Web 3: Local File Inclusion

by Audrey Emis

Every directory on a Linux file system, even a seemingly empty one, contains two built-in entries: . represents the current directory and .. (written ../ in a path) represents the parent directory. Some web apps take file paths as input from users, which can expose sensitive data if a user supplies the right input. A user can use "../" to reach parent directories, all the way up to the root directory, where many more files are accessible. This vulnerability is caused by weak input sanitization or other interesting loopholes in the code. Today, we'll learn about LFI and work through some challenges that cover different LFI techniques!
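To make the root cause concrete, here is an added example (not from the slides or the challenges) that puts a file reader which joins user input onto a base directory beside one that resolves the path and checks it stays inside that directory. The function names, the `www` directory and the file contents are all constructed for illustration.

```python
import os
import tempfile


def read_page_naive(web_root, user_path):
    """Vulnerable pattern: joins user input onto the base directory unchecked."""
    with open(os.path.join(web_root, user_path)) as fh:
        return fh.read()


def read_page_checked(web_root, user_path):
    """Resolve the final path first, then require it to stay inside web_root."""
    root = os.path.realpath(web_root)
    # realpath collapses "." and ".." and follows symlinks before we compare.
    target = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root: %r" % user_path)
    with open(target) as fh:
        return fh.read()


def demo():
    """Build a constructed directory tree and compare both readers."""
    with tempfile.TemporaryDirectory() as base:
        web_root = os.path.join(base, "www")
        os.mkdir(web_root)
        with open(os.path.join(web_root, "index.html"), "w") as fh:
            fh.write("hello")
        # Constructed file that lives one level above the web root.
        with open(os.path.join(base, "secret.txt"), "w") as fh:
            fh.write("constructed-secret")

        results = {
            "naive_normal": read_page_naive(web_root, "index.html"),
            "naive_traversal": read_page_naive(web_root, "../secret.txt"),
            "checked_normal": read_page_checked(web_root, "index.html"),
        }
        try:
            read_page_checked(web_root, "../secret.txt")
            results["checked_traversal"] = "allowed"
        except PermissionError:
            results["checked_traversal"] = "blocked"
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The checked reader compares resolved paths rather than filtering strings, so it does not depend on recognizing any particular spelling of "../" in the input.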

Slides

Challenges

We'll be working on the following challenges on platform.acmcyber.com:

  • Challenge 1 - web/happy-halloween
  • Challenge 2 - web/potluck
  • Challenge 3 - web/book-store
  • Challenge 4 - web/stealing-favorite-animal-flag
  • Challenge 5 - web/the-modern-file-explorer-1
  • Challenge 6 - web/the-modern-file-explorer-2
  • Challenge 7 - web/the-modern-file-explorer-3
  • Challenge 8 - web/the-modern-file-explorer-4
  • Challenge 9 - web/the-modern-file-explorer-5

Resources

The following are great resources for learning about LFI, mitigations, and bypasses.