Local File Inclusion

PRACTICE ! PRACTICE ! PRACTICE !

Suppose, for example, a website renders images through an application running in the backend.

Usually images are loaded for rendering via HTML links like the one below:

<img src="/loadImage?filename=akash.png">

The loadImage endpoint takes a filename parameter and returns the content of the specified file.

On Linux, the images are stored on disk in /var/www/images by default.

Sample examples of Linux and Windows based LFI exploits!

https://example.com/loadImage?filename=../../../etc/passwd
https://example.com/loadImage?filename=..\..\..\windows\win.ini

1. Absolute Path Name

Now when we try the dots-and-slashes sequence, we get a 404 error saying it's not found. This means the application running in the backend strips or blocks directory traversal sequences from the user-supplied filename, that is :)

loadImage?filename=/var/www/images/../../../etc/passwd

Since it only blocks the dot sequences, it becomes even easier to exploit: we just give the exact filesystem path, such as => /etc/passwd.

2. Nested Traversal Sequence

If the previous two methods don't work, we can try nested traversal sequences of dots and slashes.

....// or ....\/

These revert to plain traversal sequences when the inner sequence is stripped by the backend: once ../ is removed from ....//, what remains is ../ again.

NOTE => The nested sequence must be built from two dots and slashes.

loadImage?filename=....//....//....//etc/passwd
loadImage?filename=....\/....\/....\/etc/passwd

3. Double Encoding the Sequence

If none of the above methods work, we'll have to encode our traversal payload.

Suppose the application strips the directory traversal sequence from the filename parameter (of a multipart/form-data request, say) before passing it to the backend, and the backend then URL-decodes the input before using it.

To bypass this kind of sanitization, we can double URL-encode our characters.

%2e%2e%2f => Single encoded
%252e%252e%252f => Double encoded

Various non-standard encodings, such as ..%c0%af or ..%ef%bc%8f, may also work in some cases.

4. Using the Base Folder's Path

If the application checks that the supplied filename starts with the expected base folder, we can keep that prefix and put the traversal sequence after it.

https://example.com/loadImage?filename=/var/www/images/../../../etc/passwd

5. File Path Traversal via NULL Byte

If the backend requires the user-supplied filename to end with a specific extension, we'll have to use the NULL byte %00 to terminate the file path before the required extension.

filename=../../../etc/passwd%00.png
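As an added example (not part of these notes), here is the kind of naive "strip ../ then decode" filter that each of the five bypasses above targets, next to a canonicalisation check that rejects all of them. The base folder /var/www/images is the one assumed above, the payloads are the ones quoted, and nothing on disk is read:

```python
# Added example, not from the original notes: a naive "strip ../ then decode"
# filter of the kind the bypasses above target, beside a canonicalisation check
# that rejects every one of them. Base folder and payloads are the ones quoted
# above; nothing on disk is touched (normpath is used so the demo runs anywhere;
# on a live server resolve the real base with os.path.realpath first).
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/images"  # assumed image folder from the notes


def naive_sanitize(filename: str) -> str:
    """Weak filter: the web server decodes once, '../' is stripped once,
    and the backend decodes again before opening the file."""
    received = unquote(filename)            # first decode (query string parsing)
    stripped = received.replace("../", "")  # the "sanitiser": strips only once
    decoded = unquote(stripped)             # second decode done by the backend
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


def safe_resolve(filename: str) -> Optional[str]:
    """Hardened check: decode until stable, reject NUL and absolute paths,
    treat '\\' as a separator, canonicalise, then insist the result is still
    inside BASE_DIR. Returns the resolved path or None when rejected."""
    decoded = filename
    for _ in range(3):                      # collapses single and double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                   # %00 extension-truncation trick
        return None
    decoded = decoded.replace("\\", "/")    # Windows-style ..\..\ sequences
    if posixpath.isabs(decoded):            # absolute path and base-folder-prefix tricks
        return None
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # commonpath (not startswith) so /var/www/images-evil is not mistaken for base
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate
```

Note that the nested sequence is harmless to safe_resolve because nothing is stripped: ....// is just an odd directory name that still resolves inside the base folder.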
