Local File Inclusion (LFI)

Description

During the scan, Kayran managed to find the Local File Inclusion (LFI) vulnerability.
This Local File Inclusion or LFI, is a vulnerability based on the way of getting or processing local files on the server by the local path.
In most cases, it’s caused by a PHP “include” function. The attacker has to upload the malicious script to the target server to be executed locally.

An attacker could exploit this vulnerability by finding certain, possibly sensitive files by their paths in the vulnerable parameter. An attacker may use these files to conduct further attacks.

LFI means that even unauthorized personal has access to files on the system. Attackers will abuse it to include files on a server through the web browser. Allowing him to manipulate the input and inject path traversal characters, and, possibly include other files from the webserver. The best way to deal with this vulnerability will be to “hardcode” all files you that needs to be included. Example of a code vulnerable to LFI :
if (isset($_GET[‘file’])) {
include($_GET[‘file’]); }

Recommendation

To prevent this vulnerability from happening, make sure that the input coming from the user is valid. Also, that it does not contain any unwanted, potential malicious inputs from the user by whitelisting the files in question.

References

https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/

< Return to all Vulnerabilities


Active Directory Hacking

What does Active Directory mean? The Active Directory infrastructure is a critical infrastructure in most organizations, and it forms the backbone of the organization’s computing

Read More »