File Inclusion
Notes about some basic File Insclusion attack
Playground
Dangerous Function
Function | Read Content | Execute | Remote URL |
PHP | |||
| β | β | β |
| β | β | β |
| β | β | β |
| β | β | β |
NodeJS | |||
| β | β | β |
| β | β | β |
| β | β | β |
Java | |||
| β | β | β |
| β | β | β |
.NET | |||
| β | β | β |
| β | β | β |
| β | β | β |
| β | β | β |
Local File Inclusion (LFI)
Local File Inclusion (LFI) is a type of vulnerability where an attacker can exploit a web application to include files that are already present on the server. By manipulating input parameters, such as URLs or form fields, the attacker can trick the application into loading files from the local file system, potentially accessing sensitive information or executing malicious code.
Basic LFI Payloads
Command | Description |
---|---|
| Basic LFI |
| LFI with path traversal |
| LFI with name prefix |
| LFI with approved path |
| LFI with Base64 Filter |
| LFI with Null byte |
Log Poisoning to RCE
Access Log Location
Apache:
Nginx:
/var/log/nginx/access.log
LFI to RCE
Remote File Inclusion (RFI)
In most languages, including remote URLs is considered as a dangerous practice as it may allow for such vulnerabilities. This is why remote URL inclusion is usually disabled by default. For example, any remote URL inclusion in PHP would require the allow_url_include setting to be enabled.
Automation
Tools
LFImap
WordLists
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
References
Last updated