DEV Community

BigCoder
Hacking: Local File Inclusion

Linux is a widely popular system for hosting web apps. Its users often assume that running Linux on a server makes the server secure.

But just because you run Linux on your server and are good with shell commands does not mean your web app is secure. Sure, you may know how to use vim, but that will not stop a hacker either.

LFI (Local File Inclusion) is a common vulnerability in web apps that gives access to files on the server in question. It allows an attacker to read files and sometimes to create or modify files on the target web server.

In this article I will explain a vulnerability known as local file inclusion (LFI) and how this hack is carried out.

LFI explained

Many server-side programming languages let you include files. In PHP that is often done with:

  • include
  • require
  • include_once
  • require_once

Let's say a web app has a parameter that lets you specify the file. The web app URL can look like this:

http://webapp.dev/forum.php?file=myCV.pdf

And the code like this:

```php
<?php
    // Vulnerable on purpose: the request parameter is passed straight to include()
    include($_GET["file"]);
?>
```

By changing the URL parameter file, the attacker can open different files on the server.

Give me an example

An attacker might change the URL and read different files. These can include system files:

http://webapp.dev/forum.php?file=/etc/passwd
http://webapp.dev/forum.php?file=../../../../../etc/passwd
http://webapp.dev/forum.php?file=/etc/shadow
http://webapp.dev/forum.php?file=/etc/issue

So what, the attacker can read system files?

The attacker can get your username from /etc/passwd and your hashed password from /etc/shadow.

The hashed password can be cracked using crackstation, giving them full access to the server.

To prevent this as a developer, always validate and test user input (especially GET and POST variables).
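One way to harden the include() shown above, as an added example that is not code from the original post: the request value is only accepted if it is in an allowlist, and the resolved path is then checked to still sit inside the pages directory (the `pages` directory and the allowlisted file names are assumptions).

```php
<?php
// Added example, not from the original post: hardened replacement for
// include($_GET["file"]). Two layers: an explicit allowlist of file names,
// and a realpath() check that the resolved file stays inside $baseDir.

// Assumption: includable files live in this directory (hypothetical path).
$baseDir = realpath(__DIR__ . '/pages');

// Allowlist of file names the forum page is permitted to include.
$allowed = ['myCV.pdf', 'rules.php', 'about.php'];

/**
 * Resolve a user-supplied file name to a safe absolute path, or return null.
 * Rejects names not in the allowlist and anything whose canonical path is
 * outside $baseDir (realpath() also resolves ".." and symlinks).
 */
function resolveInclude(string $name, array $allowed, string $baseDir): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;                      // not in the allowlist
    }
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($path === false) {
        return null;                      // file does not exist
    }
    // Canonical path must start with "$baseDir/" to be inside the directory.
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                      // escaped the base directory
    }
    return $path;
}

$file = resolveInclude((string)($_GET['file'] ?? ''), $allowed, $baseDir);
if ($file === null) {
    http_response_code(404);             // treat anything unexpected as "not found"
    exit('Unknown file');
}
include $file;
```

With this in place, a request for `../../../../../etc/passwd` or `/etc/shadow` fails the allowlist check before any path is touched, and a future mistake in the allowlist is still caught by the directory check.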

The LFI vulnerability can also exist on other operating systems, but they store system files elsewhere.

To learn more about web hacking, you may like this course
