Local File Inclusion
Local file inclusion (LFI) is a web-based, file-based vulnerability in which the attacker can put a file of their choosing in place of another file at run time. With this attack the hacker can execute a file on the server and gain access to the user's system. In LFI, the attacker executes a file that is already present on the web server.
Reason for happening:- File inclusion has become part of every server-side language on the web. These languages provide file system access and download facilities, so maintaining such websites is a very big responsibility for the web developer. If they are not maintained properly, an attacker can exploit them.
Different scenarios in which a hacker carries out LFI:-
1. Files parsed by the language interpreter:-
To store a website's large amount of data, the developer puts the files in different modules. Storing the data this way is essential for better utilization of the database. To tell the interpreter which file to use, the correct path of the file is specified and passed to a function.
The function opens this file and includes it inside the document (website).
But this carries the risk of a Local File Inclusion vulnerability. If the developer fails to filter input properly in the site, an attacker can exploit the vulnerability and put a sensitive file in place of the actual file.
Directory Traversal:-
By exploiting a local file inclusion vulnerability, the attacker can also perform a directory traversal attack.
The attacker can also gain access to other files on the web server that are very important to the developer, such as web server log files.
With this attack the attacker can also read the content of hidden configuration files containing passwords and other sensitive user information.
2. Files that are served as downloads:-
Some files are opened automatically by the browser. If you want them to be downloaded rather than displayed, you add an additional header to the response. The browser will then download the files instead of opening them.
But here too there is a risk of a Local File Inclusion vulnerability: if the request is not sanitized properly, the hacker can request the download of files and is then able to read the source code as well as critical and informational data.
If the attacker finds the database user name and password, he can access the database remotely.
How to Test:-
Now it's time for some practical work instead of theory. The question is how we test for this vulnerability. It is a very simple task: you just have to follow a few steps.
You can do this in two ways: first manually, and second with commands.
For testing this vulnerability we need some tools on our system.
We start with the manual method on Windows OS.
Procedure for Windows OS:-
1. Take any site, for example testphp.vulnweb.com.
2. Send the site to the tool, and from there send it to the spider, which is an important function of Burp Suite.
Use of Spider:-
With the help of the spider we learn about all the links and subdomains of the main website, and the structure of the entire website becomes known.
3. Now filter the site with the help of **--show only scope item--** and send the host to the spider again.
4. Now go to Burp and search for any file type within scope only.
5. Now search for any database files, such as files with jpeg, pdf or gif extensions, and send them to the repeater.
6. Now we can check for this vulnerability with the help of some keywords:-
/etc/passwd
../etc/passwd
../../etc/passwd
../../../etc/passwd and so on.
If you cannot get access, you can also try:
/etc/shadow
../etc/shadow and so on.
You can also download this script from GitHub (LFI Suite payloads).
7. Now look at the response in the browser to see whether we get information about the users or not.
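The same keywords from step 6 are what a defender looks for in the web server's access log. The following is an added example, not part of the original article: it flags query parameters that contain traversal sequences or the sensitive paths named above. The log lines are constructed, and /download.php and the "file" parameter are hypothetical names.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow")  # the files named in step 6
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[^"]*" (\d{3})')

# Constructed sample log lines; /download.php and "file" are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /download.php?file=/etc/shadow HTTP/1.1" 403 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /download.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
]


def normalise(value, max_rounds=3):
    # Undo repeated percent-encoding and unify separators before matching.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(value):
    # Return the reasons a parameter value looks like an LFI probe.
    value = normalise(value)
    reasons = []
    if "../" in value or value.endswith(".."):
        reasons.append("traversal")
    if any(path in value for path in SENSITIVE_PATHS):
        reasons.append("sensitive-path")
    return reasons


def scan(lines):
    # Yield (line number, parameter, HTTP status, reasons) per suspicious value.
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status = match.group(1), int(match.group(2))
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reasons = classify(value)
            if reasons:
                findings.append((number, key, status, reasons))
    return findings
```

A flagged request that returned status 200 deserves the closest look, because the application answered the probe instead of rejecting it.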
Procedure for Kali:-
1. In the Kali Linux terminal, first go into the LFI Suite directory and run the Python file named lfisuite.py.
2. Now press 1 for the exploiter; you are then asked about a proxy, and you have to type no.
3. Then select the Auto-hack option.
4. Then type the full URL of the site.
5. The LFI Suite tool then automatically detects which payload the file is vulnerable to.
Ways to prevent LFI vulnerabilities in your website:-
It is the responsibility of the web developer to build websites that are secure against all these types of vulnerabilities. LFI is among the most advanced and dangerous vulnerabilities. In fact, the LFI vulnerability was listed in the OWASP top 10 list of critical web vulnerabilities. So it is very important to follow the tips below to secure the website.
1. Save every file with an ID in the database, so that the user can only access the ID of the file and not its actual path.
2. Use a whitelist of all the permitted files and ignore every other file and path.
3. Store as many files as possible in the database instead of on the web server.
4. Instruct the server not to execute files in a specific directory such as root/downloads/. Instead, send the direct download header.
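Tips 1, 2 and 4 combined, as an added example that is not part of the original article: a path-joining resolver of the kind that is vulnerable, beside a store that accepts only whitelisted IDs, checks that the resolved path stays inside the base directory, and returns download headers. FileStore, naive_resolve, the ID 1001 and report.pdf are hypothetical names chosen for this sketch.

```python
import os
import tempfile


def naive_resolve(base_dir, user_path):
    # Vulnerable pattern: a client-supplied path is joined to the base directory.
    return os.path.normpath(os.path.join(base_dir, user_path))


def is_inside(base_dir, path):
    # True only if the canonical path stays below the canonical base directory.
    base = os.path.realpath(base_dir)
    return os.path.commonpath([os.path.realpath(path), base]) == base


class FileStore:
    """Serves files by opaque ID, so the client never supplies a path (tip 1)."""

    def __init__(self, base_dir, id_to_name):
        self.base_dir = os.path.realpath(base_dir)
        self.id_to_name = dict(id_to_name)  # whitelist of served files (tip 2)

    def resolve(self, file_id):
        name = self.id_to_name.get(file_id)
        if name is None:
            raise PermissionError("unknown file id")
        path = os.path.join(self.base_dir, name)
        # Defence in depth: reject a whitelist entry that escapes the base.
        if not is_inside(self.base_dir, path):
            raise PermissionError("path escapes base directory")
        return os.path.realpath(path)

    def download(self, file_id):
        path = self.resolve(file_id)
        with open(path, "rb") as handle:
            body = handle.read()
        # Tip 4: send the file as a download, never execute or render it.
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(path),
            "X-Content-Type-Options": "nosniff",
        }
        return headers, body


def build_demo_store():
    # Constructed sample: one file in a temporary directory, published as ID 1001.
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "report.pdf"), "wb") as handle:
        handle.write(b"constructed sample")
    return FileStore(base, {"1001": "report.pdf"}), base
```

With this design the keywords from the testing section are simply unknown IDs, so they are rejected before any path is built.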
Author: Rohit Jolly