Local File Inclusion
PRACTICE ! PRACTICE ! PRACTICE !
Suppose, for example, that a website renders an image through an application running in the backend.
Usually images are loaded for rendering via some HTML links, and the code below explains how: the loadImage function takes a filename parameter and returns the content of the specified file.
On Linux, the images are stored on a permanent disk under /var/www/images by default.
Sample examples of Linux- and Windows-based LFI exploits !
1. Absolute Path Name
Now when we try to use the dots-and-slashes sequence (../), we get a 404 error saying it's not found. This means the application running in the background strips or blocks the directory traversal sequence from the user-supplied filename :)
It blocks the dot sequence, which makes it even easier for us to exploit, by just giving the exact filesystem path, such as => /etc/passwd.
2. Nested Traversal Sequence
If the previous two methods don't work, we can try a nested traversal sequence of dots and slashes:
....//
or ....\/
which simply reverts to a traversal sequence once the inner sequence is stripped by the backend.
NOTE => The sequence must be two dots followed by a slash.
3. Double Encoding the Sequence
If none of the above methods work, then we'll have to end up encoding our traversal payload.
The application strips the directory traversal sequence from the filename parameter of a multipart/form-data request before passing it to the backend; it then URL-decodes the input before using it.
To bypass this kind of sanitization, we can double-encode our characters.
Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also work in some cases.
4. Using the Base Folder's Path
5. File Path Traversal via NULL Byte
If the backend validates the user-supplied input against a required file extension, then we'll have to use the NULL byte %00 to terminate the file path before the required extension.
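As an added example (not code from the original page), here is a hardened replacement for a loadImage-style loader in Python that covers every bypass class listed above: it decodes once and rejects anything still encoded or containing a NUL, refuses absolute paths and backslashes, checks the extension on the decoded name, and canonicalises the result before requiring it to stay under /var/www/images. The IMAGE_ROOT, ALLOWED_EXT and function names are assumptions; it also shows why stripping `../` once is not a fix, since the nested sequence collapses back into a traversal.

```python
import os
from urllib.parse import unquote

# Assumed values for this example; the page only names the default image directory.
IMAGE_ROOT = "/var/www/images"
ALLOWED_EXT = {".png", ".jpg", ".gif"}


def naive_strip(filename: str) -> str:
    """The weak filter described on the page: delete '../' once.
    A nested sequence such as '....//' survives this as '../'."""
    return filename.replace("../", "")


def safe_image_path(filename: str, root: str = IMAGE_ROOT) -> str:
    """Return the canonical absolute path of an image inside root, or raise ValueError."""
    # Decode exactly once; anything still percent-encoded afterwards is a
    # double-encoded payload, and a NUL can only be an attempt to cut the path.
    decoded = unquote(filename)
    if "%" in decoded or "\x00" in decoded:
        raise ValueError("rejected: encoded or NUL characters")
    # Backslashes are not path separators on Linux and only serve '....\/' tricks.
    if "\\" in decoded:
        raise ValueError("rejected: backslash")
    # Never let the caller name an absolute location such as /etc/passwd.
    if os.path.isabs(decoded):
        raise ValueError("rejected: absolute path")
    # Check the extension on the decoded name so a '%00' cannot hide a different suffix.
    _, ext = os.path.splitext(decoded)
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("rejected: extension")
    # Canonicalise (collapses '..' and symlinks) and require the result to stay under root.
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, decoded))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise ValueError("rejected: escapes image root")
    return candidate


def is_allowed(filename: str) -> bool:
    """Convenience wrapper: True if safe_image_path accepts the name."""
    try:
        safe_image_path(filename)
        return True
    except ValueError:
        return False
```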