/passwd is returned, then the application is vulnerable to LFI.
Example 2: Using PHP filter to Bypass Simple Protections
Some applications may attempt to prevent LFI by blocking certain characters. However, these can sometimes be bypassed using certain wrappers built into PHP. For example, PHP filter allows you to apply filters to a file before it’s read.
To use this to exploit an LFI vulnerability, you might load the URL:
This attempts to include the config.php page, but first applies the convert.base64-encode filter, encoding the content in Base64. If successful, the server would return the base64-encoded content of config.php, which can be decoded and potentially reveal sensitive information.
Mitigating Local File Inclusion Vulnerabilities
Input validation: Avoid using user-supplied input to form file paths. If you must, validate the input thoroughly to ensure it does not escape the intended directory. Allowlisting specific file names or identifiers, rather than accepting arbitrary paths, can be a good approach.
Least privilege: The web server should operate with the least privilege necessary. It should not have access to files outside of the web root.
Disable dangerous PHP features: Certain features in PHP, like include(), require(), and fopen(), can be abused to include files from arbitrary locations. If possible, disable these features or limit their functionality.
Regular updates and patching: This is particularly important if you are running a CMS like WordPress.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PWPA and PWPP certifications.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com
See How We Can Secure Your Assets
Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.