First, let's see what LFI is.
The first definition is here.
We now have some information; let's complement it with this other blog. This is a really cool blog, so visit it from time to time if you want to learn something new.
The LFI article is here: Local File Inclusion (LFI) - What is LFI and how to deal with it.
Now you know:
For RFI, we are only going to concentrate on the theoretical part, since it is very rarely presented in a CTF. So we will only look at one article that explains what is needed to understand this vulnerability a bit: What is the Remote File Inclusion vulnerability?
Now you know:
Now, if the difference between these two vulnerabilities is not clear enough, we can find a nice article explaining the difference here.
Burp Suite can help us a lot in identifying and exploiting this vulnerability. The PortSwigger academy shows us in this tutorial how to use Repeater to exploit LFI.
We also know how to use Intruder, so why don't we just include a payload list like this one and let Intruder do the job?
Now you know:
Remember, when you face a challenge you can always check PayloadsAllTheThings, as it has many pre-made examples and payloads. Here is the file inclusion section.
To finish off this section, let's do a guided room before you go ahead to the challenge section. In this wonderful room you are going to review some theoretical information, exploit a basic LFI, exploit an LFI using Directory Traversal and finally use the Log Poisoning technique to gain a reverse shell from an LFI vulnerability.
Really try to take advantage of this room; it is very well designed for learning. Remember to add everything to your notes. See you in the challenges section.