Local File Inclusion (LFI) is when a website can access or serve files on its web server's local file system through its URL parameters. If the server does not sanitize and filter the requested parameter, an attacker could possibly access any file on the web server. This could lead to data exposure or even privilege escalation. Any time a parameter looks like it's file related, it could be an indication of file inclusion.
When we see a website access pages from a parameter like ?page=home, we can assume that each webpage might be an individual file being served directly from the web server's file system. In this instance we can try directory traversal to access files on the web server through this parameter.
Directory Traversal
Now that we have a parameter that appears to serve a file, we can attempt directory traversal to navigate the file system using ../ within the parameter in question. The ../ functions similarly to the cd ../ command in Linux, moving you back one directory from your current working directory.
On a Linux server, a website is typically served from the /var/www/html directory. To access the server's root directory from the website's root directory, you would need to traverse back three directories. For example: example.com?page=home is served from the website's root directory. If the URL were example.com/site?page=home, you would need to traverse back an extra directory, making it four directories in total.
Now let's view the password file using directory traversal. The passwd file is stored in the /etc directory, which is accessed from the root directory on Linux. So, we would have to navigate back three directories to the root directory, and then into the /etc directory to access the passwd file. The ../ works just like cd ../ on Linux, taking you back a directory from the one you're currently in.
http://example.com?page=../../../etc/passwd
If the website isn't filtering out all directory traversal attempts, you should be able to see the web server's passwd file. Note that the web server may not always be served from the same directory if configured differently, so we may have to traverse back more or fewer than three times; it's always good to try traversing back several times instead of just three.
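To make the "three directories back from /var/www/html" arithmetic concrete, here is an added example (not code from the original post) that models a naive page-include lookup with pure path arithmetic, shows why ../../../etc/passwd lands on /etc/passwd, and then shows the check a defender adds so the resolved path can never leave the document root. WEB_ROOT and the function names are assumptions for this example; nothing here touches the real filesystem, so it runs offline.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example; matches the typical Linux layout discussed above.
WEB_ROOT = "/var/www/html"


def resolve_page(page: str, web_root: str = WEB_ROOT) -> str:
    """Mimic a naive include of the ?page= parameter: join it onto the document root
    and collapse ../ segments exactly as the filesystem would.  Note that an absolute
    value (e.g. /etc/passwd) replaces the root entirely, just as os.path.join would."""
    return posixpath.normpath(posixpath.join(web_root, page))


def traversal_depth(web_root: str) -> int:
    """How many ../ are needed to climb from web_root to /  (3 for /var/www/html)."""
    return len([part for part in web_root.split("/") if part])


def safe_resolve(page: str, web_root: str = WEB_ROOT):
    """Hardened lookup: serve the file only if its normalized path is still inside
    web_root.  Returns the path, or None when the request escapes the document root
    (via ../ chains, an absolute path, or a prefix trick like /var/www/html2)."""
    root = posixpath.normpath(web_root)
    resolved = resolve_page(page, root)
    if resolved == root or resolved.startswith(root + "/"):
        return resolved
    return None


def looks_like_traversal(param_value: str) -> bool:
    """Detection helper for log review: URL-decode the value (catching %2e%2e encodings)
    and flag any '..' path segment."""
    decoded = unquote(unquote(param_value))  # double-decode to catch %252e style encoding
    return any(segment == ".." for segment in decoded.replace("\\", "/").split("/"))


if __name__ == "__main__":
    print(traversal_depth(WEB_ROOT), "levels from", WEB_ROOT, "to /")
    for value in ("home", "../../../etc/passwd", "/etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{value!r:45} naive={resolve_page(unquote(value))!r:20} "
              f"safe={safe_resolve(unquote(value))!r} flagged={looks_like_traversal(value)}")
```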
Clear Up Confusion
Before we move any further, I want to go more into depth on identifying file inclusion on a website. When I first learned this, I was confused about the difference between a parameter that fetches an item from a database and one that fetches a file from the server. So, let's look at some examples.
Accessing files from a parameter.
- http://example.com/view.php?file=example.txt
- http://example.com/index.php?page=home
- http://example.com/load.php?config=default
- http://example.com/index.php?language=en
Accessing database items from a parameter.
- http://example.com/user.php?id=123
- http://example.com/product.php?product_id=456
- http://example.com/search.php?query=books
Justifying The Means
This isn't bulletproof, but notice that in the second list of examples, id appears in the parameters; this is a good giveaway that the parameter is probably looking up data in a database. Now notice in the first list how the parameters seem file related: it's possible that these parameters are serving files from the server's local file system. Knowing this, we could test for file inclusion on the parameters from the first list.