Local File Inclusion

In a Local File Inclusion (LFI) vulnerability, files local to the server are accessed by the include function without proper validation; that is, files containing server code are included in a page and their code is executed. File inclusion is a very practical feature for developers, as they can reuse code and optimize their resources. The problem arises when user-provided parameters are used to select the files to be included and insufficient or no validation is performed. Many people confuse an LFI flaw with a path traversal flaw. Although an LFI flaw often exhibits the same traits as a path traversal flaw, the application treats the two flaws differently. With the path traversal flaw, the application will only read and display the contents of the file. With the LFI flaw, instead of displaying the contents, the application will include the file as part of the interpreted code (the web pages making up the application) and execute it.

In the path traversal vulnerability explained earlier, we used the File Inclusion exercise from DVWA and actually performed an LFI when we used ../../index.php as the parameter and the index.php page was interpreted as code. Nonetheless, including files that are already on the server and that serve a legitimate purpose for the application sometimes doesn't pose a security risk, unless an unprivileged user is able to include an administrative page. In the case where all pages on the server are innocuous, how can you as a penetration tester demonstrate that allowing the inclusion of local files is a security issue? You need to upload a malicious file and use it to exploit the LFI further.

The malicious file that we will upload is a webshell, a script that runs on the server and lets us execute operating system commands remotely. Kali Linux includes a collection of webshells in the /usr/share/webshells directory. For this exercise, we will use simple-backdoor.php (/usr/share/webshells/php/simple-backdoor.php).

Go to the File Upload exercise of DVWA, and upload the file. Note the relative path shown when the file is uploaded:

If the upload script is in /dvwa/vulnerabilities/upload/, relative to the web server root, according to the relative path shown, the file should be uploaded in /dvwa/hackable/uploads/simple-backdoor.php. Now go back to the File Inclusion exercise, and change the page parameter to ../../hackable/uploads/simple-backdoor.php:

OK, admittedly we do not get a spectacular result. Let's check the webshell's code:

You need to pass a parameter to the webshell with the command that you want to execute, but in file inclusion, the code of the included file is integrated with the file including it, so you can't just add ?cmd=command as the usage instructions say. Instead, you need to add a cmd parameter as if you were sending it to the including page:

http://10.7.7.5/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/simple-backdoor.php&cmd=uname+-a

You can also chain multiple commands in a single call using ; (the semicolon) as a separator:

http://10.7.7.5/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/simple-backdoor.php&cmd=uname+-a;whoami;/sbin/ifconfig
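
Seen from the defender's side, requests like the two above stand out in the web server's access log: the page parameter resolves outside the directory of the including script and into the upload directory, and an extra parameter rides along to the included file. The following Python check is an added example, not part of the original text; the access-log format, the allowed include directory, include.php as a legitimate page name, and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed for this example (not from the original text): access-log format,
# the include parameter name, and the directory legitimate includes live in.
INCLUDE_PARAMS = {"page"}
ALLOWED_DIR = "/dvwa/vulnerabilities/fi"
UPLOAD_DIR = "/dvwa/hackable/uploads"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; client address and timestamps are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4100',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/'
    '?page=../../hackable/uploads/simple-backdoor.php&cmd=uname+-a HTTP/1.1" 200 4300',
]


def resolve_include(request_path, value):
    """Resolve an include value relative to the including script's directory."""
    base = request_path if request_path.endswith("/") else posixpath.dirname(request_path)
    return posixpath.normpath(posixpath.join(base, value))


def inspect_line(line):
    """Return the findings for one access-log line (empty list if clean)."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # parse_qs percent-decodes values, so %2e%2e/ is treated like ../
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in sorted(INCLUDE_PARAMS & params.keys()):
        for value in params[name]:
            target = resolve_include(url.path, value)
            if not (target + "/").startswith(ALLOWED_DIR + "/"):
                findings.append(f"include leaves {ALLOWED_DIR}: {target}")
            if (target + "/").startswith(UPLOAD_DIR + "/"):
                findings.append("include resolves into the upload directory")
                extra = sorted(set(params) - INCLUDE_PARAMS)
                if extra:
                    findings.append(f"extra parameters reach the included file: {extra}")
    return findings


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        for finding in inspect_line(line):
            print(f"line {number}: {finding}")
```

The same resolve-then-compare logic is what the application itself should apply before calling include: compare the resolved path against the allowed directory rather than filtering the raw string.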