7.3 File Inclusion (LFI and RFI)

https://www.indusface.com/learning/file-inclusion-attacks-lfi-rfi/

Local file inclusion (LFI) and remote file inclusion (RFI) are vulnerabilities in which an application lets an attacker control which file it includes, and therefore which code it executes. LFI is limited to files that are already on the server; RFI pulls code from a remote host the attacker controls. Either can end in arbitrary code execution on the server, for example by including attacker-supplied content such as a previously uploaded file, a poisoned log entry, or a remotely hosted script.

                     Local file inclusion (LFI)                                  Remote file inclusion (RFI)

How it happens       An include/require call builds a file path from           The same kind of call accepts a URL, and the runtime is
                     user input without validating it                           configured to fetch remote files (allow_url_include in PHP)

What it includes     Files already on the server: config files, logs,          Files fetched from a remote host the attacker controls
                     source code, previously uploaded files

How it's exploited   Directory traversal sequences (../) and stream             An external URL pointing at attacker-hosted code is
                     wrappers such as php://filter are injected into            injected into the parameter, so the remote script is
                     the parameter to reach and read or execute local files     downloaded and executed

To prevent these vulnerabilities, you can:

  • Use secure coding techniques: never pass user input to include/require; map the request parameter to a fixed allowlist of files, and check that the resolved path stays inside the intended directory

  • Validate user-supplied input, and in PHP keep allow_url_include off so an http:// or ftp:// URL can never be included

  • Don't rely on blacklisting, encoding, or filtering alone; attackers bypass these with alternative encodings, wrappers, and traversal variants

You can test for file inclusion vulnerabilities using:

  • The php://filter wrapper, e.g. php://filter/convert.base64-encode/resource=index.php, which returns the target file's source base64-encoded instead of executing it, so the inclusion can be confirmed (and source read) without running the file

  • Directory traversal sequences such as ../ in the parameter, e.g. ../../../../etc/passwd, to reach files outside the intended directory
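
The table, the prevention list and the two probes above, worked through in code. This is an added example and not code from the original page or the linked article: a throwaway PHP page router with the LFI/RFI-prone include() beside a hardened allowlist version, run against the ../ and php://filter payloads. The directory layout, file names and the "hunter2" secret are constructed for the demo; the script writes them to a temp directory itself, so it runs offline.

```php
<?php
// Added example, not code from the original page: a throwaway PHP "page
// router" with an LFI/RFI-prone include() beside a hardened version, run
// against the probes the notes describe (../ traversal and php://filter).
// Everything it includes is written to a temp directory by the script itself,
// so it runs offline with: php lfi_demo.php   (PHP 8.0+ for str_starts_with)
declare(strict_types=1);

// Constructed app tree: app/pages/home.php, plus a secret one level above app/
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/app/pages", 0700, true);
file_put_contents("$root/app/pages/home.php", '<?php echo "home page";');
file_put_contents("$root/secret.php", '<?php $dbPassword = "hunter2"; // never echoed');
chdir("$root/app");

// VULNERABLE: the request parameter *is* the include path. Anything PHP can
// open becomes the script: ../ escapes pages/, php://filter hands back source
// instead of running it, and with allow_url_include=On an http:// URL is
// fetched from the attacker's host and executed (RFI).
function vulnerablePage(string $page): string
{
    ob_start();
    include $page;                      // the bug: user-controlled path
    return (string) ob_get_clean();
}

// HARDENED: the parameter is only a key into a fixed allowlist, and the file
// it maps to must resolve (after realpath(), which collapses ../ and symlinks)
// to a location inside the pages directory. No user-supplied bytes ever reach
// include(), so wrappers and traversal sequences are never interpreted.
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function hardenedPage(string $page, string $pagesDir = 'pages'): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                                        // not on the allowlist
    }
    $base   = realpath($pagesDir);
    $target = realpath($pagesDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$page]);
    if ($base === false || $target === false
        || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return null;                                        // missing, or outside pages/
    }
    ob_start();
    include $target;
    return (string) ob_get_clean();
}

// Probes from the notes, sent to the vulnerable router
$probes = [
    'pages/home.php',                                             // intended use
    '../secret.php',                                              // LFI via traversal: executed, silent
    'php://filter/convert.base64-encode/resource=../secret.php',  // source comes back base64-encoded
];
foreach ($probes as $p) {
    $out = vulnerablePage($p);
    printf("vulnerable  %-60s -> %s\n", $p, $out === '' ? '(executed, no output)' : $out);
}
// Decoding the php://filter response recovers the secret's source verbatim
echo "decoded     ", base64_decode(vulnerablePage($probes[2]), true), "\n";

// The same probes against the hardened router: only the allowlisted key works
foreach (['home', '../secret.php', $probes[2]] as $p) {
    printf("hardened    %-60s -> %s\n", $p, hardenedPage($p) ?? 'rejected');
}

// RFI additionally needs this to be On; it has been Off by default since PHP 5.2
printf("allow_url_include=%s\n", ini_get('allow_url_include') ? 'On' : 'Off');

// Tidy up the temp tree
foreach (["$root/app/pages/home.php", "$root/secret.php"] as $f) { unlink($f); }
foreach (["$root/app/pages", "$root/app", $root] as $d) { rmdir($d); }
```

The point of the hardened version is that the allowlist lookup happens before any filesystem call, and the realpath() containment check is a second, independent guard: even if the allowlist were later loosened to accept arbitrary names, a path that resolves outside pages/ is still refused. The php://filter probe is the one to reach for first when testing, because it proves the inclusion and leaks source without executing anything on the target.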

These vulnerabilities are most often found in PHP applications. They can lead to disclosure of a file's contents, arbitrary code execution, and malware being planted on the server.

File Inclusion vs. Directory Path Traversal

Directory Path Traversal is a vulnerability that occurs when an attacker can manipulate the file path used by an application to access files.

This manipulation allows attackers to traverse directories and access files or directories outside the intended scope. The vulnerability arises when an application doesn’t properly validate or sanitize user input when constructing file paths.

Directory Path Traversal is often the means of exploiting a File Inclusion vulnerability: if an attacker can manipulate the path passed to an include, they can point it at arbitrary local files and achieve LFI (Local File Inclusion).

The distinction is in what the application does with the file. Directory Path Traversal is about manipulating the filesystem path, and on a plain file-read endpoint it discloses the file's contents. File Inclusion vulnerabilities are about the file being pulled into and executed by the application, whether it comes from the local filesystem (LFI) or from a remote host (RFI).
