![]() ![]() ![]() However, it isn't very often that you see any articles or blog posts that discuss files to access within Windows in the case that a LFI vulnerability is discovered within an application on a Windows Server. In many different examples throughout the web you will see articles discussing LFI in regards to accessing files within Linux, such as accessing ‘/etc/passwd,' or log files within ‘/var/log,' or a user's Bash history ‘/home//.bash_history.' An example of accessing /etc/passwd within a web application is shown in Figure 1. Very often when talking about LFI you are talking about utilizing Directory Traversal (‘./') to move up from the WebRoot directory to access local files. Per OWASP, "Local File Inclusion (LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application." Taking a look at that definition, what does it really mean? Essentially, it states that through some means someone may be able to access files on your local system through your application. ![]() For more information, check out the training page at First things first, I think it's important to define this topic. This is the 5th in a series of blog topics by penetration testers, for penetration testers, highlighting some of the advanced pentesting techniques they'll be teaching in our new Network Assault and Application Assault certifications, opening for registration this week. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |