Scripts that take filenames as parameters without sanitizing the user input are typically good candidates for LFI vulnerabilities.

For example, a PHP script:
foo.php?file=image2.jpg

An attacker would replace image2.jpg with a directory traversal payload:
foo.php?file=../../../../../../../etc/passwd

Or with other sensitive files on the web server itself, exposing configuration files or other sensitive information.

In some cases it's possible to run system executables and get command execution via LFI, e.g. through log poisoning or PHP wrappers.
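The root cause described above is that the file parameter reaches include() as a path. As an added example (not code from the original page), the following Python shows the two defensive patterns a reviewer would ask for: an allowlist that maps an opaque key to a file, and, where real filenames must be accepted, canonicalisation followed by a containment check that also refuses stream wrapper schemes, NUL bytes and absolute paths. The document root /srv/app/images and the allowlist entries are constructed assumptions.

```python
import os
import re

# Constructed, hypothetical document root for the include (assumption, not from the page).
IMAGE_DIR = "/srv/app/images"

# Strongest fix: the request parameter selects an allowlist entry, never a path.
# Keys are what the client may send, values are the only files the script will include.
ALLOWED_PAGES = {
    "image2": "image2.jpg",
    "banner": "banner.png",
}

# Matches a URL scheme prefix such as php://, expect://, data: or file://
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*:")


def resolve_by_allowlist(key):
    """Map an opaque key to a file; anything not in the allowlist is refused."""
    if key not in ALLOWED_PAGES:
        raise ValueError("unknown page key: %r" % key)
    return os.path.join(IMAGE_DIR, ALLOWED_PAGES[key])


def resolve_by_canonical_path(requested, base_dir=IMAGE_DIR, allowed_exts=(".jpg", ".png")):
    """Fallback when real filenames must be accepted: canonicalise, then check containment.

    Rejects wrapper schemes, NUL bytes (the historical truncation trick), absolute paths
    and any result that resolves outside base_dir, then enforces an extension allowlist.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in filename")
    if _SCHEME_RE.match(requested):
        raise ValueError("stream wrapper / URL scheme not allowed")
    if requested.startswith("/"):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ segments and resolves any symlinks that exist on disk
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %s" % (base, candidate))
    if not candidate.lower().endswith(allowed_exts):
        raise ValueError("extension not allowed")
    return candidate


def is_safe(requested):
    """Boolean wrapper around resolve_by_canonical_path, handy for tests and logging."""
    try:
        resolve_by_canonical_path(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the benign value from the page and a few rejected ones
    for value in ("image2.jpg", "../../../../../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "/proc/self/environ", "image2.jpg\x00.php"):
        print("%-60r -> %s" % (value, "ALLOW" if is_safe(value) else "REJECT"))
```

The allowlist form is preferable whenever the set of includable files is known in advance; the canonical-path form exists for upload galleries and similar cases, and its containment check is what stops the ../ sequence after it has been collapsed, regardless of how many segments the attacker sends.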

PHP Wrappers

PHP Wrapper expect://

PHP Wrapper php://input

Here your payload is sent in the HTTP POST body.

HTTP POST Body Payload

Hosting a PHP reverse shell payload from the attacker host.

Another PHP wrapper is filter.

php://filter

In this example the output is encoded in Base64, enabling you to read files by decoding the output.

Log Poisoning and Code Execution

If it's possible to include a log file, e.g. Apache log files, /proc/self/environ or /proc/self/fd/xx (where xx would need to be fuzzed with e.g. FuzzDB's list "LFI-DF-Check.txt"), then it might be possible to get code execution by sending PHP code in the User-Agent field, Referer header or similar. When the log file is included, the PHP code it now contains is executed.

Sending the following PHP code in our payload would allow us to execute system commands in the vulnerable script, e.g. foo.php?file=../../../../../../../etc/passwd&cmd=id

Note: if PHP functions such as system are disabled, it might still be possible to get execution via other PHP functions, e.g. shell_exec.
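Because log poisoning depends on attacker-controlled headers landing in a file the application later includes, the same access log is also where these attempts are easiest to spot. As an added example (not code from the original page), this Python scanner parses Apache combined-format lines, URL-decodes the request target twice so double-encoded ../ sequences are not missed, and flags traversal sequences, the PHP wrapper schemes covered above, sensitive targets such as /etc/passwd and /proc/self/environ, and PHP open tags in the User-Agent or Referer header. The log lines are constructed samples; the client address 203.0.113.5 is from the documentation range.

```python
import re
from urllib.parse import unquote

# Apache combined log format:
# host ident user [time] "method target protocol" status size "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators checked against the decoded request target
_TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
_WRAPPER_RE = re.compile(r"\b(php|expect|data|file|zip|phar)://", re.I)
_SENSITIVE_RE = re.compile(r"/etc/passwd|/proc/self/(environ|fd/)", re.I)
# PHP open tags in headers that are written verbatim into log files
_PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)


def _decode(value):
    """Decode twice so %252e%252e%252f style double-encoding does not hide ../"""
    return unquote(unquote(value))


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None for a benign/unparseable one."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    target = _decode(m.group("target"))
    reasons = []
    if _TRAVERSAL_RE.search(target):
        reasons.append("traversal")
    if _WRAPPER_RE.search(target):
        reasons.append("php-wrapper")
    if _SENSITIVE_RE.search(target):
        reasons.append("sensitive-file")
    for field in ("agent", "referer"):
        if _PHP_TAG_RE.search(_decode(m.group(field))):
            reasons.append("php-in-%s" % field)
    if not reasons:
        return None
    return {"host": m.group("host"), "target": m.group("target"),
            "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping only the findings."""
    return [r for r in (analyse_line(ln) for ln in lines) if r]


# Constructed sample log: one benign request followed by LFI-style attempts
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /foo.php?file=image2.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /foo.php?file=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /foo.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /foo.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "<?php echo \'x\'; ?>"',
    '203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /foo.php?file=/proc/self/environ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print("%s %s %s -> %s" % (finding["host"], finding["status"],
                                  finding["target"], ", ".join(finding["reasons"])))
```

A 200 status on a traversal or wrapper request is the signal worth alerting on, since a rejected attempt returns an error page; the PHP-tag check on the User-Agent is the one that catches the poisoning stage before any include ever happens.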


Local File Inclusion (LFI)