Linux is a widely popular system for hosting web apps. It's users often think that by using Linux on a server, that it is secure.
But, just because you use Linux on your server and are good at the shell commands, does not mean your web app is secure. Sure you may know how to use vim, but neither that will stop a hacker.
LFI (or File Inclusion) is a common vulnerability in web appps that provides access to files on the server in question. This allows an attacker to read files and sometimes to create or modify files on the target web server.
In this article I will explain a vulnerability known as local file inclusion (LFI) and how this hack is carried out.
LFI explained
With many server side programming languages, you can include files. In php that is often done with:
- include
- require
- include_once
- require_once
Lets say a web app has a parameter that lets you specify the file. The web app url can look like this:
http://webapp.dev/forum.php?file=myCV.pdf
And the code like this:
<?php
include($_GET["file"]);
?>
By changing the url parameter file, the attacker can open different files on the server.
Give me an example
An attacker might change the url and read different files. These can include system files:
http://webapp.dev/forum.php?file=/etc/passwd
http://webapp.dev/forum.php?file=../../../../../etc/passwd
http://webapp.dev/forum.php?file=/etc/shadow
http://webapp.dev/forum.php?file=/etc/issue
So what, the attacker can read system files?
The attacker can get your username from /etc/passwd and your hashed password from /etc/shadow.
The hashed password can be cracked using crackstation, giving them full access to the server.
To prevent this as coder, always check and test user input (especially GET and POST variables)
The LFI vulnerability can also exist on other operating systems, but they store system files elsewhere.
To learn more about web hacking, you may like this course
Top comments (0)