LFI Bypass Techniques

TL;DR

Local File Inclusion (LFI) vulnerabilities allow attackers to include files on a server. Filters often block common paths, but there are ways around them. This guide shows techniques to bypass these filters and read sensitive files.

Understanding LFI & Filters

LFI happens when an application uses user-supplied input directly in a file inclusion function (like include() or require() in PHP). Filters try to prevent access to restricted areas of the filesystem. Common filters block characters like ../, slashes (/), and potentially null bytes (%00).

Bypass Techniques

1. URL Encoding:

• Filters might not decode URL-encoded characters. Try encoding forward slashes as %2f, dots as %2e and double dots as %2e%2e.
• Example: Instead of ../etc/passwd try %2e%2e%2fetc%2fpasswd.

Double URL Encoding:

• Some filters decode only once. Double encoding (encoding the already encoded characters) can bypass this.
• Example: %252e%252e%252fetc%252fpasswd

Trailing Slashes and Dot-Dot Slicing:

• Sometimes, adding a trailing slash can help. /var/log/../etc/passwd/ might work when ../etc/passwd is blocked.
• Another variation: /var/log/...//../etc/passwd

Null Byte Injection (%00):

• In older PHP versions (before 5.3.4), a null byte could terminate the string, ignoring anything after it.
• Example: /var/log/apache2/access.log%00. This would read only /var/log/apache2/access.log.

Path Variable Manipulation:

• If the application uses environment variables in file paths, try manipulating them. This is less common but can be effective.

Wrapper Functions (PHP):

• PHP has various wrapper functions that can bypass filters:
• php://filter: Allows you to apply filters to the file content. Not directly for bypassing path restrictions, but useful after reading a file.
• data://: Allows embedding data directly in the URL (less relevant for LFI).
• phar://: Can be used to create and include archives; complex bypasses are possible.

Using Alternative Path Representations:

• Try using symbolic links if they exist on the server.
• If the application uses a different path representation (e.g., UNC paths on Windows), explore those options.

Log File Poisoning:

• If you can inject data into log files that are later included, you can include your own malicious content. This is an indirect LFI bypass.

Example PHP Code (Vulnerable)

Important Considerations

• Server Configuration: The effectiveness of these techniques depends heavily on the server’s operating system, PHP version, and configuration.
• Error Messages: Pay attention to error messages; they can reveal valuable information about the filtering rules in place.
• File Permissions: Even if you bypass the filter, you still need appropriate file permissions to read the target file.