Linux is a widely popular system for hosting web apps. Its users often assume that running Linux on a server makes it secure.
LFI (or File Inclusion) is a common vulnerability in web apps that provides access to files on the server in question. This allows an attacker to read files and sometimes to create or modify files on the target web server.
In this article I will explain a vulnerability known as local file inclusion (LFI) and how this hack is carried out.
With many server-side programming languages, you can include files. In PHP that is often done with:
Let's say a web app has a parameter that lets you specify the file. The web app URL can look like this:
And the code like this:
<?php include($_GET["file"]); ?>
By changing the URL parameter file, the attacker can open different files on the server.
An attacker might change the URL and read different files. These can include system files:
http://webapp.dev/forum.php?file=/etc/passwd
http://webapp.dev/forum.php?file=../../../../../etc/passwd
http://webapp.dev/forum.php?file=/etc/shadow
http://webapp.dev/forum.php?file=/etc/issue
So what, the attacker can read system files?
The attacker can get your username from /etc/passwd and your hashed password from /etc/shadow.
The hashed password can be cracked using crackstation, giving them full access to the server.
To prevent this as a coder, always check and test user input (especially GET and POST variables).
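One way to apply this check to the include shown earlier, as an added example that is not code from the original article. The pages directory and the page names in the allow-list are assumptions made for illustration:

```php
<?php
// Added example: hardened replacement for include($_GET["file"]).
// PAGES_DIR and the page names below are hypothetical.
const PAGES_DIR = __DIR__ . '/pages';

// Allow-list: request value => file inside PAGES_DIR.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'forum' => 'forum_index.php',
    'help'  => 'help.php',
];

/**
 * Map the user-supplied value to a file path, or return null if rejected.
 */
function resolve_page($requested): ?string
{
    // Arrays (?file[]=x) and unknown names are rejected outright; the
    // user-supplied string itself is never used as part of a path.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    // Defence in depth: resolve symlinks and ".." segments, then confirm
    // the resulting path is still inside PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['file'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this in place, the requests listed earlier (file=/etc/passwd, file=../../../../../etc/passwd) are not keys in the allow-list and receive a 404 instead of file contents.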
The LFI vulnerability can also exist on other operating systems, but they store system files elsewhere.