DEV Community 👩‍💻👨‍💻

Cover image for Hacking: Local File Inclusion

Posted on

Hacking: Local File Inclusion

Linux is a widely popular system for hosting web apps. It's users often think that by using Linux on a server, that it is secure.

But, just because you use Linux on your server and are good at the shell commands, does not mean your web app is secure. Sure you may know how to use vim, but neither that will stop a hacker.

LFI (or File Inclusion) is a common vulnerability in web appps that provides access to files on the server in question. This allows an attacker to read files and sometimes to create or modify files on the target web server.

In this article I will explain a vulnerability known as local file inclusion (LFI) and how this hack is carried out.

LFI explained

With many server side programming languages, you can include files. In php that is often done with:

  • include
  • require
  • include_once
  • require_once

Lets say a web app has a parameter that lets you specify the file. The web app url can look like this:

And the code like this:

Enter fullscreen mode Exit fullscreen mode

By changing the url parameter file, the attacker can open different files on the server.

Give me an example

An attacker might change the url and read different files. These can include system files:
Enter fullscreen mode Exit fullscreen mode

So what, the attacker can read system files?

The attacker can get your username from /etc/passwd and your hashed password from /etc/shadow.

The hashed password can be cracked using crackstation, giving them full access to the server.

To prevent this as coder, always check and test user input (especially GET and POST variables)

The LFI vulnerability can also exist on other operating systems, but they store system files elsewhere.

To learn more about web hacking, you may like this course

Top comments (0)

👋 New to DEV?

Head over to our Welcome Thread and tell us a bit about yourself!