Local File Inclusion (LFI) - page 1
Local File Inclusion (LFI) is the inclusion of a particular “local” file on the web server that could be used to compromise the security of the website.
Suppose there is a website http://example.com/test.php?page=ab.php which loads the content of ab.php using the page parameter.
This vulnerability mainly occurs when the web developer tries to include a file using the GET parameter without proper checks.
One example of vulnerable code is:
$page = $_GET['page'];
include($page); // the user-controlled value is included without any check
This means ab.php is loaded by this URL. Now what happens when, instead of ab.php, we try to call another file on the same web server? Assuming it is a UNIX box, we may try looking for some default files, such as /etc/passwd.
The URL to call this file from the disk would be
../ in particular moves us one directory upwards. So, first of all, we go to the root directory ( / ), and then we navigate to the etc folder to get the passwd file. The /etc/passwd file is a text file that contains a list of the system's accounts, with some useful information for each account such as user ID, group ID, home directory, shell, etc.
Each line of /etc/passwd has the form:
Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell
The following is a sample of the output you may see in the /etc/passwd file:
But suppose that, in some scenario, the web developer knows about the vulnerability called LFI and decides to append “.php” to the end of every file name asked for. In that case, we would use what is known as a Null Byte. A Null Byte is a byte consisting of eight zero bits, or 0x00 in hexadecimal.
So, to bypass the appended .php extension, we use the null byte (URL-encoded as %00) in such a way that the server doesn’t read the .php extension which gets appended to our filename:
http://example.com/test.php?page=../../../etc/passwd%00
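The fix for the vulnerable include above is to stop treating the page parameter as a path. The following is an added example, not code from the original page: resolve_page(), the throwaway pages directory and the allowlist contents are assumptions made for illustration, and the three inputs are the legitimate value plus the two payloads discussed in the text.

```php
<?php
// Added example: a hardened replacement for include($_GET['page']).
// The function name, directory and allowlist are hypothetical.

function resolve_page(string $requested, string $pagesDir, array $allowed): ?string
{
    // 1. Exact-match allowlist: a value containing "../", a NUL byte or an
    //    absolute path can never equal one of the known page names.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise the path and confirm it is still
    //    inside the pages directory (catches symlinks and bad allowlist entries).
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo setup: a temporary pages directory holding ab.php.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700, true);
}
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'ab.php', "<?php echo 'page ab';\n");

// Constructed inputs: the normal value and the two payloads from the text
// ("\0" is what %00 becomes once the query string is URL-decoded).
$samples = ['ab.php', '../../../etc/passwd', "../../../etc/passwd\0"];
foreach ($samples as $value) {
    $path = resolve_page($value, $pagesDir, ['ab.php']);
    printf("%-28s => %s\n", addcslashes($value, "\0"), $path ?? 'rejected');
}
// In test.php, call include only on a non-null result and answer 404 otherwise.
```

Only ab.php resolves to a path; both traversal payloads are rejected at the allowlist check, before any filesystem call sees them.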