Source Code Examples

DVWA - Low

In the DVWA the LFI vulnerability page URL is /dvwa/vulnerabilities/fi/page=<page>. The page URL parameter is vulnerable. Using directory traversal you can retrieve the /etc/passwd file.

Retrieving /etc/passwd using directory traversal in the page URL parameter

The code that handles this does not validate the user input from the page URL parameter. It merely sets the URL parameter to the file variable.

//low.php
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

?>

The Index.php handles this file variable:

//index.php 
// if( count( $_GET ) )
if( isset( $file ) )
	include( $file );
else {
	header( 'Location:?page=include.php' );
	exit;
}

Seen above, the low.php uses the URL parameter and sets the $file variable based on it. The code in Index.php then retrieves the file if it exists. There is no sanitization of the user input or checks to validate the accessibility of the file. Thus allowing LFI.

DVWA - Medium

The source code is modified in the Medium security level to validate the user input, remove http and https and strip dot-dot-slash characters.

<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
$file = str_replace( array( "http://", "https://" ), "", $file );
$file = str_replace( array( "../", "..\"" ), "", $file );

?>

These attempted checks can be bypassed by merely entering /etc/passwd in the page URL parameter without using "../".

DVWA - High

The high security level only allows inputs starting with word "file" or if the file is "include.php".

//high.php
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Input validation
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
	// This isn't the page we want!
	echo "ERROR: File not found!";
	exit;
}

?>

This can be bypassed using the "File" URI scheme since it starts with the word "File". The File URI scheme is used to access files on the localhost. Changing the parameter to file:///etc/passwd will successfully return the file.

DVWA - Impossible

The code for the impossible security level only allows the "include.php" file or files 1-3 which are hard coded into the if statement. There is no way to exploit this to retrieve arbitrary files.

//Impossible.php
<?php

// The page we wish to display
$file = $_GET[ 'page' ];

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
	// This isn't the page we want!
	echo "ERROR: File not found!";
	exit;
}

?>

XVWA

The source code that retrieves files for the LFI example is in xvwa/vulnerabilities/fi/home.php file.

The URL to exploit is http://localhost:8012/xvwa/vulnerabilities/fi/?file=/Windows/system.ini

The "file" URL parameter is used in line 13 and if the parameter is not null it retrieves the files with no input checks or validation and returns the file to the user.

//home.php
<div class="well">

    <p>
        <form method="get" action="">
            <div class="form-group">
                <br>
                <div class="text-left">
                <?php 
                    $f='readme.txt';
                    echo "<a class=\"btn btn-primary\" href=\".?file=$f\" /> Click here </a><br><br>";

                    if (isset($_GET['file'])) {
                        $file=$_GET['file'];
                        include($file);
                    }                 
                ?>
                </div>
            </div>
        </form>
    </p>

      
    <hr>
    
</div>