What is Local File Inclusion (LFI)?
This is a vulnerability commonly found in web applications that rely on a scripting runtime. Local File Inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files already present on the web server, by abusing functionality that dynamically includes local files or scripts based on user-controlled input.
LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution.
An attacker who achieves remote code execution can plant a web shell on the web server and use it, for example, to deface the website or to pivot further into the environment.
How does Local File Inclusion Work?
Usually, the path of the file to be opened is passed to a function that either returns the file's content as a string, prints it on the current web page, or includes it in the document and parses it as application code in the relevant language. When any part of that path comes from user input, the attacker gets to choose which file is read or, in the include case, executed.
The following is an example in PHP that is vulnerable to Local File Inclusion (LFI).
<?php
/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file: the user-supplied value is appended to the
 * directory prefix without any validation.
 * Example - directory/filename.php
 */
include('directory/' . $file);
In the above example, the value of the file parameter is appended to directory/ without any validation. An attacker who has managed to upload a malicious script such as a web shell to the web server can make a request like the following to trick the application into including it:

https://example.com/?file=filename.php

Because the attacker controls the path, relative components such as ../ allow the request to reach files outside directory/, including the uploaded script. The included file is executed with the privileges of the user the web application runs as, so the attacker can run any code they want on the web server. At that point the attacker has a foothold on the server itself, not just the website.
Protecting Against LFI Attacks
The simplest way to eliminate LFI vulnerabilities is to avoid dynamically including files based on user input at all. If this is not possible, the application should maintain a whitelist (allowlist) of files that may be included, and map user input to entries of that list rather than using the input as a path; any request that does not match an entry should be rejected. As defence in depth, the resolved path should also be checked to confirm it still lies inside the intended directory before it is included.
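The following is an added example, not code from the original article, that puts the vulnerable concatenation from the earlier snippet next to an allowlist-based resolver of the kind recommended above. The function names, the pages/ prefix, the allowlisted page names, the constructed sample requests and the throwaway directory the script creates are all assumptions made for the demonstration.

```php
<?php
// Added example (not from the original article). Function names, the
// "pages/" prefix, the allowlist entries, the sample requests and the
// temporary directory are assumptions for the demonstration.

declare(strict_types=1);

// Vulnerable pattern: the user-supplied value is concatenated straight
// into the path, so "../" sequences walk out of the intended directory.
function resolve_unsafe(string $requested): string
{
    return 'pages/' . $requested;
}

// Hardened pattern: map a short, user-visible key to a file name through
// an allowlist, then confirm the resolved path really lives under the
// intended directory before it is handed to include().
function resolve_safe(string $requested, string $baseDir): ?string
{
    // Allowlist: the only pages this application is willing to include.
    static $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        return null; // unknown key: refuse rather than guess
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);

    // realpath() returns false for a missing file; the prefix check catches
    // symlinks or misconfiguration that would point outside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample requests for the demonstration.
$requests = [
    'home',                       // legitimate page key
    '../../uploads/shell.php',    // traversal toward an attacker-uploaded file
    'home.php',                   // a real file name, but not an allowlisted key
];

// Create a throwaway base directory holding the allowlisted pages so the
// example runs offline without touching the real application.
$baseDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($baseDir);
foreach (['home.php', 'about.php', 'contact.php'] as $f) {
    file_put_contents("$baseDir/$f", "<?php echo 'page: $f';\n");
}

// Show what each request resolves to under the two patterns.
foreach ($requests as $r) {
    printf("request=%-26s unsafe=%-36s safe=%s\n",
        var_export($r, true),
        resolve_unsafe($r),
        resolve_safe($r, $baseDir) ?? 'REJECTED');
}

// Only an allowlisted, verified path ever reaches include().
$page = resolve_safe($_GET['file'] ?? 'home', $baseDir);
if ($page !== null) {
    include $page;
    echo "\n";
} else {
    http_response_code(404);
    echo "Not found\n";
}

// Remove the throwaway directory.
array_map('unlink', glob("$baseDir/*.php"));
rmdir($baseDir);
```

Run from the command line, the unsafe resolver happily returns pages/../../uploads/shell.php for the traversal request, while the hardened resolver rejects both it and the bare file name, because only the keys of the allowlist are accepted, never a caller-supplied path. The realpath prefix check is not a substitute for the allowlist; it is a second line of defence against the allowlisted files themselves being replaced by symlinks or the directory being misconfigured.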