Introduction

In certain instances, we need to grab the contents of files that are either on the local filesystem or at remote locations. An example I can think of is a simple avatar/profile picture that gets stored on the local filesystem. Usually this doesn't happen anymore, but it makes our issue easy to demonstrate.

Make a connection

THE SERVER GETS ERASED EVERY 24 HOURS

Let's create an LFI

Create a file on the server with the following content. Name it anything you'd like, just remember the name for later.

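<?php
// Deliberately vulnerable: the request parameter is used as a file path without any validation.
// Only run once the form has been submitted, so the first page load does not raise warnings.
if (isset($_GET["field2_name"])) {
    $filePath = $_GET["field2_name"];
    $url = $filePath;

    // Open whatever path the user supplied and read the whole file.
    $file = fopen($url, "r");
    $filecontent = fread($file, filesize($url));
    fclose($file);

    echo '<div class="comment">' . $filecontent . '</div>';
}
?>
<form id="comment_form" method="GET">
<input type="text" class="text_cmt" name="field2_name" id="file"/>
<input type="submit" name="submit" value="submit" id="getData"/>
<input type="hidden" name="parent_id" id="parent_id" value="0"/>
</form>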

Also create a file on the server named “test.txt” with any content as long as it’s not empty.

Let's hack it

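We can easily hack this by requesting "test.txt" through the form: the script passes the value of field2_name straight to fopen() and echoes whatever it reads.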

Let's secure it

Securing this is very hard. We can give some general tips, which follow in the next section; it's usually best to stick to them.
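
The file read from the snippet above, restricted to a single directory, as an added example that is not part of the original page. It assumes the readable files live in a "files" directory next to the script; BASE_DIR and read_allowed_file() are hypothetical names.

```php
<?php
// Added example, not from the original page. BASE_DIR and
// read_allowed_file() are hypothetical names chosen for illustration.
const BASE_DIR = __DIR__ . '/files'; // assumed: the only directory users may read from

function read_allowed_file(string $name): ?string
{
    // Reject empty names, NUL bytes and stream wrappers (php://, http://, ...).
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        return null;
    }

    $base = realpath(BASE_DIR);
    // realpath() resolves "..", "." and symlinks; it returns false if the target does not exist.
    $path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }

    // The resolved path must still be inside BASE_DIR and must be a regular file.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }

    $content = file_get_contents($path);
    return $content === false ? null : $content;
}

if (isset($_GET['field2_name']) && is_string($_GET['field2_name'])) {
    $content = read_allowed_file($_GET['field2_name']);
    if ($content === null) {
        // Same response for "missing" and "not allowed", so the reply does not reveal which paths exist.
        http_response_code(404);
        echo '<div class="comment">File not available.</div>';
    } else {
        // Encode on output so file contents cannot inject markup into the page.
        echo '<div class="comment">' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</div>';
    }
}
```

The check runs on the resolved path rather than on the raw parameter, so filtering the input string for "../" is not what the protection relies on.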

Tips

Resources