Local File Inclusion

Overview

Local File Inclusion vulnerabilities allows an attacker to view local files on the web server. Files containing sensitive information such as database credentials in ASP.NET web.config, could be compromised and used to access additional sensitive data or gain further access into the application and network.

Source code files for the application may also be retrieved to gain a better understanding of the source code and potentially find vulnerabilities therein.

Example

A very simple example would be a URL parameter that is used in a function to retrieve files. Consider the following NodeJS (with Express) example.

The code creates a simple http server. Upon browsing to the URL it accepts a URL parameter id and saves it to the id variable in line 5. Line 6 uses the Node module FS function readFile to read files. The variable id is passed as an argument. The function writes the file to the response and returns the response to the user. 

var http = require('http');
var fs = require('fs');
http.createServer(function (req, res) {
  //Open a file on the server and return its content:
  var id = req.query.id
  fs.readFile(id, function(err, data) {
    res.writeHead(200, {'Content-Type': 'text/html'});
    res.write(data);
    return res.end();
  });
}).listen(8080);

So entering the URL http://localhost:8080/?id=/etc/passwd would return the /etc/passwd file (assuming the application process has the necessary rights to view that file), thus illustrating LFI. The source code does not do any input sanitization or allow-list checking for the user input and just passes it directly into the fs.readFile function.

For further reading start with these links then see further resources:

PreviousTesting TipsNextLocal File Inclusion Writeups

Last updated