
Local file inclusion

Local file inclusion (LFI) is a vulnerability in which files on a server that are not meant to be publicly accessible are leaked to a client.

Vulnerability

If untrusted user input is used to determine which file an application reads, an LFI vulnerability may occur.

Here's an example Flask application that's vulnerable to LFI:

```py
from flask import Flask, request, render_template

app = Flask(__name__)


@app.route('/article', methods=['GET'])
def article():
    # user-controlled: the `name` query parameter selects the file to read
    if 'name' in request.args:
        page = request.args.get('name')
    else:
        page = 'article'

    try:
        # `page` is never validated, so '../' sequences escape ./articles (the LFI)
        template = open(f'./articles/{page}').read()
    except Exception as e:
        template = e

    return render_template('article.html', template=template)
```

The user controls the page variable via the name query parameter.
By setting the name query parameter to ../../../../<file>, an attacker can read files outside the intended articles directory.

Exploitation

Files of interest:

  • /etc/passwd: Probably the first thing to check
  • /proc/self/environ: Environment variables
  • /proc/self/cmdline: The command line the process was started with (can expose the absolute path of the application)
  • Source code for the program
  • Dockerfile
  • /etc/hosts: Hints at whether the application is running in Docker
  • ~/.bashrc, ~/.bash_history
  • ~/.ssh/config, ~/.ssh/id_rsa

PHP Stuff

Python

  • os.path.join("anything", "/") == "/": os.path.join discards every preceding component once it meets an absolute one, so joining a base directory with user-supplied input does not confine the result to that directory.
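The following is an added example, not code from the original page, covering both the vulnerable Flask pattern in the Vulnerability section and the os.path.join note above. It drops the Flask dependency so it runs stand-alone: unsafe_article_path reproduces the page's concatenation (and the join pitfall), while safe_article_path resolves the candidate with realpath and checks containment with commonpath. All function names, the temp directory and the "article" file are constructed for the example.

```python
import os
import tempfile

# Added example (not from the original page). All names below are hypothetical.


def unsafe_article_path(base_dir: str, name: str) -> str:
    """The page's pattern without Flask: user input is joined straight onto the base.

    This also exhibits the os.path.join pitfall: an absolute `name` discards base_dir.
    """
    return os.path.join(base_dir, name)


def safe_article_path(base_dir: str, name: str) -> str:
    """Resolve `name` under base_dir and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks, so containment is checked on
    the path the OS would actually open, not on the string the user sent.
    commonpath() (rather than startswith) avoids the '/articles2' prefix trap.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: certainly outside
        inside = False
    if not inside or candidate == base:
        raise PermissionError(f"refusing path outside article directory: {name!r}")
    return candidate


def read_article(base_dir: str, name: str) -> str:
    """Hardened replacement for open(f'./articles/{page}').read()."""
    with open(safe_article_path(base_dir, name), encoding="utf-8") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed articles directory in a temp dir and exercise both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        articles = os.path.join(tmp, "articles")
        os.mkdir(articles)
        with open(os.path.join(articles, "article"), "w", encoding="utf-8") as fh:
            fh.write("hello")

        results = {
            # join() throws the base away as soon as it sees an absolute component
            "unsafe_absolute": unsafe_article_path(articles, "/etc/passwd"),
            # traversal leaves the base directory entirely
            "unsafe_traversal_escapes": not os.path.normpath(
                unsafe_article_path(articles, "../../../../etc/passwd")
            ).startswith(articles + os.sep),
            "safe_ok": read_article(articles, "article"),
        }
        # the hardened resolver: one legitimate name, then the usual escape attempts
        for name in ("article", "/etc/passwd", "../../../../etc/passwd", "..", ""):
            try:
                safe_article_path(articles, name)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

Resolving with realpath before the containment check is what makes the function robust to symlinks placed inside the articles directory; a check on the raw string would pass a link that points elsewhere. Rejecting candidate == base also stops the directory itself from being handed to open().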