Local File Inclusion is a method in PHP for including local files from the web server itself.
This becomes a vulnerability when the pages to be included from the web server are not sanitized properly. To exploit it, an attacker can send a modified HTTP request to the server using a web browser.
For example, suppose a developer uses a variable from the URL (i.e. a GET variable) to select a specific file on the server for inclusion. For example, the URL is
The sample PHP code for this may be:
In the above script, the include function tries to include a file from the ‘board’ subdirectory. The developer does not sanitize the page variable for characters such as periods and slashes (../, which is used for moving one directory up) and also does not check whether the file is a web server system file. This can allow the attacker to include a malicious file from the web server filesystem, resulting in critical information disclosure or arbitrary code execution.
For example, if the attacker modifies the page URL to:
The above URL will cause PHP to include file
This modified URL will disclose the list of all users on the server.
The above URL will cause PHP to include the environment variables, which look as follows:
Among the above environment variables, we can control and alter some of them, such as which we can tamper with to insert a PHP script and gain shell access.
The following are some of the PHP functions used for file inclusion:
Securing Local File Inclusion Vulnerabilities:
1. Always try to use an if/else statement in the following way. For example:
2. In the below code
4. A good way of restricting the inclusion of is to ensure that the Apache server doesn't have access to environment variables. We can change Apache's shell in the following way:
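
Returning to measure 1 (an if/else check on the requested page) and to the unsanitized `../` described earlier: both come down to never building the include path from raw input. The following is an added example, not code from the original page. The `board` directory and `page` parameter come from the article, while `resolve_page()`, the allowlisted page names and the temporary files are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: request value => file inside the 'board' directory.
const ALLOWED_PAGES = ['index' => 'index.php', 'rules' => 'rules.php'];

// Hypothetical helper: map a request value to a file that may be included,
// or return null. The request value itself never becomes part of the path.
function resolve_page(string $baseDir, $requested): ?string
{
    // $_GET values can be arrays, so check the type before the lookup.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or allowlisted file does not exist
    }
    // Defence in depth: the resolved file must still sit under the base
    // directory (catches a symlink that points somewhere else).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// In a page handler this would be used as:
//   $file = resolve_page(__DIR__ . '/board', $_GET['page'] ?? null);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

// Demo on a constructed temporary tree so the script runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/board', 0700, true);
file_put_contents($root . '/board/index.php', "<?php echo 'board index';\n");
file_put_contents($root . '/outside.php', "<?php echo 'not for inclusion';\n");

// Constructed request values: one valid page, one allowlisted page whose file
// is missing, traversal strings, an absolute path and an array.
$samples = ['index', 'rules', '../outside', 'index/../../outside', $root . '/outside.php', ['index']];
foreach ($samples as $sample) {
    $resolved = resolve_page($root . '/board', $sample);
    printf("%-28s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), $resolved ?? 'rejected');
}

unlink($root . '/board/index.php');
unlink($root . '/outside.php');
rmdir($root . '/board');
rmdir($root);
```

Only `index` resolves to a path; every other sample, including the allowlisted `rules` whose file is absent, is rejected before `include` would be reached.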