- 11 Feb, 2025
- 0 Comments
- 4 Mins Read
Local File Inclusion LFI: Practical Guide & Prevention Tips 2025
Introduction
Local File Inclusion LFI is a common web security vulnerability that allows attackers to manipulate file paths and gain unauthorized access to sensitive files on a server. If exploited, it can lead to information disclosure, code execution, and even full server compromise.
In this blog, we will explore Local File Inclusion LFI in detail, covering:
- How LFI works
- Practical exploitation examples
- Ways to prevent LFI attacks
Let’s dive into the details and understand why LFI is a critical security issue for web applications.
Understanding Local File Inclusion LFI
LFI occurs when an application improperly handles user input in file inclusion mechanisms. It typically arises in PHP applications where files are dynamically included based on user input. An attacker can exploit LFI to read system files, access application configurations, or even execute malicious code.
Example of a Vulnerable Code
<?php
$file = $_GET['page'];
include("pages/" . $file);
?>If the application allows users to pass the page parameter via the URL, an attacker can manipulate it as follows:
http://example.com/index.php?page=../../../../../etc/passwd
This would allow the attacker to read the system’s password file (/etc/passwd) and gain valuable information about the server.
Practical Exploitation of LFI
1. Reading Sensitive Files
Attackers can exploit LFI to read configuration files, which often contain database credentials and API keys. Common files targeted include:
- Linux:
/etc/passwd,/etc/hosts,/var/log/apache2/access.log - Windows:
C:\Windows\win.ini,C:\xampp\php\php.ini
Example URL for extracting /etc/passwd:
http://example.com/index.php?page=../../../../etc/passwd
2. Log Poisoning for Remote Code Execution
LFI can be escalated into remote code execution (RCE) by injecting malicious code into log files and including them.
Step 1: Inject Malicious Code into Logs
If an application logs user-agent headers, an attacker can send a request with a PHP payload in the User-Agent field:
User-Agent: <?php system($_GET['cmd']); ?>
This gets stored in the access log file (e.g., /var/log/apache2/access.log).
Step 2: Execute the Payload
Now, the attacker can include the log file via Local File Inclusion LFI and execute commands:
http://example.com/index.php?page=/var/log/apache2/access.log&cmd=id
This would execute the id command on the server, revealing system user details.
3. PHP Session Hijacking via Local File Inclusion LFI
If a web application stores session files in /tmp (e.g., /tmp/sess_<session_id>), an attacker who knows or guesses a session ID can read session data using LFI.
Example:
http://example.com/index.php?page=../../../../tmp/sess_abc123
This may expose user credentials, tokens, or other sensitive session data.
Preventing Local File Inclusion Attacks
1. Use Allowlisted File Inclusion
Instead of allowing direct file inclusion from user input, restrict it to predefined options.
Safe Code Example:
<?php
$allowed_pages = ['home.php', 'about.php', 'contact.php'];
$page = $_GET['page'];
if (in_array($page, $allowed_pages)) {
include("pages/" . $page);
} else {
echo "Invalid page request!";
}
?>
2. Sanitize User Input
Use functions like basename() to prevent directory traversal and validate input:
$file = basename($_GET['page']);
include("pages/" . $file);
3. Disable allow_url_include in PHP
To prevent remote file inclusion (RFI), disable this setting in php.ini:
allow_url_include = Off
4. Use Web Application Firewalls (WAFs)
A WAF can help detect and block Local File Inclusion LFI attempts before they reach the server.
5. Implement Least Privilege Principle
Ensure web server users have minimal permissions, preventing them from accessing sensitive system files.
LFI vs. Remote File Inclusion (RFI)
| Feature | Local File Inclusion (LFI) | Remote File Inclusion (RFI) |
|---|---|---|
| File Source | Local server files | External files (URLs) |
| Common Target | /etc/passwd, log files, session files | Malicious scripts hosted on remote servers |
| Execution | Limited to local file reads (unless escalated) | Can directly execute remote scripts |
| Prevention | Input validation, allowlisting | Disable allow_url_fopen, allow_url_include |
While Local File Inclusion LFI is often used for reading sensitive files, RFI can lead to full remote code execution, making it even more dangerous.
Real-World Case Study: The C99 PHP Webshell Attack
One notable case of Local File Inclusion LFI exploitation involved the C99 PHP Webshell, a widely used malicious script that allows attackers to gain full control over a web server.
How It Happened
A security researcher discovered that a vulnerable web application was allowing user input to be directly passed into the include() function. An attacker uploaded a simple PHP shell to the /tmp directory and used LFI to execute it.
Attack Steps:
- The attacker uploaded a PHP backdoor via an insecure file upload feature.
- Since the upload directory was not executable, the attacker could not run the script directly.
- Using LFI, the attacker included the uploaded http://victim-website.com/index.php?page=../../../../tmp/c99.php
- The webshell executed, giving the attacker full control over the server.
Impact
- The attacker gained unauthorized access to sensitive files, databases, and credentials.
- The web server was used to launch further attacks, including DDoS campaigns.
- The website was defaced, leading to reputational damage for the company.
Lessons Learned
- Disable direct file inclusion: Avoid including files based on user input.
- Implement file upload restrictions: Prevent execution of uploaded scripts.
- Use server monitoring: Detect suspicious file activity.
Conclusion
Local File Inclusion LFI is a serious security risk that can expose sensitive information, enable remote code execution, and compromise entire systems. Developers must adopt best practices such as input validation, allowlisting, and privilege restrictions to prevent LFI attacks.
By understanding LFI and implementing robust security measures, you can protect your applications from exploitation and ensure a more secure web environment.
Stay secure and always follow secure coding practices! 🚀
Don’t miss out! Check out our latest blogs for bug bounty hunters: