LFI

Basic LFI

  • Look for URL parameters like language=en.php

    • This suggests that changing the language value makes the application read a different file from the server

    • The most common readable files to test with are:

    • Linux: /etc/passwd

    • Windows: C:\Windows\boot.ini

Path Traversal

  • In some scenarios, the parameter value is treated as a file inside a fixed directory.

    • language=en.php would then resolve to ./language/en.php

    • To test for this, supply the target file path as the parameter value so that it lands after the directory, for example

    • ./language//etc/passwd

    • If that does not work, directory traversal may be needed to climb out of the directory

    • ./language/../../../../etc/passwd

Filename Prefix

  • Sometimes the parameter value has a string prepended to it to build the real file name

  • To get around this during path traversal, start the payload with a / instead of ..

  • language=/../../../etc/passwd

Appended Extensions

  • Sometimes an extension is appended to the parameter value before the file is read

  • This would turn a payload of /etc/passwd into a read of /etc/passwd.php

Second-Order Attacks

  • Second-order attacks occur when a web app functionality insecurely pulls files from the back-end server based on a user-controlled value that was stored earlier.

  • A web app may allow us to download our avatar through a URL like "/profile/$username/avatar.png"

  • If we register a malicious LFI username (../../../etc/passwd), it may be possible to change the file being pulled to another local file on the server and grab it instead of our avatar

  • This involves poisoning a database entry, here the username, with an LFI payload

  • Another web app functionality later uses this poisoned entry to build a file path, which is why it is called a second-order attack
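Added example, not part of the original notes: it models the include pattern described above ("./language/" + parameter + ".php") and the "/profile/$username/avatar.png" second-order case, and shows the fix a developer would apply, an allow-list plus a realpath containment check. The web root, the allow-list and the file names are constructed for the example.

```python
import os
import tempfile
from typing import Optional

# Constructed fixture (not a real deployment): a throwaway web root holding
# language/en.php, standing in for the app these notes describe.
WEB_ROOT = tempfile.mkdtemp()
LANG_DIR = os.path.join(WEB_ROOT, "language")
PROFILE_DIR = os.path.join(WEB_ROOT, "profile")
os.makedirs(LANG_DIR)
os.makedirs(PROFILE_DIR)
with open(os.path.join(LANG_DIR, "en.php"), "w") as fh:
    fh.write("<?php /* constructed placeholder */ ?>")

ALLOWED_LANGS = {"en", "fr", "de"}  # assumed allow-list for the example


def vulnerable_resolve(param: str) -> str:
    """The pattern the notes describe: directory prefix + raw parameter +
    appended extension, joined by string concatenation with no validation."""
    return os.path.normpath(LANG_DIR + "/" + param + ".php")


def inside_base(base: str, path: str) -> bool:
    """True only if `path`, after resolving symlinks and '..', is under `base`.
    Using realpath on both sides is what makes the check hold against runs of
    '../', a leading '/' (the filename-prefix trick) and symlinks alike."""
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


def safe_resolve(param: str) -> Optional[str]:
    """Hardened version: allow-list first, containment check as defence in depth."""
    if param not in ALLOWED_LANGS:
        return None
    candidate = os.path.realpath(LANG_DIR + "/" + param + ".php")
    return candidate if inside_base(LANG_DIR, candidate) else None


def avatar_path(username: str) -> Optional[str]:
    """Second-order case: the username comes from the database, not the request,
    so it gets the same treatment. Path separators are rejected outright and the
    resolved path must stay inside PROFILE_DIR."""
    if not username or "/" in username or "\\" in username or username in (".", ".."):
        return None
    candidate = os.path.realpath(PROFILE_DIR + "/" + username + "/avatar.png")
    return candidate if inside_base(PROFILE_DIR, candidate) else None
```

Running `inside_base` over the output of `vulnerable_resolve` shows that both the `../` and leading-`/` payloads from the notes escape the language directory even with the `.php` suffix appended, which is exactly what the containment check in `safe_resolve` and `avatar_path` refuses.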
