In this post, we use the deliberately vulnerable web application Mutillidae to demonstrate a local file inclusion (LFI) vulnerability.

What Exactly is LFI?

So, what’s LFI all about? It’s a vulnerability you often find in PHP-based web applications. Essentially, it happens when an application uses user input to figure out which file to display on a web page. If the application isn’t careful about validating that input, an attacker can trick it into showing files it’s not supposed to.

How I Exploited It

In my demonstration, I showed how you can manipulate a URL parameter, in this case, the page parameter, to access restricted files and directories on the server.

For example, by changing the URL to include /etc/passwd, I was able to make the application display the contents of the passwd file. This is a sensitive file on Linux systems that contains user information, and it’s definitely not something that should be publicly accessible. This simple trick shows just how powerful an LFI vulnerability can be.

In the scenario, we notice the URL:
http://localhost/mutillidae/index.php?page=arbitrary-file-inclusion.php

The parameter page points to a PHP file. If there is no input validation that checks the user input to the page parameter, then the user will be able to change the value (in this case arbitrary-file-inclusion.php) to any desired value. This raises the possibility of exposing sensitive files on the target machine such as /etc/passwd.

Let's take an example and try to reveal the content of /etc/resolv.conf. This file shows the DNS configuration.

Payload
http://localhost/mutillidae/index.php?page=/etc/resolv.conf

Once local file inclusion is confirmed, we can reveal more sensitive files such as /etc/passwd
and /etc/shadow. We can copy the hashes and usernames into a file for later cracking offline.
Payload
http://localhost/mutillidae/index.php?page=/etc/passwd
http://localhost/mutillidae/index.php?page=/etc/shadow

LFI vs. RFI: What’s the Difference?

It’s important not to confuse LFI with its cousin, Remote File Inclusion (RFI). Here’s the difference:

  • LFI (Local File Inclusion): This is all about accessing files and directories that are on the same server as the vulnerable application.
  • RFI (Remote File Inclusion): This is when you trick the application into accessing a file that’s hosted on a different server, like one that you control.

How to Fix It

The good news is that LFI vulnerabilities are preventable. The key is to always validate user input and to set proper file permissions. You should never trust user input, and you should always make sure that users can only access the files and directories they’re supposed to.
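To make the fix concrete, here is an added example (not Mutillidae's own code) showing the kind of include that produces the page-parameter bug above beside an allowlisted version; the page names and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example, not code from Mutillidae or the original post.

// VULNERABLE: the page parameter is passed straight to include(), so a request such as
// ?page=/etc/passwd makes PHP include (and display) that file.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home.php';
    include $page;
}

// HARDENED: the request selects a key from a fixed allowlist; the user never supplies a path.
// (Page names and the pages/ directory are assumed for this example.)
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'login'   => 'login.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Unknown keys are rejected outright; slashes, dots and absolute paths can never
    // reach include() because the filename comes from the allowlist, not the request.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$requested];
}

function render_page_hardened(): void
{
    $page = resolve_page($_GET['page'] ?? 'home');
    if ($page === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $page;
}
```

Pair the allowlist with the file-permission advice above: the web server account should not be able to read files like /etc/shadow in the first place, so a bypass of the application check still exposes nothing.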

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.