Local File Inclusion (LFI) - page 1

Local File Inclusion (LFI) is a vulnerability in which a web application can be made to include a particular "local" file from the web server, which could possibly be used to compromise the security of the website.

Suppose there is a website http://example.com/test.php?page=ab.php, which includes the content of ab.php using the page parameter.

This vulnerability mainly occurs when the web developer includes a file named by a GET parameter without proper checks.

One example of vulnerable code is:

<?php
// Vulnerable: the page parameter is passed straight to include() with no validation
$page = $_GET['page'];
include($page);
?>

In the example URL, ab.php is the file that gets included. Now, what happens when, instead of ab.php, we try to call another file on the same web server? Given the condition that it's a UNIX box, we may try looking for some default files, such as /etc/passwd.

The URL to call this file from the disk would be:

http://example.com/test.php?page=../../../etc/passwd

../ in particular moves us one directory upwards. So, first of all, we go to the root directory ( / ), and then we navigate to the etc folder to get the passwd file. The /etc/passwd file is a text file that contains a list of the system's accounts and, for each account, some useful information such as user ID, group ID, home directory, shell, etc.

The content of /etc/passwd is in the form:

Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell

Following is a sample output you may get to see in the /etc/passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

But suppose, in some scenario, the web developer knows about LFI and decides to append ".php" to the end of every filename asked for. In that case, we would use what is known as a Null Byte. A null byte is a byte consisting of eight zero bits, 0x00 in hexadecimal.

So, to bypass the appended extension, we place a null byte at the end of our filename so that the server does not read the .php extension that gets appended to it: http://example.com/test.php?page=../../../etc/passwd%00
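As an added example (not code from the original page), here is a hardened replacement for the vulnerable include() shown above that closes both the ../ traversal and the %00 extension-truncation trick: the page name is looked up in an allowlist and the resolved path is checked to stay inside a pages directory. The ./pages directory and the page names in the allowlist are assumptions.

```php
<?php
// Hardened version of the vulnerable include() above (added example, not from the original page).
// Assumption: includable pages live in ./pages/ next to this script; the allowlist entries are illustrative.
declare(strict_types=1);

// Allowlist: the user supplies a short name, never a path. Anything not listed is rejected,
// so neither "../../../etc/passwd" nor "../../../etc/passwd%00" can ever reach include().
const ALLOWED_PAGES = [
    'ab'   => 'ab.php',
    'home' => 'home.php',
];

function resolvePage($requested): ?string
{
    // $_GET values can be arrays (page[]=x); only a plain string is acceptable.
    if (!is_string($requested)) {
        return null;
    }
    // Reject null bytes outright: this is the %00 trick used to drop an appended ".php".
    // (PHP 5.3.4 and later also refuse such paths in include(), but do not rely on that.)
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defense in depth: even an allowlisted file must resolve to a real path inside ./pages/.
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

With this in place, any request whose page value is not one of the allowlisted keys, whatever traversal sequences or null bytes it carries, is answered with a 404 and never touches the filesystem.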

Copyright © Notesbin.com 2016.