Exploitation: LFI

Preventive Measures /Mitigation


LFI: A LFI attack aims to access files and directories that are stored outside the Web-root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system file.

Its severity based on what information is stolen. A successful LFI attacks leads to XSS and RCE. Whenever application takes file path input that time attacker try to inject malicious shell to execute their script. So why it happens because web-application allows submitting input into files or upload files to the server.

Now if in the above case if server is running with high privileges, attacker is able to get sensitive information from the server. For traversal we used ‘../’ characters, the number of ‘../’ sequences depend on the configuration and location of the target web server on the victim machine.

Some of interesting files generally attacker look (but not limited to)

Linux machine
— /proc/version
— /etc/profile
— /etc/passwd
— /etc/shadow

Types of inclusion:

RFI: When web application downloads and executes a remote file. For RFI 2 functions should be enabled in PHP’s configuration file.

· allow_url_fopen

· allow_url_include

This usually doesn’t happens because most of the server disabled these functions by default.

LFI: Same as RFI but here we do not include remote files.


Image for post
Image for post

· Attacker inserts payload to web application.

· As web application does not have any validation web application process that payload.

· So now attacker gets the output with the file he want to fetch from the server.

Working: Consider a website “” that displays images using the following


<img src=”/images.php?filename=logo.png”>

The “filename” parameter takes the name of the image and returns the content of the“logo.png”.The images are stored in the location/var/www/images/.”Filename” parameter fetches the image from the following path:


Since the value of “filename” parameter is directly used without any validation to fetch the image. The attacker tampers the value of the “filename” parameter to read other files on the server.

This induces the application to read from the following path:


The three consecutive../sequences step up from location/var/www/images/ to the file system/root/, so an attacker can read sensitive file i.e./etc/passwd instead of image file.

Exploiting LFI:

We have one application where which has a parameter which is used to fetch the file from the server. So we have to exploit this functionality to get the sensitive information from the server.

Image for post
Image for post

This is the main screen. Now when I click on” sysadm” tab.

Image for post
Image for post

I observed changes in URL and there are two parameter one have the folder name and other is the file saved in that folder.

Now I click on index.html file. These parameters get changed.

Image for post
Image for post

· Files = needs directory name

· F = needs file name

Both parameter are not sanitized and takes any value. So as I try to replace the value of files parameter value with ../ Notation. I got some folders in the root directory.

Image for post
Image for post

So there are 4 directories and their names are “text.gif”, ”admin”, ”files”, ”index.php”.

Now we will pass the admin in the folder parameter with../ Notation to check the files in the directory.

As soon as I did this it shows that there is a file in the admin directory name as index.php.

After doing so I passed the”../admin” in the folder parameter and “index.php” in the file name parameter.

Image for post
Image for post

When I apply these changes in URL I was able to get the “index.php” of the “admin” which contains the login username and password of admin.

Since the application is processing all the parameters without any filtration, I was able to access the sensitive files on the server.

This can lead to authentication bypass and other sensitive information leakage.

Preventive Measures /Mitigation:

· Prefer using file-system calls to function without user input.

· Sanitize file name parameters and do not allow paths (../) to be included in the file name or user input.

· Validate the user’s input by only accepting known good.

· Implement strict code access policies to restrict where files can be saved.

Written by

Security enthusiast working to secure web for others

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store