Recently, I took more than 40 interviews, and while most of the candidates said they knew about LFI, many didn't know about difference between directory traversal and LFI. How to exploit an LFI.
Hence, I thought of writing this blog. There are multiple ways of exploiting Local File Inclusion vulnerability, if not a hundred ways. I have written this blog considering the application is in PHP.
- Using data wrapper (Available since php 5.2.0)
- Via File wrapper (Available since php 5.0.0). But the trick is you have to specify the full path of the file.
- Via expect wrapper(not enabled by default, available since 4.3.0)
example: php?page=expect://ls
- Via input stream(Available since 5.0.0)
The trick is to use the input stream and send the payload in the post request body.
- Via Zip wrapper( since php 4.3.0)
I have already covered the tricky techniques, and many people have already covered the below-given techniques. So I won't dive into details.
- Via /proc/self/fd/
In this technique, you upload too many shells and try to brute force process no.
/Proc/self/fd/{no}
- proc environ injection
In this technique, we try to include the environment variable and send the payload via useragent.
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
- Log poisoning
There are multiple ways logs can include your payload, for example, auth.log(ssh login) , vsftp.log(ftp login) , and access.log (via useragents) Check which log you can include, and then proceed accordingly.
- Email tricks
Similarly, if smtp mail relay is allowed, you can include /var/mail/user and send a mail with your payload to the user.
- Via php Sessions
PHP5 stores it’s session files under /var/lib/php5/sess_[PHPSESSID] . So you can set a cookie to payload and include the sessionid.
