
File Inclusion Attack (LFI/RFI)

Local File Inclusion (LFI) and Remote File Inclusion (RFI)

Today’s article is about Local File Inclusion (LFI) and Remote File Inclusion (RFI).
If you have basic knowledge of SQL injection you probably know how we can inject our SQL queries into a vulnerable parameter.
We take advantage of vulnerable parameters in LFI and RFI too.

In SQL injection, we interact with the SQL database using SQL queries to retrieve sensitive data from the database. But in LFI/RFI we ask the webpage to open something for us; it could be a file on the server or a webpage (a webpage is a file too) from another website.
Enough theory! Now let's see what the heck LFI and RFI are.

Local File Inclusion (LFI)

Take a look at this URL:

The parameter in this case is view= and the value is /images/Haxor.jpg.
It means open.php is a webpage which loads different files (Haxor.jpg in this case) from the server. There can be many sensitive files on the server which can be accessed using open.php if the webpage is vulnerable to LFI.

You can open/execute any type of file (not folders) with LFI, which means you can read logs, configuration files and execute files if a webpage is vulnerable to Local File Inclusion. You can even hack into the server if the server admin is stupid enough to not configure things properly.

Remote File Inclusion (RFI)

What is the difference between Local File Inclusion and Remote File Inclusion?
Well, both vulnerabilities can be used to open things, but LFI is used to open files from the server where the website is hosted (locally), while RFI is used to open files from another server (remotely).
An attacker can easily host a malicious file on their own server and use the RFI vulnerability to run it on the victim website.

Take a look at this URL:

By looking at the above URL, one would guess that the parameter page= is loading webpages.
It is opening the home page, and similarly it may open other pages from the website. But if the webpage (get.php) is not programmed properly, then a hacker can replace home with a webpage of his choosing, like:

If everything goes well then get.php will try to open backdoor.php which will compromise the server (or something else, depends on what’s in it). It makes RFI a deadly vulnerability.
