Preventive Measures /Mitigation
LFI: A LFI attack aims to access files and directories that are stored outside the Web-root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system file.
Its severity based on what information is stolen. A successful LFI attacks leads to XSS and RCE. Whenever application takes file path input that time attacker try to inject malicious shell to execute their script. So why it happens because web-application allows submitting input into files or upload files to the server.
Now if in the above case if server is running with high privileges, attacker is able to get sensitive information from the server. For traversal we used ‘../’ characters, the number of ‘../’ sequences depend on the configuration and location of the target web server on the victim machine.
Some of interesting files generally attacker look (but not limited to)
Types of inclusion:
RFI: When web application downloads and executes a remote file. For RFI 2 functions should be enabled in PHP’s configuration file.
This usually doesn’t happens because most of the server disabled these functions by default.
LFI: Same as RFI but here we do not include remote files.
· Attacker inserts payload to web application.
· As web application does not have any validation web application process that payload.
· So now attacker gets the output with the file he want to fetch from the server.
Working: Consider a website “testsite.com” that displays images using the following
HTML IMG tags
The “filename” parameter takes the name of the image and returns the content of the“logo.png”.The images are stored in the location/var/www/images/.”Filename” parameter fetches the image from the following path:
Since the value of “filename” parameter is directly used without any validation to fetch the image. The attacker tampers the value of the “filename” parameter to read other files on the server.
This induces the application to read from the following path:
The three consecutive../sequences step up from location/var/www/images/ to the file system/root/, so an attacker can read sensitive file i.e./etc/passwd instead of image file.
We have one application where which has a parameter which is used to fetch the file from the server. So we have to exploit this functionality to get the sensitive information from the server.
This is the main screen. Now when I click on” sysadm” tab.
I observed changes in URL and there are two parameter one have the folder name and other is the file saved in that folder.
Now I click on index.html file. These parameters get changed.
· Files = needs directory name
· F = needs file name
Both parameter are not sanitized and takes any value. So as I try to replace the value of files parameter value with ../ Notation. I got some folders in the root directory.
So there are 4 directories and their names are “text.gif”, ”admin”, ”files”, ”index.php”.
Now we will pass the admin in the folder parameter with../ Notation to check the files in the directory.
As soon as I did this it shows that there is a file in the admin directory name as index.php.
After doing so I passed the”../admin” in the folder parameter and “index.php” in the file name parameter.
When I apply these changes in URL I was able to get the “index.php” of the “admin” which contains the login username and password of admin.
Since the application is processing all the parameters without any filtration, I was able to access the sensitive files on the server.
This can lead to authentication bypass and other sensitive information leakage.
Preventive Measures /Mitigation:
· Prefer using file-system calls to function without user input.
· Sanitize file name parameters and do not allow paths (../) to be included in the file name or user input.
· Validate the user’s input by only accepting known good.
· Implement strict code access policies to restrict where files can be saved.