As a security researcher, I constantly test websites for flaws that hackers might use against them. During a recent examination of the XYZ website, I found a Local File Inclusion (LFI) flaw that could let an attacker access private files and data on the website’s server.
What is an LFI vulnerability?
An LFI vulnerability is a type of web application vulnerability that lets an attacker cause files from the web server to be included in a page the user requests. Attackers can exploit this to access private data and files that should not be available to the general public.
How to identify a website’s LFI vulnerability
I’m trying out the target.com website. As I navigate to the subsequent page, I note that the URL is target/index.php?page=hem.php.
Now I try to change the directory, so I add some simple LFI payloads:
../../../etc/passwd
But the payload did not work.
I tried other encoded payloads, but they didn’t work.
After some tries, I found the right payload.
The payload is:
..//..//..//..//..//..//..//etc//shadow
WOW😁 Now you can see the shadow file.
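On the defensive side, here is one way to handle the page parameter so that both payloads above are rejected. This is an added example, not code from the XYZ site or from this write-up: the function name resolve_page(), the demo directory, and the assumption that the parameter feeds a PHP include are all hypothetical.

```php
<?php
// Added example; resolve_page() and the demo directory are hypothetical names.
// Assumption: the vulnerable form is `include $_GET['page'];` with no checks.

function resolve_page(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null; // empty value or NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", "." and repeated slashes and follows symlinks,
    // so "../x" and "..//x" reduce to the same canonical path before the check.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null; // nonexistent, or not a regular file
    }
    // Containment: the canonical target must live under the canonical base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary pages directory holding one legitimate page.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($pagesDir);
$page = $pagesDir . DIRECTORY_SEPARATOR . 'hem.php';
file_put_contents($page, "<?php echo 'home';\n");

$samples = [
    'hem.php',                                  // value seen in the URL
    '../../../etc/passwd',                      // first payload from the post
    '..//..//..//..//..//..//..//etc//shadow',  // second payload from the post
    '/etc/passwd',                              // constructed: absolute path
];
foreach ($samples as $value) {
    $resolved = resolve_page($pagesDir, $value);
    printf("%-42s => %s\n", $value, $resolved === null ? 'rejected' : 'allowed');
}

unlink($page);
rmdir($pagesDir);
```

Because the check runs on the canonical path rather than on the raw string, it does not depend on how the traversal is spelled; only hem.php is reported as allowed.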
“I hope this blog post has been informative and helpful. Remember, website security is everyone’s responsibility!”
HAPPY HACKING!