Metasploit in practice: penetration testing file inclusion and cross-site request forgery

A web application is ultimately a directory in the operating system, which in turn contains other directories and files. Under normal circumstances, a user who accesses the web application through a browser can reach only the content in the directory that corresponds to that application. However, if the web application can operate on files and does not strictly restrict that capability, a client can access files outside the web directory, and therefore other files in the server's operating system. This is generally called a Local File Inclusion (LFI) vulnerability, also known as directory traversal. If the web server is not configured securely and runs as a high-privileged user, attackers may be able to obtain sensitive information.

Correspondingly, there is the Remote File Inclusion (RFI) vulnerability, which lets a web application load files located on other web servers. This kind of vulnerability exists mainly in web applications written in PHP and essentially does not appear in applications written in JSP, ASP.NET or other languages.

File inclusion and command injection are like twin vulnerabilities: both result from a web application's permissions being extended beyond what was intended. Command injection uses the web application to execute system commands, while file inclusion uses it to access system directories. Both exist mainly in web applications written in PHP, but the mechanisms that produce them are instructive for all web applications.

1. Introduction to file inclusion vulnerabilities

If a web application has a local file inclusion vulnerability, hackers may construct malicious URLs to read files in non-web directories (the consequences will be more serious in a PHP environment).

As shown in the figure below, under normal circumstances, the range that users can access through the browser is limited to the www directory, and they cannot access other directories in the server operating system.
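
The following PHP sketch is an added example, not code from the original article. It shows the unrestricted include pattern described above next to two ways of keeping access inside the web directory. The `www/pages` layout, the `page` parameter, the page names and the function names are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout: includable templates live under <app>/www/pages.
const PAGES_DIR = __DIR__ . '/www/pages';

// Vulnerable pattern (kept as a comment so this file stays safe to run):
// the request parameter chooses the path, so the client, not the
// application, decides which file on the server is loaded.
//
//     include $_GET['page'];

// Hardened form 1: map a fixed set of names to files. User input only
// selects a key; it never becomes part of a filesystem path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function pageFromAllowlist(string $name): ?string
{
    return array_key_exists($name, ALLOWED_PAGES)
        ? PAGES_DIR . '/' . ALLOWED_PAGES[$name]
        : null;
}

// Hardened form 2: when the set of files is dynamic, canonicalise the path
// and confirm it is still inside the base directory before using it.
function pageWithinBase(string $name, string $baseDir = PAGES_DIR): ?string
{
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $name . '.php'); // false if missing
    if ($base === false || $full === false) {
        return null;
    }
    // realpath() has resolved "..", "." and symlinks, so a prefix
    // comparison against the canonical base (with a trailing separator)
    // is meaningful here.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

$requested = $_GET['page'] ?? 'home';
$path = is_string($requested) ? pageFromAllowlist($requested) : null;
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

The allowlist is the stronger control because no client-supplied string ever reaches the filesystem. The containment check is the fallback for cases where the file set cannot be enumerated in advance.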


Origin blog.csdn.net/qq_35029061/article/details/134680760