    <?php

    // Allow list: only these two files may ever be passed to include().
    $v1 = array('delete.txt', 'undelete.txt');

    // '@' suppresses the "undefined index" notice when getfile is absent.
    $filename = @$_GET['getfile'];

    if (isset($filename))
    {
        if (in_array($filename, $v1))
        {
            include($filename);
        }
        else
        {
            include("index.php");
        }
    }

    ?>
    <html>
    <body>
    <title>
    Hack me</title>
    <link href="style.css" rel="stylesheet" type="text/css"/>

    <style>body {
        background-color: #C0C0C0;
    }
    </style>

    <table align="right"><td><a href="/dashboard/demoapp.php"><font size="5">Home</font></a></td></table>

    <img src="/dashboard/demo.jpg" width="500" height="100"><br><br><br>

    </body>
    </html>

Is it possible to bypass this filter in LFI?

What I did here is create an array, and in that array I allowed only two files. If in_array() does not find the file, it will include another one.

So is it still vulnerable?

januu agrawal
  • No but the code is poor/useless. – Lawrence Cherone Jan 10 '18 at 03:21
  • Why? Why is it poor and useless? Please clarify it, so I can improve it? – januu agrawal Jan 10 '18 at 03:27
  • 1. Suppressing errors, instead of checking it exists. Checking a variable after you know it's set. 2. Including a text file above the head of the document, why would you want to do that? 3. No table tr just td's and what's with the `align="right"`?, 4. `<font>` tag was deprecated like 10 years ago. 5. Formatting.. – Lawrence Cherone Jan 10 '18 at 03:33
  • Oh, I agree, I agree. This is just my local website. Now, suppose I found LFI in my pentest and I want to mitigate it. Now through that work, as mentioned above, I can do that? In real-world scenarios? – januu agrawal Jan 10 '18 at 03:38
  • In a real world scenario you would structure the application so it does not do arbitrary includes based upon a parameter, instead let an autoloader decide based upon a class name or by a predefined routing mechanism. You can mitigate the attack by having a whitelist (like you're doing) or define a folder which you load your files from and basename() the file name. – Lawrence Cherone Jan 10 '18 at 03:45
  • So we can mitigate the attack in real-world scenarios as I am doing above? – januu agrawal Jan 10 '18 at 03:51
  • Yeah, if you define a whitelist you'll be fine. – Lawrence Cherone Jan 10 '18 at 03:55
  • Thank you very much @LawrenceCherone Nice talk ;) – januu agrawal Jan 10 '18 at 03:56
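The two mitigations discussed in the thread, the exact-match allow list from the question and the "dedicated folder plus basename()" approach from the comments, side by side. This is an added example, not the asker's code or Lawrence Cherone's; the function names, the temporary directory and the probe strings are all constructed for the demonstration.

```php
<?php
// Added example (not the asker's code): two ways to resolve a user-supplied
// page name into a file the script is allowed to include.

declare(strict_types=1);

// Approach 1: exact-match allow list, as in the question. The comparison is
// strict so the client's value must be byte-for-byte one of the listed names;
// nothing the client sends is ever passed to include() unchanged.
function resolveFromAllowList(?string $requested, array $allowed): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }
    // in_array() with $strict = true: only an exact string match passes.
    return in_array($requested, $allowed, true) ? $requested : null;
}

// Approach 2 (the comments' suggestion): keep the pages in one directory,
// strip any path component with basename(), and confirm with realpath()
// that the final path is still inside that directory.
function resolveFromDirectory(?string $requested, string $baseDir): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }
    // basename() discards everything up to the last '/', so "a/../b.txt"
    // becomes "b.txt"; traversal components never reach the filesystem.
    $name = basename($requested);
    // Accept a plain file name only: letters, digits, dot, dash, underscore.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() resolves symlinks and "..", so a prefix check is meaningful.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration with constructed inputs (hypothetical directory and files).
$pagesDir = sys_get_temp_dir() . '/lfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700);
}
file_put_contents($pagesDir . '/delete.txt', "delete page\n");
file_put_contents($pagesDir . '/undelete.txt', "undelete page\n");

$allowed = ['delete.txt', 'undelete.txt'];
$probes = [
    'delete.txt',                        // listed name: accepted by both
    'undelete.txt',                      // listed name: accepted by both
    '../index.php',                      // traversal: rejected by both
    'delete.txt/../undelete.txt',        // rejected by the list, basename() keeps undelete.txt
    'php://filter/resource=delete.txt',  // stream wrapper: rejected by both
    '',                                  // empty: rejected by both
];

foreach ($probes as $p) {
    $a = resolveFromAllowList($p, $allowed) ?? '(rejected)';
    $d = resolveFromDirectory($p, $pagesDir) ?? '(rejected)';
    printf("%-38s allow-list: %-14s directory: %s\n", var_export($p, true), $a, $d);
}
```

The allow-list version is the stricter of the two: the string handed to include() is always one of the literals in the array, so the client controls only which of those two files runs, never the path. The directory version is more flexible (any file dropped into the folder becomes reachable) but must combine basename(), a name pattern and the realpath() prefix check to be safe. In both cases remember that include() executes any PHP inside the chosen file, so the allowed files themselves must be trusted content.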
