Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ishanoshada/lfi
A side note about LFI and Leaking the php source of some sites
blue-team cyber-security cybersecurity lfi owasp web-attack
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/ishanoshada/lfi
- Owner: Ishanoshada
- License: gpl-3.0
- Created: 2024-04-06T18:45:57.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2024-04-13T11:13:38.000Z (10 months ago)
- Last Synced: 2024-04-13T23:52:58.827Z (10 months ago)
- Topics: blue-team, cyber-security, cybersecurity, lfi, owasp, web-attack
- Language: PHP
- Homepage:
- Size: 393 KB
- Stars: 4
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# 🛡️ LFI Vulnerability Repository
Welcome to the LFI Vulnerability repository! This comprehensive guide will provide you with everything you need to understand, explore, and mitigate Local File Inclusion (LFI) vulnerabilities in web applications. Whether you're a cybersecurity enthusiast, a web developer, or simply curious about web security, this repository is your ultimate resource.
Give us a ⭐️ if you find this project helpful!
## 🚀 Dive into the World of LFI Vulnerabilities
Local File Inclusion (LFI) is a critical security vulnerability that occurs when a web application includes files from the server based on user-controlled input received from the browser, without properly restricting which files may be included. This oversight can lead to severe consequences, including unauthorized access to sensitive files, execution of malicious code, and compromise of the entire web application.
## 🎯 What's Inside?
1. **Example Vulnerable Code**: Get hands-on experience with real-world vulnerable PHP code, showcasing how LFI vulnerabilities can be exploited.
2. **Mitigation Strategies**: Learn best practices for mitigating LFI vulnerabilities, including input validation, whitelisting, and secure coding practices.
3. **Advanced LFI Methods**: Explore advanced techniques used by attackers to exploit LFI vulnerabilities, such as directory traversal and PHP wrapper manipulation.
4. **Example Usage**: Test your skills by using example URLs to exploit LFI vulnerabilities in simulated web applications.
5. **Vulnerable Websites**: Explore real websites with LFI vulnerabilities, along with example URLs for testing and learning purposes.
## 🛠️ Example Vulnerable Code
```php
```
```php
```
In the updated code, we have introduced an array `$allowed_files` containing the names of files that are allowed to be accessed. Before serving the requested file, we check if it exists in the `$allowed_files` array. If it does, the file is served; otherwise, an error message is displayed. This approach helps mitigate the risk of LFI vulnerabilities by restricting access to only whitelisted files.
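The following is an added example written for this page, not the repository's own `download.php`: it places a vulnerable handler beside a hardened one that applies the `$allowed_files` allowlist described above, and goes one step further than the text by also checking with `realpath()` that the resolved file still lives under the download directory. The directory layout, the file names and the allowlist are all constructed for the self-check and assume PHP 7.4 or later.

```php
<?php
// Added example (not the repository's code): vulnerable vs. allowlisted file serving.
// Base directory, file names and $allowed_files below are constructed for the demo.

// --- Vulnerable pattern: the request parameter is joined to the path unchecked.
// Whatever the client sends (a traversal sequence, an absolute path, a PHP wrapper)
// reaches file_get_contents unchanged, so the file that is read is attacker-chosen.
function serve_file_vulnerable(string $base_dir, string $requested)
{
    return @file_get_contents($base_dir . '/' . $requested);
}

// --- Hardened pattern: exact-match allowlist plus a path-containment check.
function serve_file_allowlisted(string $base_dir, string $requested, array $allowed_files)
{
    // 1. Only names that were explicitly published may be requested.
    //    Strict comparison so that e.g. "0" cannot match an integer entry.
    if (!in_array($requested, $allowed_files, true)) {
        return false;
    }
    // 2. Defence in depth: resolve symlinks and "..", then confirm the real path is
    //    still inside $base_dir. A mistaken allowlist entry cannot escape the directory.
    $real_base = realpath($base_dir);
    $real_path = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    if ($real_base === false || $real_path === false) {
        return false; // base missing or file does not exist
    }
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_path, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the download directory
    }
    return file_get_contents($real_path);
}

// --- Self-check on a throwaway directory (runs offline, cleans up after itself).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/report.pdf', 'report contents');   // published file
file_put_contents($base . '/secret.txt', 'not for download');  // exists, never published

$allowed_files = ['report.pdf', 'brochure.pdf']; // constructed allowlist

$probes = [
    'report.pdf',        // on the allowlist and present: served
    'brochure.pdf',      // on the allowlist but missing: rejected (realpath false)
    'secret.txt',        // present but not on the allowlist: rejected
    '../secret.txt',     // traversal attempt: rejected by the allowlist
];
foreach ($probes as $p) {
    $vuln = serve_file_vulnerable($base, $p);
    $safe = serve_file_allowlisted($base, $p, $allowed_files);
    printf("%-16s vulnerable: %-9s allowlisted: %s\n",
        $p,
        $vuln === false ? 'rejected' : 'served',
        $safe === false ? 'rejected' : 'served');
}

unlink($base . '/report.pdf');
unlink($base . '/secret.txt');
rmdir($base);
```

Run it with `php download_demo.php`; the vulnerable function serves `secret.txt` while the allowlisted function rejects everything except `report.pdf`. The allowlist is the control the text describes; the `realpath()` containment check is the extra layer that also covers the "validate input" and "whitelist file paths" items of the mitigation list that follows.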
## 🛡️ Mitigation Strategies
Implement robust mitigation strategies to safeguard your web applications against LFI vulnerabilities:
- Validate and sanitize user input rigorously.
- Whitelist allowed file paths to restrict access.
- Utilize file system permissions and access controls.
- Implement Content Security Policies (CSP) to mitigate risks.

## 🔍 Advanced LFI Methods
Discover advanced techniques employed by attackers to exploit LFI vulnerabilities:
1. **Directory Traversal**: Navigate through file systems to access sensitive files.
2. **Null Byte Injection**: Bypass file extension checks using null byte injections.
3. **PHP Wrapper Manipulation**: Exploit PHP wrappers to include remote files or execute arbitrary code.

## 🚀 Example Usage
Explore LFI vulnerabilities in action:
```
http://example.com/download.php?file=/etc/passwd
```

## 🌐 Vulnerable Websites
Discover real-world websites with LFI vulnerabilities for testing and learning:
```
/bmes.lk/...
/daph.cp.gov.lk/...
/idcards.ru/...
/transfer78.ru/...
/ijcrt.org/...
/gsmtech.in/...
/lepide.com/...
/shafriri.co.il/...
/boat.rides.lk/...
--/taxi.rides.lk/...
/minams.edu.pk/...+ db
/woomyoung.co.kr/...
```
Explore the source code of these vulnerable websites to understand how LFI vulnerabilities can be present in real-world web applications. Remember to use them for educational and research purposes only.
🔍 **Google Dorks**: [intitle:"Index of /" + "download.php"](https://github.com/Ishanoshada/GDorks/tree/main/LFI)
Use Google Dork to discover more websites with potential LFI vulnerabilities. However, exercise caution and adhere to ethical guidelines when exploring and testing vulnerable websites.
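For the defensive side of the three methods listed under Advanced LFI Methods, and of the `file=/etc/passwd` request shown under Example Usage, here is an added detection example written for this page (not code from the repository): it pulls the `file` parameter out of constructed Apache-style access-log lines and reports which indicator each value carries, so a blue team can alert on these requests. The log lines, the parameter name and the indicator labels are all assumptions made for the example; it needs PHP 8.0 or later for `str_contains`.

```php
<?php
// Added example (not the repository's code): flag LFI indicators in access-log lines.
// Log lines, the "file" parameter name and the indicator labels are constructed.

// Return the indicators found in one raw parameter value, or [] if it looks clean.
function lfi_indicators(string $raw): array
{
    $hits = [];
    // Decode twice so double-encoded payloads (%252e%252e%252f) are inspected as well.
    $decoded = rawurldecode(rawurldecode($raw));

    // 1. Directory traversal: "../" or "..\" anywhere after decoding.
    if (preg_match('#\.\.[/\\\\]#', $decoded)) {
        $hits[] = 'directory-traversal';
    }
    // 2. Null byte injection: a NUL character inside the value after decoding.
    if (str_contains($decoded, "\0")) {
        $hits[] = 'null-byte';
    }
    // 3. PHP stream wrappers where a plain file name is expected.
    if (preg_match('#^\s*(php|expect|phar|zip)://|^\s*data:#i', $decoded)) {
        $hits[] = 'php-wrapper';
    }
    // 4. Absolute path into system directories (the /etc/passwd example above).
    if (preg_match('#^/(etc|proc|root|var)/#', $decoded)) {
        $hits[] = 'absolute-path';
    }
    return $hits;
}

// Extract one query parameter (still URL-encoded) from a request line such as
// "GET /download.php?file=... HTTP/1.1". Returns null when the parameter is absent.
function query_param(string $request_line, string $name): ?string
{
    if (!preg_match('#^\S+\s+(\S+)\s+HTTP/#', $request_line, $m)) {
        return null;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return null;
    }
    // Split by hand rather than parse_str() so the raw, encoded value is preserved.
    foreach (explode('&', substr($m[1], $qpos + 1)) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        if ($k === $name) {
            return $v;
        }
    }
    return null;
}

// Scan combined-format log lines and collect the ones carrying indicators.
function scan_log(array $lines, string $param = 'file'): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // The request line is the first double-quoted field of the combined format.
        if (!preg_match('/"([^"]*)"/', $line, $m)) {
            continue;
        }
        $value = query_param($m[1], $param);
        if ($value === null) {
            continue;
        }
        $indicators = lfi_indicators($value);
        if ($indicators !== []) {
            $findings[] = ['line' => $i + 1, 'value' => $value, 'indicators' => $indicators];
        }
    }
    return $findings;
}

// Constructed sample log: one benign request followed by the attack classes above.
$sample_log = [
    '203.0.113.5 - - [13/Apr/2024:11:13:38 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Apr/2024:11:13:40 +0000] "GET /download.php?file=../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.5 - - [13/Apr/2024:11:13:41 +0000] "GET /download.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '203.0.113.5 - - [13/Apr/2024:11:13:42 +0000] "GET /download.php?file=report.pdf%00.jpg HTTP/1.1" 404 210',
    '203.0.113.5 - - [13/Apr/2024:11:13:43 +0000] "GET /download.php?file=php://filter/resource=index.php HTTP/1.1" 200 9000',
];

foreach (scan_log($sample_log) as $f) {
    printf("line %d: %-45s [%s]\n", $f['line'], $f['value'], implode(', ', $f['indicators']));
}
```

Only lines 2 to 5 of the sample are reported: the plain `report.pdf` request produces no indicator, the double-encoded request is caught because the value is decoded twice before matching, and the `%00` request is flagged even though the decoded file name itself looks harmless. In production the same function can feed a WAF rule or a SIEM query; the point of decoding before matching is that a single-pass check is exactly what encoded payloads are built to slip past.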
## 🤝 Contributing
Contributions are welcome! If you have additional examples, mitigation strategies, or improvements, feel free to submit a pull request and join the community effort to enhance web security awareness.
## 📝 License
This repository is licensed under the GPL-3.0 license. See the [LICENSE](LICENSE) file for details.
---
**Repository Views** ![Views](https://profile-counter.glitch.me/LFI/count.svg)
Thank you for exploring the LFI Vulnerability Examples repository. Let's work together to strengthen web security and protect against cyber threats. Happy coding and stay secure! 🛡️🌐