LFI (Local File Inclusion)
This is where you read local files by directly calling it's location.
Vulnerability Name: Local File Inclusion on [Parameter] at [Domain name]
Vulnerability Description: An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the webserver. Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.
Steps to Reproduce:
- 1.Go to the [URL].
- 2.Change the value of [param] to the above payload.
- 3.Check the response and you will see the content of the mentioned file.
Snapshots or video link attached.
- 1.An attacker can read any files from the server.
- 2.An attacker might able to execute system commands.
Attack Scenario: Here due to an unsafe parameter and poor user input validation an attacker can read system files by calling them through the [parameter]. This sometimes may lead to Command injection.
Remediation: To avoid LFI and many other vulnerabilities, never trust user input. If you need to include local files in your website or web application code, use a whitelist of allowed file names and locations. Make sure that none of these files can be replaced by the attacker using file upload functions.