Local File Inclusion

Local File Inclusion (LFI) is a web application vulnerability that allows an attacker to include files from the server's filesystem into the application's output. This vulnerability typically occurs when applications use user-supplied input to construct file paths without proper validation or sanitization.

Understanding the Vulnerability

LFI vulnerabilities emerge when web applications dynamically include files based on user input. The core issue is that applications trust user-supplied data to determine which file to include, allowing attackers to manipulate the file path to access unintended files on the server.

How LFI Works

When a web application needs to load different pages or templates, developers often use a parameter to specify which file to include. For example, a website might use a URL like example.com/index.php?page=about to load different content pages. If the application doesn't properly validate the page parameter, an attacker can manipulate it to access sensitive files.

Vulnerable Code Examples

Here's a classic example of vulnerable PHP code:

<?php
// Vulnerable to LFI
$page = $_GET['page'];
include($page . '.php');
?>

This code directly uses user input from the URL parameter without any validation. An attacker could exploit this by requesting:

index.php?page=../../../../etc/passwd%00 (using null byte injection to bypass the .php extension)
index.php?page=../../../var/log/apache2/access.log

Another common vulnerable pattern occurs when developers attempt basic sanitization but fail:

<?php
// Still vulnerable despite attempt at sanitization
$page = str_replace('../', '', $_GET['page']);
include('/var/www/pages/' . $page . '.php');
?>

This can be bypassed using nested directory traversal sequences like ....//....//etc/passwd.

Here's a vulnerable example in Python using Flask:

from flask import Flask, request, render_template
import os

app = Flask(__name__)

@app.route('/view')
def view_file():
    # Vulnerable - directly uses user input
    filename = request.args.get('file')
    filepath = os.path.join('/var/www/templates/', filename)
    
    with open(filepath, 'r') as f:
        content = f.read()
    
    return content

Exploitation Techniques

Attackers use several techniques to exploit LFI vulnerabilities:

Directory Traversal

The most common technique uses ../ sequences to navigate up the directory tree:

?page=../../../../etc/passwd
?page=..\..\..\..\windows\system.ini

Null Byte Injection

In older PHP versions (before 5.3.4), null bytes could truncate strings:

?page=../../../../etc/passwd%00

Encoding Bypass

Attackers may use URL encoding or double encoding to bypass simple filters:

?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
?page=%252e%252e%252fetc%252fpasswd (double encoded)

Wrapper Exploitation

PHP supports various stream wrappers that attackers can abuse:

?page=php://filter/convert.base64-encode/resource=config.php
?page=data://text/plain,<?php system($_GET['cmd']); ?>
?page=expect://whoami

Secure Code Examples

Here's how to properly protect against LFI vulnerabilities:

Whitelisting Approach (Most Secure)

<?php
// Secure - uses whitelist validation
$allowed_pages = [
    'home' => 'home.php',
    'about' => 'about.php',
    'contact' => 'contact.php'
];

$page = $_GET['page'] ?? 'home';

if (array_key_exists($page, $allowed_pages)) {
    include('/var/www/pages/' . $allowed_pages[$page]);
} else {
    include('/var/www/pages/error.php');
}
?>

Basename and Path Validation

<?php
// Secure - validates and sanitizes input
$base_dir = '/var/www/pages/';
$page = basename($_GET['page']); // Removes directory traversal
$filepath = realpath($base_dir . $page . '.php');

// Verify the resolved path is within allowed directory
if ($filepath && strpos($filepath, realpath($base_dir)) === 0 && file_exists($filepath)) {
    include($filepath);
} else {
    http_response_code(404);
    include($base_dir . 'error.php');
}
?>

Python Flask Secure Implementation

from flask import Flask, request, abort
import os
from pathlib import Path

app = Flask(__name__)

ALLOWED_FILES = {
    'home': 'home.html',
    'about': 'about.html',
    'contact': 'contact.html'
}

BASE_DIR = Path('/var/www/templates').resolve()

@app.route('/view')
def view_file():
    file_key = request.args.get('file', 'home')
    
    # Whitelist validation
    if file_key not in ALLOWED_FILES:
        abort(404)
    
    filename = ALLOWED_FILES[file_key]
    filepath = (BASE_DIR / filename).resolve()
    
    # Ensure the resolved path is within BASE_DIR
    if not str(filepath).startswith(str(BASE_DIR)):
        abort(403)
    
    if not filepath.exists():
        abort(404)
    
    with open(filepath, 'r') as f:
        content = f.read()
    
    return content

Prevention Best Practices

Use Whitelisting: Define an explicit list of allowed files or values rather than trying to blacklist dangerous patterns. Blacklists are easily bypassed.

Avoid User Input in File Paths: Whenever possible, don't use user input to construct file paths. Use indirect references like IDs that map to filenames in your code.

Validate and Sanitize: If you must use user input, apply strict validation using functions like basename() to strip directory components and realpath() to resolve the actual path.

Path Containment Checks: Always verify that the resolved file path stays within your intended directory using string comparison after resolving with realpath().

Disable Dangerous Functions: In PHP, disable dangerous functions and wrappers in php.ini:

allow_url_include = Off
allow_url_fopen = Off
disable_functions = system,exec,passthru,shell_exec

Principle of Least Privilege: Run your web server with minimal permissions so even if LFI occurs, the damage is limited.

Input Type Enforcement: Use strong typing and validation frameworks that enforce expected data types and formats.

Detection and Testing

Security professionals can test for LFI using these approaches:

Manual testing with common payloads targeting known sensitive files
Automated scanning tools like Burp Suite, OWASP ZAP, or Nikto
Code review focusing on file inclusion functions: include(), require(), include_once(), require_once(), file_get_contents(), fopen()
Web Application Firewalls (WAF) can detect and block common LFI patterns

Real-World Impact

LFI vulnerabilities can lead to severe consequences including exposure of configuration files containing database credentials, disclosure of application source code revealing additional vulnerabilities, access to system files like password hashes, and in some cases, remote code execution when combined with file upload functionality or log poisoning techniques.

Understanding LFI is crucial for both developers building secure applications and security professionals protecting them. The key is treating all user input as untrusted and implementing defense in depth with multiple layers of validation and security controls.

References & More

WSTG - v4.2 | OWASP Foundationowasp.org

Exploiting an LFI (Local File Inclusion) VulnerabilityVAADATA - Ethical Hacking Services

PreviousServer-Side Request Forgery NextPath Traversal

Last updated 15 days ago

hashtagUnderstanding the Vulnerability

hashtagHow LFI Works

hashtagVulnerable Code Examples

hashtagExploitation Techniques

hashtagDirectory Traversal

hashtagNull Byte Injection

hashtagEncoding Bypass

hashtagWrapper Exploitation

hashtagSecure Code Examples

hashtagWhitelisting Approach (Most Secure)

hashtagBasename and Path Validation

hashtagPython Flask Secure Implementation

hashtagPrevention Best Practices

hashtagDetection and Testing

hashtagReal-World Impact

hashtagReferences & More