LFI, RCE, RFI, Local file inclusion in a web app, Remote code execution in a web app, LFI to RCE.
Web applications are designed to present a system-independent interface to dynamically generated content to any user with a web browser. By my analysis over the last several years, web applications and their importance have increased. As web applications have grown, the quantity and impact of security vulnerabilities in such applications have grown as well. An application may be designed on the assumption that users will only enter valid data as the programmer intended, in terms of both the data and the ways of entering input. However, if the user's input is not handled properly, serious security problems can result. There are separate possible methods that can be used to trigger the execution of code on both the client and the server side. An LFI attack reveals sensitive information on the server by simply adding some extra payloads to URLs or requests. LFI attacks lead to the disclosure of password files, configuration files, and some of the other sensitive files of the system. RCE executes or uploads a malicious script on the server, which leads to control of the system. In this paper, we show how we can perform RCE through LFI.