Web applications attacks/Local file inclusion
Description
A Local File Inclusion (LFI) attack exploits an unprotected script on the server to read the content of another file that the application was not meant to expose. The following example shows a vulnerable PHP script (index.php).
<?php
// Vulnerable: the "page" parameter is passed to include() without validation.
if (isset($_GET["page"])) {
    include($_GET["page"]);
}
// ...
?>
With such a script, the content of the /etc/passwd file can be read by requesting:
http://www.somevulnerablesite.com/index.php?page=../../../etc/passwd
Null byte inclusion
The null byte inclusion (%00) makes it possible to read files on a server through a Local File Inclusion (LFI) attack. The following PHP example illustrates the attack:
<?php
// Vulnerable: the "page" parameter is appended to a fixed directory without validation.
if (isset($_GET["page"])) {
    require("/var/www/site/" . $_GET["page"]);
}
// ...
?>
Such a vulnerable script could let an attacker access an unexpected file by requesting an address such as:
http://www.somevulnerablesite/index.php?page=../../../etc/passwd%00
Refer to this site for further information: http://projects.webappsec.org/Null-Byte-Injection
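A hardened counterpart to the two vulnerable scripts above, as an added example that is not part of the original page: the page parameter is checked against an allowlist, null bytes are rejected, and the resolved path must stay inside the page directory. The function name resolve_page, the page name "home" and the temporary demo directory are assumptions made for this example.

```php
<?php
// Added example (not from the original page). resolve_page() is a
// hypothetical helper; directory and page names are assumptions.

/** Return the file to include for $page, or null if the request is refused. */
function resolve_page($page, string $baseDir, array $allowed): ?string
{
    // Refuse non-string input (e.g. page[]=x) and embedded null bytes (%00).
    if (!is_string($page) || strpos($page, "\0") !== false) {
        return null;
    }
    // Allowlist: only known page names are ever mapped to a file.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // Defence in depth: canonicalise both paths (resolves "..", symlinks)
    // and require the target to sit inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// In index.php the result would be used like this:
//   $file = resolve_page($_GET['page'] ?? 'home', '/var/www/site/pages', ['home']);
//   if ($file === null) { http_response_code(404); exit; }
//   require $file;

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temporary page directory and sample requests.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';");

    $requests = ['home', '../../../etc/passwd', "../../../etc/passwd\0", 'missing', ['x']];
    foreach ($requests as $req) {
        $result = resolve_page($req, $dir, ['home']);
        printf("%-30s => %s\n", json_encode($req), $result === null ? 'refused' : 'allowed');
    }

    unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
    rmdir($dir);
}
```

Run from the command line with `php` to see each constructed request classified; the allowlist alone stops both traversal strings, and the realpath check still holds if an allowed name is ever replaced by a symlink pointing outside the page directory.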
Example
- HackThisSite.org, Realistic, Level 7 shows how to exploit a PHP file to read the content of a .htaccess file and access an encrypted password.
- HackThisSite.org, Realistic, Level 14 illustrates the null byte injection attack to list the content of a directory.