-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathFile Inclusion
36 lines (18 loc) · 1.14 KB
/
File Inclusion
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
File Inclusion
Summary :An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.
Severity : High
Complexity : Easy
From : Remote / External
Steps to Reproduce:
1. Attacker identfies a vulnerable injection point (parameter)
2. Attacker tries to read and execute the internal file
3. Attacker is successfully able to perfrom File Inclusion Attack
Proof of Concept : Attached in the Video
Impact : An Adversary can carry out Directory Listing to gain sensitive information from the target server
Affected IP's : IP Address Port
https://www.example.com/ 443
Recommendations :
The application should have proper whitelist of files and ignore every other filename and path.
References :
https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/
Proof of Concept :