Local File inclusion (LFI) refers to an inclusion attack. An attacker can trick the online application in including files on the online server. The attacker does this by exploiting functionality that dynamically includes native files or scripts. The consequence of a successful LFI attack. It includes Directory Traversal and information revealing also as Remote Code Execution.

This server allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. This is due to the use of user-supplied input without proper validation Typically, Local File Inclusion (LFI) occurs, when an application gets the path to the file that has to be included as an input without treating it as untrusted input. This would allow a local file to be supplied to the included statement.

Local File Inclusion is very much like Remote File Inclusion (RFI), with the difference that with Local File Inclusion, an attacker can only include local files (not remote files like in the case of RFI). The following is an example in PHP that is vulnerable to Local File Inclusion (LFI).

/**

* Get the filename from a GET input

* Example - http://example.com/?file=filename.php

*/

$file = $_GET['file'];

​

/**

* Unsafely include the file

* Example - filename.php

*/

include('directory/' . $file);

In the above example, an attacker could make the following request to trick the application into executing a malicious script such as a webshell that the attacker managed to upload to the web server.

http://example.com/?file=../../uploads/evil.php

In this example, the file the uploaded by the attacker will be included and run as the user running the web application.

Where Local LFI found ?
Basically this the location

http://vulnerable_host/preview.php?file=abc.html

This is the place where an attacker can perform the LFI attack on web applications. The script can be included here in the URL that is containing various parameters upon which the attack will be performed. It is possible to include arbitrary files on the server. The affected URL by the attacker would be something like this:

http://vulnerable_host/preview.php?document=../../../../etc/passwd

Identifying Vulnerabilities within Web Application: Identifying LFI Vulnerability within the web application is easy as it is going to include a file from a web server and return it to the attacker.
For example “/fi/?page=include.php” LFI would be possible in such an application if the above example or something related to such example is existing in the web application.

A Pentester would attempt to get benefit from this sort of misconfiguration i.e. he can exploit this vulnerability by manipulating the parameters.
For Example “/fi/?page=include.php” this will execute successfully only if the index.php” file exists in the same directory. If not, we have to add “../” ahead of “index.php” .

Imagine this “index.php” is located in the "/var/www/html" folder and “include.php” is located in "/var/www/dvwa/vulnerabilities/lfi/" folder and you can see the responses of files from this folder location only. Now to execute a file located in another directory, we have to change our directory in URL. For example "/fi/?page=../../../index.php".

There are three kinds of scenarios possible in LFI attack:

• Including Files to be Parsed by the Language’s Interpreter
• Including Files that are Printed to a Page
• Including Files that are Served as Downloads

Impacts of an Local File Inclusion Vulnerability: An attacker would be able to get access to the following by exploiting LFI Vulnerability:

• Information Disclosure of files stored in Web Server
• Passwords/Database Access
• Log Files
• Complete System Compromise

Remediation File Inclusion(LFI) Vulnerability:

• One should not allow the file path that could be modified directly either it should be hardcoded or to be selected via hardcoded path list.
• One must make sure that the required should have dynamic path concatenation i.e must contain (a-z) (0-9) instead of (/, /% etc)
• There should be specific limit the API so that only inclusion from directories under it work so that Directory Traversal attack could not take place in this situation

Preventing Local File Inclusion (LFI) Vulnerabilities

The best way to eliminate Local File Inclusion (LFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included.