In this lab, you will learn about local file inclusion (LFI) vulnerabilities in web applications. The goal is to understand what LFI is, how it can be exploited, and how to prevent it. The lab provides a hands-on environment where you can practice exploiting and mitigating LFI vulnerabilities.
In this step, you will learn about the concept of local file inclusion vulnerabilities.
Local file inclusion (LFI) is a type of vulnerability that occurs when a web application includes files from the local file system based on user input. If the application does not properly sanitize the user input, an attacker can craft a malicious input to include arbitrary files on the server, potentially revealing sensitive information or executing malicious code.
Here's an example of a vulnerable PHP code:
<?php
$file = $_GET['page'];
include($file);
?>In this code, the $file variable is assigned the value of the page parameter from the URL query string. The include function then includes the file specified by $file. If an attacker can control the value of $file, they can potentially include any file on the server's file system.
In this step, you will learn how to exploit a local file inclusion vulnerability.
The lab environment provides a vulnerable web application called DVWA (Damn Vulnerable Web Application). You will use this application to practice exploiting LFI vulnerabilities.
sudo virsh start Metasploitable2.http://192.168.122.102/dvwa.admin, password: password)./etc/passwd file by entering ../../../../../../etc/passwd in the "Page" field.You should see the contents of the /etc/passwd file displayed on the web page.
In this step, you will learn how to mitigate local file inclusion vulnerabilities.
One way to mitigate LFI vulnerabilities is to sanitize user input by removing or encoding any path traversal sequences (e.g., ../, ..\\). This can be done using input validation and filtering techniques.
Here's an example of how to sanitize user input in PHP:
<?php
$file = str_replace('../', '', $_GET['page']);
$file = str_replace('..\\', '', $file);
include($file);
?>In this code, the str_replace function is used to remove any occurrences of ../ and ..\\ from the $file variable before including the file.
Another mitigation approach is to use a whitelist of allowed files instead of allowing arbitrary file inclusion. This can be done by explicitly specifying the list of files that can be included.
<?php
$allowed_files = array('file1.php', 'file2.php', 'file3.php');
if (in_array($_GET['page'], $allowed_files)) {
include($_GET['page']);
} else {
echo 'Invalid file requested';
}
?>In this code, the in_array function checks if the requested file ($_GET['page']) is present in the $allowed_files array. If the file is allowed, it is included; otherwise, an error message is displayed.
In this lab, you learned about local file inclusion (LFI) vulnerabilities in web applications. You understood the concept of LFI and how it can be exploited by including arbitrary files on the server. You practiced exploiting an LFI vulnerability in a vulnerable web application and including sensitive system files. Additionally, you learned two methods to mitigate LFI vulnerabilities: input sanitization and whitelisting allowed files. By completing this lab, you gained practical experience in identifying, exploiting, and mitigating LFI vulnerabilities, which is a crucial skill in web application security.