Thursday, 21 April 2011

Local File Inclusion (LFI)

Local File Inclusion is a common website hacking trick. This tutorial will show you how to exploit a website using LFI.
First of all, take a look at the given PHP code.

The code given above is commonly used by web developers on many websites, but it should not be used, because $page isn't sanitized and is passed directly to include(). Hackers use this code for LFI.

In general, you have seen many URLs like this:
The value passed through the query string is used to include the products.php page by the PHP code given above, without checking the format of the value inserted in the URL.
Suppose we change the URL like this:
This mypage.php does not exist on the server, so a PHP error message is shown on the webpage:

Warning: include() [function.include]: Failed opening 'mypage.php' for inclusion.........

Here we go: the error shows that the value from the URL reaches include() unchecked, so we know this is vulnerable.

If this website is hosted on a Unix server, then we might be able to do a directory traversal to the password file.

The /etc/passwd file is where the users/passwords are stored.

Try adding ../ until you get access to the passwd file.
Note one thing here.
If the URL is like this:

then it means that the PHP code is adding the page extension itself. So the PHP code is like this:


in this case use for null extension at last.
And so on.
After some effort you will be able to get the contents of the password file.

To understand the contents of 'passwd' file, visit

You can also view 


These files will also give you some useful information about the server system.

Counter Measures

1. Use the latest web server software 
2. Effectively filter the user's input
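
One way to implement counter measure 2, as an added example that is not code from the original post: the page parameter is matched against an allow-list and the resolved path is checked to sit inside a single directory before it is included. The names `PAGES_DIR`, `ALLOWED_PAGES` and `resolve_page()` and the page list are hypothetical.

```php
<?php
// Added example, not from the original post. PAGES_DIR, ALLOWED_PAGES and
// resolve_page() are hypothetical names chosen for illustration.
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';               // assumed: only includable pages live here
const ALLOWED_PAGES = ['home', 'products', 'contact'];  // assumed: the site's real page names

/**
 * Map a user-supplied page name to a file that is safe to include,
 * or return null when the request must be refused.
 */
function resolve_page(string $requested): ?string
{
    // 1. Allow-list: only an exact, known name passes. A value containing
    //    "../", an absolute path, a null byte or a stream wrapper never matches.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise both paths and confirm the target
    //    really sits inside PAGES_DIR (also catches symlinks pointing outside).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x arrives as an array, so check the type before resolving.
$raw  = $_GET['page'] ?? 'home';
$file = is_string($raw) ? resolve_page($raw) : null;

if ($file === null) {
    // Generic response: the visitor never sees an include() warning.
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

Setting `display_errors = Off` in php.ini on production servers also keeps warnings like the "Failed opening ... for inclusion" message shown earlier out of the page.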
