LFI
Low
Since this attack consists of loading local files, we can go to the main URL and look for robots.txt to test it. If the file exists, we have to find out where it sits relative to the included page, which we do by moving up and down the directories. So if we enter the following path
../../robots.txt
We can see that it loads the file with the permissions for the robots.
Now what we have to do is keep searching through the different folder levels until we reach interesting information such as /etc/passwd
../../../../../etc/passwd
Medium
We change the level, and if we try the robots.txt path again, we see that this time it does not work.
If we look at the code, we see that it makes a substitution with str_replace, which stops us from using ../ to move through the directories
$file = str_replace( array( "../", "..\\" ), "", $file );
But since str_replace is not recursive, we can play with it by changing the folder movement to this
....//
What will happen is that the inner ../ will be removed, leaving the enclosing characters in place; these form a new ../ and the attack works again.
High
Let's go to the last level and try the attacks from before again
![Medium attack failure at high level](/img/attacks/file-inclusion/LFI/attack-high-fail-medium.png)
As we can see, neither of the two works. When we look at the code
if( !fnmatch( "file*", $file ) && $file != "include.php" ) {
// This isn't the page we want!
echo "ERROR: File not found!";
exit;
}
we see that it uses the fnmatch function with the pattern file* to check that the value starts with the word file, so we can use file://, the PHP wrapper that gives access to the local filesystem and itself starts with the word file
file:///var/www/html/robots.txt
file:///etc/passwd
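
The Medium and High checks described above, run next to a hardened resolver, as an added example that is not code from the original page or from the application it tests. The function names, the temporary demo directory and the allow-list of page names are assumptions made for illustration.

```php
<?php
// Added example, not the application's code. Function names are hypothetical.

// Medium-level filter from the page: a single pass of str_replace.
function medium_filter(string $file): string {
    return str_replace(array("../", "..\\"), "", $file);
}

// High-level check from the page: value must start with "file" or be include.php.
function high_check(string $file): bool {
    return fnmatch("file*", $file) || $file === "include.php";
}

// Hardened form: accept only names on an allow-list, then confirm that the
// canonical path is still inside the base directory.
function safe_resolve(string $file, string $baseDir, array $allowed): ?string {
    if (!in_array($file, $allowed, true)) {
        return null;                      // not a page we serve
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false) {
        return null;                      // missing file or directory
    }
    // Containment check on the canonical path (symlinks and ../ resolved).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo data: a temporary directory holding three pages.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "lfi_demo_" . getmypid();
@mkdir($base);
$allowed = array("include.php", "file1.php", "file2.php");
foreach ($allowed as $name) {
    file_put_contents($base . DIRECTORY_SEPARATOR . $name, "<?php // demo page\n");
}

// Inputs taken from the page, plus one legitimate value.
$inputs = array("file1.php", "../../robots.txt", "....//....//robots.txt", "file:///etc/passwd");
foreach ($inputs as $in) {
    printf("%-24s medium=%-18s high=%-5s safe=%s\n",
        $in,
        medium_filter($in),
        high_check($in) ? "pass" : "block",
        safe_resolve($in, $base, $allowed) === null ? "rejected" : "served");
}
```

Only the allow-listed name is served by the hardened resolver; the string filter and the prefix match each let one of the page's inputs through because they inspect the raw string rather than the resolved path.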