Local File Inclusion

What is Local File Inclusion?

Local File Inclusion (LFI) is a vulnerability in which a PHP application includes a file from the web server's own filesystem based on input that the user controls.
It arises when the page name handed to the include is not validated or sanitized properly, and an attacker exploits it simply by sending a modified HTTP request to the server from a web browser.
For example, if a developer reads a variable from the URL (a GET parameter) to select which file on the server to include, the PHP code may look like this:
 

Functions such as include are not vulnerable in themselves, but their misuse can cause serious security issues.

In the above script the include function includes a file from the 'board' subdirectory. The developer does not sanitize the page variable for characters such as periods and slashes (../ moves one directory up) and does not check whether the requested file is a web server system file. This allows an attacker to include any file that the web server process can read from the filesystem, resulting in critical information disclosure or, if the included file contains PHP code, arbitrary code execution.

For example, if the attacker modifies the page URL to:

The above URL will cause PHP to include the file

This modified URL will disclose the list of user accounts on the server.

The above URL will cause PHP to include the web server process's environment variables, which look as follows:

 

Some of these environment variables are derived from the attacker's own HTTP request and are therefore under the attacker's control. By placing PHP code in one of them and then including the environment, the attacker gets that code executed by the server and can gain shell access.

Following are the PHP functions used for file inclusion: include, include_once, require and require_once.

Some developers write their own filtering code against these attacks, such as the following:

 

Beware! The above code may seem like a good idea, but such PHP filters can be bypassed easily with a request like the following:
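The following is an added example and not the article's own filter code: a typical hand-rolled traversal filter of the kind the text warns about (a single-pass str_replace of "../", which is an assumption about what such filters look like) and the constructed inputs that defeat it. The target file name in the payloads is only illustrative.

```php
<?php
// Added example: a naive "../" stripping filter and why it fails.
// The filter shape is assumed; the payloads below are constructed.
function naive_filter(string $page): string
{
    // Removes every literal "../" in one left-to-right pass.
    return str_replace('../', '', $page);
}

// str_replace does not re-scan the output, so a payload that nests
// the sequence inside itself leaves a fresh "../" behind:
//   "....//"  -> remove the inner "../" -> "../"
//   "..././"  -> remove the inner "../" -> "../"
$payloads = [
    '../../etc/passwd',        // blocked: becomes "etc/passwd"
    '....//....//etc/passwd',  // bypass: becomes "../../etc/passwd"
    '..././..././etc/passwd',  // bypass: becomes "../../etc/passwd"
];

foreach ($payloads as $p) {
    printf("%-26s => %s\n", $p, naive_filter($p));
}
```

Looping the replacement until nothing changes closes this particular hole, but the underlying mistake remains: the attacker's string is still used to build a path. The allowlist and canonical-path checks in the next section avoid that altogether.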

Securing against Local File Inclusion vulnerabilities:

1. Select the file to include with an explicit if/else statement rather than using the parameter as part of a path. For example:

Or similarly you can use a switch statement:

 

2. In the code below

 

the attacker's request is encoded and results in the following error:

 

3. Use the realpath function in the code:

The realpath function returns the canonicalized absolute pathname on success; the resulting path has no symbolic link, '/./' or '/../' components. Note that realpath on its own does not stop the attack: it simply resolves a traversal payload to the real file it points at. The defense is to compare the canonical result against the directory you intend to serve from and refuse anything outside it, remembering that realpath returns false for a path that does not exist.

4. A further hardening step is to make sure the Apache service account cannot be used for interactive logins. We can change Apache's shell in the following way:

This prevents anyone from logging in as the Apache user. Note, however, that it does not stop the PHP process from reading its own environment, so treat it as defense in depth alongside the input validation above rather than as a fix for the inclusion itself.
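Putting the vulnerable pattern from the start of the article next to the fixes from points 1 and 3 above, as an added example that is not the article's own code. The parameter name "page", the "board" subdirectory and the page names in the allowlist are assumptions.

```php
<?php
// Added example. Vulnerable form this replaces (assumed shape):
//     include 'board/' . $_GET['page'];

// Fix 1: allowlist. The request parameter is only a lookup key; the
// attacker's bytes never become part of a filesystem path.
function include_from_allowlist(string $page): bool
{
    $pages = [
        'home'    => __DIR__ . '/board/home.php',
        'threads' => __DIR__ . '/board/threads.php',
        'profile' => __DIR__ . '/board/profile.php',
    ];
    if (!isset($pages[$page])) {
        http_response_code(404);
        return false;
    }
    include $pages[$page];
    return true;
}

// Fix 3: canonicalize, then check containment. realpath() alone is
// not a defense; the protection is the comparison with the base dir.
function include_within(string $baseDir, string $page): bool
{
    // Older PHP truncated paths at a NUL byte; newer PHP throws on it.
    if (strpos($page, "\0") !== false) {
        return false;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $page);
    // realpath() returns false for non-existent paths: deny.
    if ($base === false || $target === false) {
        return false;
    }
    // Compare with a trailing separator so that "/var/www/board2"
    // does not pass as being inside "/var/www/board". Symlinks are
    // resolved by realpath(), so a link escaping the directory fails.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only include PHP source, never logs, configs or the environment.
    if (pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        return false;
    }
    include $target;
    return true;
}

// Usage (assumed layout: board/ next to this script).
$page = $_GET['page'] ?? 'home';
if (!include_from_allowlist($page)) {
    echo 'Unknown page';
}
// Alternative: include_within(__DIR__ . '/board', $page . '.php');
```

The allowlist is the simpler and stronger of the two and should be preferred when the set of pages is known. The containment check is for cases where files are created dynamically; PHP's open_basedir setting gives the same kind of boundary at the interpreter level and is worth enabling as a second layer.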

 

Vikram Pawar

[email protected]

Vikram Pawar is a hacking and security enthusiast. He is currently pursuing a Bachelor's degree in Computer Science and Engineering at G.H. Raisoni Institute of Engineering and Technology (Pune).