What is a Local File Inclusion (LFI) Vulnerability?

WHAT IS LFI (Local File Inclusion)?

Ans: Local File Inclusion (LFI) is a vulnerability that occurs when a web application allows users to include files on a server through the browser. It arises from improper validation or sanitization of user-supplied input, typically when the application uses file paths provided by the user in an unsafe manner.


HOW LFI WORKS?

File Path Manipulation: In an LFI attack, an attacker manipulates the file path that the application uses to include or load files. By crafting a malicious input, such as ../../../etc/passwd, the attacker can trick the server into including sensitive files from directories that should be inaccessible.



Code Execution: If the included file contains executable code (e.g., a script or a configuration file with executable code), the attacker may execute arbitrary code on the server.


Information Disclosure: An attacker can read sensitive files, such as configuration files, logs, or other files that may contain usernames, passwords, or other sensitive data.

 

EXAMPLES:

1. Basic Code for an 'LFI' Attack:

    <?php
    // Vulnerable on purpose: the page name is taken straight from the
    // query string and handed to include() with no validation or whitelist.
    $file = $_GET['page'];
    include($file);
    ?>


If a user accesses the URL http://example.com/index.php?page=about.php, the server includes and displays the about.php file. However, if the user changes the URL to http://example.com/index.php?page=../../etc/passwd, the server could include and display the contents of the /etc/passwd file, exposing sensitive information.

 

Real Scenario:

[Image: LFI Vulnerability (dpiherox)]

In the above image, we can see that, using LFI, we have managed to extract the password from the server.


Mitigation Strategies:

1. Input Validation: Always validate and sanitize user inputs. Do not trust user-supplied input for file paths.

2. Use Whitelisting: Implement a whitelist of allowed files that can be included.

3. Disable Directory Traversal: Ensure that your application does not allow directory traversal sequences (e.g., ../../).

4. Error Handling: Properly handle errors and do not expose detailed error messages to users.
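The four strategies above, applied to the vulnerable snippet from the example. This is an added illustration, not code from the original post; it assumes the includable pages live in a pages/ directory next to the script and that the page names in the whitelist are the only ones the site needs.

```php
<?php
// Added example: hardened replacement for `include($_GET['page'])`.
// Assumed layout: includable files live in ./pages/ (not from the original post).

// (2) Whitelist: map a public token to a fixed filename. Anything not in this
//     array is rejected, so "../" sequences never reach include() at all.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // (1) Validation by exact match: no stripping or "cleaning" of "../",
    //     which attackers routinely bypass with encoded or doubled sequences.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    // (3) Defence in depth: even a whitelisted entry must resolve to a real
    //     file inside the pages directory (guards against a bad whitelist
    //     entry or a symlink pointing elsewhere).
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$path = resolve_page($page);

if ($path === null) {
    // (4) Generic error: never echo the requested value or a filesystem path,
    //     which would confirm to the requester what the server looked for.
    http_response_code(404);
    echo 'Page not found';
    exit;
}

include $path;
```

The realpath() check is only a second layer; the whitelist lookup alone already stops traversal, and logging the rejected value server-side (not in the response) gives a simple detection signal for probing.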

 

FAQ

1. What is LFI?

Ans: Local File Inclusion (LFI) is a vulnerability that occurs when a web application allows users to include files on a server through the browser.

2. What is the use of LFI?

Ans: Reading sensitive files, log poisoning, shell access.

3. What is the full form of LFI?

Ans: The full form of LFI is Local File Inclusion.

 

Thank you so much for reading this blog.
