Local File Inclusion Exploitation With Burp

26 Dec

Local file inclusion is a vulnerability that allows the attacker to read files that are stored locally through the web application. This happens because the code of the application does not properly sanitize the input passed to the include() function. So if an application is vulnerable to LFI, an attacker can harvest information about the web server. Below you can see an example of PHP code that is vulnerable to LFI.

Vulnerable Code to LFI

In this article we will use Mutillidae as the target application in order to exploit the local file inclusion flaw through Burp Suite. As we can see from the next screenshot, the user can select a file name and view its contents just by pressing the view file button.

Location of LFI on the Web Application

So we will capture and manipulate the HTTP request with Burp in order to read system files.

Capturing the HTTP Request

As we can see from the above request, the web application is reading the files through the textfile variable. So we will try to modify that in order to read a system file like /etc/passwd. In order to achieve that we have to go out of the web directory by using directory traversal.

HTTP Request Modification - /etc/passwd

We will forward the request and now we can check the response on the web application, as the next image shows:

Reading the /etc/passwd

We have successfully read the contents of the /etc/passwd file. Now with the same process we can dump other system files as well. Some of the paths that we might want to try are the following:

  • /etc/group
  • /etc/hosts
  • /etc/motd
  • /etc/issue
  • /etc/mysql/my.cnf
  • /proc/self/environ
  • /proc/version
  • /proc/cmdline

/etc/group contents

/etc/hosts contents

/etc/issue contents

mysql configuration file

/proc/version contents

/proc/cmdline contents

As we saw, the exploitation of this vulnerability doesn’t require any particular skill, just knowledge of well-known directories for different platforms. An attacker can discover a large amount of information about his target through LFI just by reading files. It is an old vulnerability which is not seen very often in modern web applications.
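
A containment check for a file viewer like the one exploited above, as an added example that is not code from the original post or from Mutillidae. The function name, the temporary base directory and the sample file are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post. The function name, the base
// directory and the sample file are assumptions made for this illustration.

/**
 * Map a user-supplied file name (e.g. the textfile parameter) to a real
 * path inside $baseDir. Returns null for anything that escapes it.
 */
function resolve_viewable(string $requested, string $baseDir): ?string
{
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ../ sequences and symlinks; false if the target is missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary directory holding one viewable file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
if (!is_dir($base)) {
    mkdir($base);
}
file_put_contents($base . DIRECTORY_SEPARATOR . 'notes.txt', "hello\n");

// Constructed inputs: one legitimate name and the traversal shapes discussed above.
$samples = ['notes.txt', '../../../../etc/passwd', '/etc/passwd', "notes.txt\0.php"];
foreach ($samples as $name) {
    $path = resolve_viewable($name, $base);
    // Serve with file_get_contents() plus escaping, never include(): content is data, not code.
    $out = $path === null ? 'rejected' : 'served: ' . htmlspecialchars(trim(file_get_contents($path)));
    printf("%-30s => %s\n", json_encode($name), $out);
}
```

In a real handler the rejected case should return a generic error and be logged. When the set of viewable files is fixed, an allow-list of known names is stricter still.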


Posted by on December 26, 2012 in Web Application



7 responses to “Local File Inclusion Exploitation With Burp”

  1. infinity432

    December 26, 2012 at 3:21 pm

    There’s more to LFI than just reading files. What about following up the post with how to gain a shell?

  2. netbiosX

    December 26, 2012 at 3:32 pm

    Good suggestion infinity432! I will update the post!

  3. Concerned-PHP-Programmer

    December 27, 2012 at 12:30 am

    This is a brilliant article, I really like the code example that clearly demonstrates exactly where local file inclusion vulnerabilities occur. I am glad I read this because I have always used a lot of variable assignments in my code, especially taking values from the $_GET array, and now I will not do this anymore.

    Do you have any advice for PHP programmers on how to set variables from user input without causing LFI vulnerabilities?

  4. Digit Oktavianto

    December 28, 2012 at 6:44 pm

    @Command-PHP-Programmer:

    Maybe you should read the OWASP Guidelines. They give a brief explanation in the documentation.

  5. Frenki

    January 5, 2013 at 10:25 pm

    $file = $_GET['page'];
    And how exactly is this vulnerable to LFI?

  6. netbiosX

    January 7, 2013 at 12:27 am

    @Frenki It is vulnerable because PHP is reading from a file that is stored on the local machine and then it displays it on the web page. This means that you can request for other files that are stored locally (for example /etc/passwd) to be displayed on the web application.

    • Frenki

      January 7, 2013 at 12:37 am

      I am fairly sure you need at least an include() or require() (or _once() parts), or file_get_contents (read only) to include or read anything.

      $file = $_GET['page'];
      will only assign the value of GET['page'] to the $file variable. Am I missing something?

