A local file inclusion vulnerability allows the attacker to specify a file local to the target server for either display or rendering. For instance, a poorly constructed web application could allow the attacker to display the underlying source code of a page or an arbitrary file like /etc/passwd. If the vulnerability allows the attacker to specify a remote source for inclusion, this allows things like a remote web shell to be included.
Local File Inclusion (LFI) Setup
Make a directory called file-inclusion
Paste the following into an index.php file
Make three files that each contain a simple HTML page: page1.html, page2.html and page3.html
Start a PHP server in your terminal using php -S 127.0.0.1:9000
Then go to a web browser and type http://127.0.0.1:9000 and you will see the PHP and HTML pages that you made! Your PHP server will also log messages saying that it successfully served a GET HTTP request.
Interact with the buttons on the page
Deliverable 1: See if you can display Kali's /etc/passwd.
If we look at our URL after we click on a button, we can see the format of the request that is being submitted to the web server for a page.
We have to tell the web server, in that same format, that we want a different page. So instead of asking for page2.html we can tell the server we want the /etc/passwd file instead.
Deliverable 2: Figure out how to display the file that shows the current version of Linux
Challenge: display my partner's /etc/passwd file using their IP address
Deliverable 3: include the rfi.html file using two web servers.
RFI
Helpful hint!
If you want to easily go back to a directory instead of having to remember the path, you can use pushd and popd.
Say you are in the directory ~/sec480/week2/file-inclusion and you need to go to another directory but will be coming back to the original one. Within your directory, run pushd . to tell the shell that this is the directory you want to return to. For example, I then decide to go to the /etc/php directory. From there I can type popd and it will take me back to my original directory!
Create a file called rfi.html in your file-inclusion directory
Make a copy of php.ini and put it in your file-inclusion directory
cp /etc/php/8.4/cli/php.ini .
You should check your PHP version within /etc/php before running this command (it may not be 8.4 anymore).
Modify the new php.ini file so that allow_url_include is turned on
In a new tab run the following python command:
In your original tab restart the local php server with:
In the following screenshot we are using one web server to get content from another web server. The second web server, the one we ran with the Python command, could host malware or a malicious file that we wanted to inject into the first server (but right now the files are not harmful).
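An added example (not the lab's own index.php) of the two include patterns this page is built around: the vulnerable direct include that makes Deliverables 1 and 3 possible, beside a hardened allowlist version. It assumes the lab layout described above (index.php and page1.html to page3.html in one directory, requests of the form index.php?page=page2.html); the function names are my own.

```php
<?php
// Added example, not the lab's index.php. Assumes page1.html, page2.html and
// page3.html sit next to this file and the request looks like ?page=page2.html.

$page = $_GET['page'] ?? 'page1.html';

// VULNERABLE pattern: the request parameter goes straight into include().
// A traversal value such as ../../etc/passwd reads a local file (LFI), and with
// allow_url_include=On in php.ini an http:// value fetches and executes code
// from a second web server (RFI), which is exactly what the lab demonstrates.
function include_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED pattern: an explicit allowlist of page names, plus a realpath() check
// that the resolved file really lives inside this directory (defence in depth).
// Keep allow_url_include=Off in production php.ini; the allowlist then makes the
// remote case impossible even if that setting is ever flipped.
function include_page_safe(string $page): bool
{
    $allowed = ['page1.html', 'page2.html', 'page3.html'];
    if (!in_array($page, $allowed, true)) {
        return false;                      // not one of our pages: refuse
    }
    $base = realpath(__DIR__);
    $path = realpath(__DIR__ . DIRECTORY_SEPARATOR . $page);
    // realpath() returns false for a missing file and collapses any ../ parts,
    // so anything that does not start with $base is outside the page directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

if (!include_page_safe($page)) {
    http_response_code(404);
    echo 'Unknown page';
}
```

Run it with the same php -S server used in the lab and compare the server log for a normal page request against a rejected traversal or http:// value; the hardened version answers 404 for both.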
Deliverable 4: Figure out how to include a rfi.php that executes a single command of your choice.
Make sure you are running both of your web servers in the correct directory! In my case I needed to run them in the sec480/week2/file-inclusion directory. I was running one of my web servers in the home directory and it could not find the file I was asking it to find.
Make a file called rfi.php in your file-inclusion directory