An LFI (Local File Inclusion) attack aims to access files and directories that are stored outside the web-root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files.
Its severity depends on what information is disclosed. A successful LFI attack can lead to XSS and RCE. Whenever an application takes a file path as input, an attacker will try to inject a malicious shell and get their script executed. It happens because the web application allows user input to flow into file operations, or allows files to be uploaded to the server.
Now, if in the above case the server is running with high privileges, the attacker is able to obtain sensitive information from the server. For traversal we use ‘../’ sequences; the number of ‘../’ sequences needed depends on the configuration and location of the target web server on the victim machine.
Types of inclusion:
RFI: When the web application downloads and executes a remote file. For RFI, two settings must be enabled in PHP’s configuration file:
· allow_url_fopen
· allow_url_include
This usually doesn’t happen, because most servers disable these settings by default.
LFI: Same as RFI, but the included file is local to the server rather than remote.
Working:
· The attacker inserts a payload into the web application.
· Because the web application performs no validation, it processes that payload.
· The attacker then receives the contents of the file they wanted to fetch from the server.
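The missing validation in the second step above is where the defence belongs. The following is an added example, not code from the original post: a Python check that canonicalises a user-supplied page name against an assumed web root and allowlist, rejecting the ‘../’ runs, encoded variants, absolute paths and null bytes described above. The web root and allowlist values are assumptions chosen for the demonstration.

```python
import os
from urllib.parse import unquote

# Assumed values for the demonstration: the folder pages are served from,
# and the only page names the application should ever include.
WEB_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = {"home.php", "about.php", "contact.php"}


def resolve_page(user_value, web_root=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Return the absolute path to include, or None if the value is rejected.

    Each check below closes one of the traversal variations the text lists;
    the allowlist at the end stops anything the earlier checks did not.
    """
    # Decode once so %2e%2e%2f-style encodings are judged on their real bytes.
    decoded = unquote(user_value)
    # A null byte was historically used to cut off a suffix the code appends;
    # no legitimate page name contains one.
    if "\x00" in decoded:
        return None
    # An absolute path (Unix or Windows style) never names a page in the root.
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        return None
    # Canonicalise and confirm the result still lives under the web root;
    # this collapses any number of ../ sequences before the comparison.
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # Even inside the root, only allowlisted pages directly under it may load
    # (catches tricks such as "....//" that survive normalisation as names).
    if os.path.dirname(candidate) != root:
        return None
    if os.path.basename(candidate) not in allowed:
        return None
    return candidate


# Constructed request values a defender would expect to see, with verdicts.
SAMPLE_INPUTS = [
    "home.php",                  # accepted
    "../../../etc/passwd",       # plain traversal: rejected
    "..%2F..%2Fetc%2Fpasswd",    # URL-encoded traversal: rejected
    "/etc/passwd",               # absolute path: rejected
    "home.php%00.txt",           # null-byte truncation attempt: rejected
    "....//....//etc/passwd",    # filter-evasion variant: rejected
]

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        print(f"{value!r:30} -> {resolve_page(value)}")
```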