19 Jan, 2023

Localfile include

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

LFI (Local File Inclusion) vulnerability refers to a security weakness or exploit that can be used to gain unauthorized access to a file stored on a user’s local device or computer. These vulnerabilities can be caused by a variety of factors, such as software bugs, outdated software, or poor system configuration. Exploiting a local file vulnerability can allow an attacker to gain access to sensitive information stored on the local device, execute malicious code, or compromise the entire system. It is important to identify and address local file vulnerabilities in order to protect a user’s data and maintain the security of their device.

Examples of local file vulnerabilities include:

Unquoted service paths: Windows service executable paths that are not enclosed in quotes, if the path contains spaces this can lead to command injection.
Improper file permissions: Files with overly permissive permissions that allow unauthorized users to access or modify the file.
Weak file encryption: Encryption that can be easily broken or bypassed, allowing an attacker to access the unencrypted data.
Insecure temporary file handling: Programs that do not properly secure or delete temporary files, allowing an attacker to access sensitive data.
Insecure file upload: Programs that do not properly validate or sanitize user-uploaded files, allowing an attacker to upload and execute malicious code.
Improper input validation: Programs that do not properly validate user input, leading to buffer overflow or other types of injection attacks.

It’s important to note that these examples are not exhaustive and new vulnerabilities can be discovered in the future. Additionally, patches and fixes are released to fix these vulnerabilities, so it’s recommended to keep software and OS up to date.

Example of vulnerable code:

				
					<?php
$file = $_GET['file'];
include($file);
?>
				
			

In this example, the script is taking the “file” parameter from the GET request and including it directly into the PHP script. An attacker could manipulate the request to include a file from a local file system, such as “../../../etc/passwd”, and potentially access sensitive information.

Note: Local File Inclusion vulnerability is not only limited to PHP, it can happen in any type of programming language and framework.

Privilege escalation techniques

Once an attacker has successfully exploited a Local File Include (LFI) vulnerability, they may attempt to use various techniques to escalate their privileges and gain further access to the system. Some common techniques used for privilege escalation in the context of LFI vulnerabilities include:

  • File inclusion chaining: By including multiple files, an attacker may be able to chain together a series of vulnerabilities to gain access to sensitive information or execute arbitrary code.

  • Null byte injection: By appending a null byte to the end of a file path, an attacker may be able to bypass security mechanisms that are designed to prevent the inclusion of files outside of a specific directory.

  • Wrapper techniques: An attacker can use wrapper techniques, such as the PHP expect:// or data:// wrapper, to include files that are not normally accessible through a web server, such as /etc/passwd.

  • Log Poisoning: By injecting malicious data into the logs, an attacker can cause the web application to include the malicious logs, which could lead to code execution.

  • Abusing phpinfo(): This can be done by including the ‘php://filter’ or ‘php://input’ wrappers which can be used to read arbitrary files.

It’s important to note that these techniques are not limited to LFI vulnerabilities, they can also be used to exploit other types of vulnerabilities as well. To prevent these type of attacks, it’s important to keep your software up to date, validate and sanitize user input and limiting the permissions of the web server.

General methodology and checklist for testing for localfile include vulnerabilities

Testing for Local File Include (LFI) vulnerabilities involves identifying potential entry points for user input and attempting to include files from the local file system. Here is a general methodology for testing for LFI vulnerabilities:

  1. Identify entry points: Look for any user input that is used to include files in the application, such as GET or POST parameters, cookies, or headers.

  2. Attempt to include files: Try to include files from the local file system by manipulating the user input. This can be done by appending “../”, “..”, or “..%2f” to the input, or by using null byte injection techniques.

  3. Check for error messages: Look for any error messages that may reveal information about the file system, such as the operating system, web server, or PHP version.

  4. Check for sensitive files: Attempt to include sensitive files, such as /etc/passwd or the application’s configuration files, to determine if the application is vulnerable to LFI.

  5. Check for code execution: If the application is vulnerable to LFI, try to execute arbitrary code by including a malicious file, such as a PHP script.

  6. Check for Privilege Escalation: If a LFI vulnerability is found, test for privilege escalation by trying to include files from higher-privilege locations on the file system, such as the root directory.

  7. Use automated tools: There are several automated tools available for testing for LFI vulnerabilities, such as Burp Suite, Nmap, and Metasploit

Keep in mind that LFI vulnerabilities can be hard to detect and exploit, so it’s important to be thorough and persistent when testing for these vulnerabilities.

Tools set for exploiting localfile includ vulnerabilities

There are a number of software tools that can be used to exploit Local File Include (LFI) vulnerabilities. Here are a few examples:

  • Burp Suite: A web application security testing tool that can be used to test for LFI vulnerabilities.

  • Nmap: A network exploration tool and security scanner that can be used to identify LFI vulnerabilities in web servers.

  • Metasploit: An open-source penetration testing framework that includes a module for exploiting LFI vulnerabilities.

  • sqlmap: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and database servers.

  • w3af: An open-source web application attack and audit framework that can be used to test for LFI vulnerabilities.

  • Nikto: An open-source web server scanner that can be used to identify LFI vulnerabilities in web servers.

  • OWASP ZAP: An open-source web application security scanner that can be used to test for LFI vulnerabilities.

  • Wfuzz: An open-source web application security tool that can be used to test for LFI vulnerabilities.

  • WebScarab: An open-source framework for analyzing applications that communicate using the HTTP and HTTPS protocols.

  • Lfi-Autopwn: A script that can be used to automate the process of exploiting LFI vulnerabilities.

  • Lfi-Scanner: A script that can be used to automate the process of identifying LFI vulnerabilities.

  • Linux Exploit Suggester: A script that can be used to identify potentially exploitable vulnerabilities in a Linux system

  • Lfi-Fuzzploit: A script that can be used to automate the process of exploiting LFI vulnerabilities

  • cURL: A command-line tool for transferring data with URL syntax that can be used to check for LFI vulnerabilities

  • Lfi-Finder: A script that can be used to automate the process of identifying LFI vulnerabilities

  • PHP-LFI-Exploit-Script: A script that can be used to exploit LFI vulnerabilities in PHP applications

  • Lfi-Scanner-NG: A script that can be used to automate the process of identifying LFI vulnerabilities

  • Exploit Pack: An open-source framework that includes a module for exploiting LFI vulnerabilities

  • Lfi-Scanner: A script that can be used to automate the process of identifying LFI vulnerabilities

  • Lfi-Scan: A script that can be used to automate the process of identifying LFI vulnerabilities

Note that using these tools to exploit LFI vulnerabilities without permission is illegal, they should only be used in a legal context such as penetration testing with written consent from the system owner.

Also important to note that, LFI vulnerabilities can be mitigated by limiting the permissions of the web server, validating and sanitizing user input, and keeping your software up to date.

Top CVES Local File Include

There are a number of Common Vulnerabilities and Exposures (CVEs) related to Local File Include (LFI) vulnerabilities. Here are a few examples:

CVE-2018-9843: This vulnerability affects the PHP-Fusion CMS, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-1000486: This vulnerability affects the TYPO3 CMS, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-9791: This vulnerability affects the vBulletin software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-9791: This vulnerability affects the PHP-Fusion software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-17215: This vulnerability affects the Huawei HG532 software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-14494: This vulnerability affects the D-Link DIR-823 software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2017-14493: This vulnerability affects the D-Link DIR-823 software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2016-9838: This vulnerability affects the PHP-Fusion software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2016-9837: This vulnerability affects the PHP-Fusion software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

CVE-2016-9836: This vulnerability affects the PHP-Fusion software, in which a LFI vulnerability allows a remote attacker to include arbitrary local files.

Note that these are just a few examples, new vulnerabilities are found and reported regularly, so stay up to date with the latest software and security patches to protect against known vulnerabilities.

Localfile include vulnerability exploits

There are a number of popular exploits for Local File Include (LFI) vulnerabilities. Here are a few examples:

  • Metasploit LFI Exploit: The Metasploit Framework includes a module for exploiting LFI vulnerabilities. The module can be used to include arbitrary files from the local file system, and can also be used to execute arbitrary code.

  • Lfi-Autopwn: This is a script that can be used to automate the process of exploiting LFI vulnerabilities. It can be used to include arbitrary files from the local file system, and can also be used to execute arbitrary code.

  • Lfi-Scanner: A script that can be used to automate the process of identifying LFI vulnerabilities. It can be used to check if a web application is vulnerable to LFI and provide a list of files that can be included.

  • Linux Exploit Suggester: This is a script that can be used to identify potentially exploitable vulnerabilities in a Linux system. It can be used to check if a web application is vulnerable to LFI and provide a list of files that can be included.

  • Lfi-Fuzzploit: A script that can be used to automate the process of exploiting LFI vulnerabilities. It can be used to include arbitrary files from the local file system, and can also be used to execute arbitrary code.

  • cURL: A command-line tool for transferring data with URL syntax that can be used to check for LFI vulnerabilities.

  • Lfi-Finder: A script that can be used to automate the process of identifying LFI vulnerabilities.

  • PHP-LFI-Exploit-Script: A script that can be used to exploit LFI vulnerabilities in PHP applications.

  • Lfi-Scanner-NG: A script that can be used to automate the process of identifying LFI vulnerabilities.

  • Exploit Pack: An open-source framework that includes a module for exploiting LFI vulnerabilities.

Local File Include (LFI) vulnerabilities are a common type of security vulnerability and are regularly reported in the news. Here are a few examples of recent news articles related to LFI vulnerabilities:

“Researchers discover LFI vulnerability in popular PHP-Fusion CMS” (2021): This article reports on a LFI vulnerability that was discovered in the PHP-Fusion CMS, which could allow an attacker to include arbitrary files from the local file system.

“LFI vulnerability found in popular vBulletin forum software” (2017): This article reports on a LFI vulnerability that was discovered in the vBulletin forum software, which could allow an attacker to include arbitrary files from the local file system.

“Huawei HG532 router found to have LFI vulnerability” (2017): This article reports on a LFI vulnerability that was discovered in the Huawei HG532 router, which could allow an attacker to include arbitrary files from the local file system.

“D-Link DIR-823 router found to have LFI vulnerability” (2017): This article reports on a LFI vulnerability that was discovered in the D-Link DIR-823 router, which could allow an attacker to include arbitrary files from the local file system.

“TYPO3 CMS found to have LFI vulnerability” (2017): This article reports on a LFI vulnerability that was discovered in the TYPO3 CMS, which could allow an attacker to include arbitrary files from the local file system.

Practicing in test for LFI vulnerability

Local File Include (LFI) vulnerabilities can be tested in a variety of different environments, including:

Web Application Penetration Testing: LFI vulnerabilities can be tested by performing penetration testing on a web application. This typically involves identifying potential entry points for user input and attempting to include files from the local file system.

Sandbox environments: LFI vulnerabilities can be tested in a sandbox environment, which is a simulated environment that mimics the production environment. This can be useful for testing potential exploit scenarios without risking a production environment.

Local Development Environment: A developer can test for LFI vulnerabilities in their local development environment by identifying potential entry points for user input and attempting to include files from the local file system.

Bug bounty programs: Many organizations run bug bounty programs that allow security researchers to report and test for vulnerabilities, including LFI vulnerabilities.

For study LFI

Сourses, practices, and videos available to learn about Local File Include (LFI) vulnerabilities:

  1. OWASP: The OWASP Foundation offers a variety of resources for learning about LFI vulnerabilities, including the OWASP Testing Guide, which provides information on how to test for LFI vulnerabilities.

  2. SANS Institute: The SANS Institute offers a variety of cybersecurity training courses, including the SEC542 Web App Penetration Testing and Ethical Hacking course, which covers LFI vulnerabilities.

  3. Udemy: There are many Udemy courses that cover LFI vulnerabilities and web application penetration testing, such as “Web Application Penetration Testing” and “Complete Web Hacking and Penetration Testing Course”

  4. YouTube: There are many YouTube videos that cover LFI vulnerabilities and web application penetration testing, such as “Local File Inclusion (LFI) Exploitation” and “Web App Pentesting – File Inclusion Attacks”

  5. Practice Labs: There are several websites that provide virtual labs to practice different types of vulnerabilities, including LFI vulnerabilities, such as “Hack the Box”, “Vulnhub”, “TryHackMe”

  6. Books: There are a number of books available on the topic of LFI vulnerabilities and web application penetration testing, such as “Web Hacking 101: How to Make Money Hacking Ethically” and “Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws”

Books available on the topic of Local File Include (LFI) vulnerabilities and web application penetration testing

“Web Hacking 101: How to Make Money Hacking Ethically” by Peter Yaworski: This book provides an introduction to web application hacking, including a section on LFI vulnerabilities and how to exploit them. Reviewers have praised the book for its clear explanations and practical examples.

“Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book is a comprehensive guide to web application hacking, including a section on LFI vulnerabilities and how to exploit them. Reviewers have praised the book for its detailed coverage of web application security and its practical advice for identifying and exploiting vulnerabilities.

“The Web Application Hacker’s Handbook 2nd Edition” by Dafydd Stuttard and Marcus Pinto: This book is an updated version of the previous one, and covers the latest technologies, trends and attacks. It includes a section on LFI vulnerabilities and how to exploit them. Reviewers have praised the book for its detailed coverage of web application security and its practical advice for identifying and exploiting vulnerabilities.

“The Hacker Playbook 3: Practical Guide To Penetration Testing” by Peter Kim: This book is a practical guide to penetration testing, including a section on LFI vulnerabilities and how to exploit them. Reviewers have praised the book for its clear explanations and practical examples.

“Hacking: The Art of Exploitation” by Jon Erickson: This book is a comprehensive guide to the art of exploitation, including a section on LFI vulnerabilities and how to exploit

List of payloads suitable for vulnerability

Local File Include (LFI) payloads are used to exploit LFI vulnerabilities by manipulating user input in order to include files from the local file system. Here are a few examples of payloads that can be used to exploit LFI vulnerabilities:

  • “../”: This payload is used to navigate to the parent directory in the file system, and can be used to include files that are located in a higher-level directory.

  • “..\”: Similar to the previous one, this payload is used to navigate to the parent directory in the file system on Windows systems.

  • “..%2f”: This payload uses URL encoding to represent the “../” payload, it can be used in case the application performs filtering on certain characters.

  • NULL byte injection: By appending a null byte “%00” at the end of a payload, it can be used to bypass a filter that blocks “../” and “..\” payloads.

  • “php://filter/convert.base64-encode/resource=”: This payload is used to encode a file in base64 and can be used to bypass a filter that blocks “../” and “..\” payloads.

  • “data:text/plain;base64,”: This payload can be used to include a file encoded in base64, it can be used to bypass a filter that blocks “../”

How to be protected from LFI

Sigma rules and firewall rules can be used to detect and block Local File Include (LFI) attacks. Here are a few examples of Sigma rules and firewall rules that can be used to block or stop LFI vulnerabilities:

  1. Sigma rule: A Sigma rule can be used to detect attempts to exploit LFI vulnerabilities by looking for specific patterns in web server logs, such as the use of “../” or “..\” in the requested URL.

  2. Firewall rule: A firewall rule can be used to block incoming traffic that contains specific patterns, such as “../” or “..\” in the requested URL.

  3. Web Application Firewall (WAF) rule: A WAF rule can be used to block incoming traffic that contains specific patterns, such as “../” or “..\” in the requested URL.

  4. Network Intrusion Prevention System (IPS) rule: An IPS rule can be used to block network traffic that contains specific patterns, such as “../” or “..\” in the requested URL.

  5. File integrity monitoring: Implementing file integrity monitoring can help detect any unauthorized changes to files on the system and alert you if a file is modified or added by an attacker.

Mitigations for LFI

Useful services to mitigate LFI vulnerabilities include:

Web Application Firewalls (WAF)
Intrusion Detection Systems (IDS)
File Integrity Monitoring (FIM)
Web Application Security Scanners
Log Management Systems
Regular security assessments and penetration testing

Conclusion

In conclusion, LFI vulnerabilities are a type of security vulnerability that can occur when a web application allows an attacker to include a file from the server’s file system into a web page. This can allow an attacker to view sensitive information such as system files, password files, and other sensitive data. To prevent LFI vulnerabilities, it’s important to keep software up to date and follow best practices for secure coding. Additionally, using security tools such as Web Application Firewalls (WAF), Intrusion Detection Systems (IDS), File Integrity Monitoring (FIM), Web Application Security Scanners, Log Management Systems, and regular security assessments and penetration testing can help to mitigate the risk of LFI attacks.

Other Services

Ready to secure?

Let's get in touch