- Learned from Hack The Box Starting Point Responder.
- Wordlist of common vulnerable files.
Dynamic websites often include HTML pages using information from HTTP requests, which may involve parameters from GET and POST requests, cookies, and other variables. When this inclusion is improperly handled, it can lead to vulnerabilities such as Local File Inclusion (LFI) and Remote File Inclusion (RFI).
- Description: LFI occurs when an attacker can make a website include files that are not intended to be accessible. This typically happens when the application treats file path inputs as trusted without proper sanitization.
- Exploitation: Attackers use directory traversal sequences (
../) to navigate to sensitive files within the server's file system. For example, an application might include a file based on user input likepage=../../../../../../../../windows/system32/drivers/etc/hosts, allowing the attacker to view thehostsfile. - Risk: In some cases, LFI can lead to code execution if the included file is a script or contains executable code.
- Description: RFI is similar to LFI but involves including remote files from external sources using protocols such as HTTP or FTP.
- Exploitation: Attackers can specify a remote URL as the file to be included, which can lead to the execution of malicious code hosted on the remote server.
- Example: A penetration tester might attempt to include common files with predictable paths, such as the
hostsfile on Windows (C:\windows\system32\drivers\etc\hosts), to check for LFI. - Method: The inclusion vulnerability can be identified by manipulating the
pageparameter in the URL and observing if the application includes unintended files.
- Sanitization: Proper sanitization of input parameters is crucial. This includes validating, filtering, and escaping user inputs.
- Use of Secure Functions: Developers should use secure methods for including files and avoid using direct user inputs for file paths.
- The provided URL
http://unika.htb/index.php?page=../../../../../../../../windows/system32/drivers/etc/hostsdemonstrates a successful LFI exploitation by including and displaying the contents of thehostsfile. - The vulnerability was possible due to improper sanitization in the PHP
include()method used in the backend to process thepageparameter for serving different language pages.
In conclusion, both LFI and RFI are severe vulnerabilities resulting from improper handling of file inclusion mechanisms. Proper input validation and secure coding practices are essential to prevent such exploits.