Local File Inclusion (LFI) is exploited by supplying, in the URL, a path to a file on the local web server that hosts the web application. An application with this vulnerability lets directory traversal characters (such as dot-dot-slash) be injected into that path.
Consider the following example:
http://domain_name/index.php?file=hackme.html
What if I can change the hackme file to another file on the web server system? Let's check it out!
http://domain_name/index.php?file=../../../../etc/passwd
Interesting, right? This will load the passwd file on a Linux web server. Let's see a more concrete example using Mutillidae:
- Browse to the Mutillidae homepage and select OWASP 2017 from the left menu, then Broken Access Control | Insecure Direct Object References, and after that, click on Arbitrary File Inclusion:
- Look at the URL. Do you see the same pattern that we just saw together?
- Let's try to see whether we can display a file from the server:
Voila! I just exploited this vulnerability. Now, try it yourself.
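The defensive counterpart to the file= parameter shown above, as an added example that is not code from this page or from Mutillidae: the vulnerable pattern in a comment, next to a resolver that only serves files that canonicalise to a location inside one directory. The pages directory, the resolve_page function and the .html-only naming rule are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Assumed location of the pages the application is allowed to serve.
const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable pattern behind the URLs above, shown for contrast only:
//   include $_GET['file'];   // a value with ../ sequences leaves the web root

/**
 * Map a user-supplied page name to a file inside $baseDir, or return null.
 * resolve_page() is a hypothetical helper, not a PHP or Mutillidae function.
 */
function resolve_page(string $requested, string $baseDir = PAGES_DIR): ?string
{
    // 1. Accept only a plain file name: no slashes, no dots except the suffix.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise both paths so symlinks and ".." are resolved by the OS.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. The canonical path must still start with the canonical base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs, checked against a throwaway directory.
    $dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/hackme.html", '<p>ok</p>');
    $samples = ['hackme.html', '../../../../etc/passwd', '/etc/passwd', 'missing.html'];
    foreach ($samples as $in) {
        printf("%-26s => %s\n", $in, resolve_page($in, $dir) === null ? 'rejected' : 'served');
    }
    unlink("$dir/hackme.html");
    rmdir($dir);
} else {
    $file = $_GET['file'] ?? 'hackme.html';
    $page = is_string($file) ? resolve_page($file) : null;   // file[]=x arrives as an array
    if ($page === null) { http_response_code(404); exit('Not found'); }
    readfile($page);   // sent as data; include would execute any PHP in the file
}
```

Run it with the PHP CLI to see which of the sample inputs are served and which are rejected; behind a web server the same file handles the file= parameter.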