SasanLabs · Ivan12273 · Jul 1, 2021 · Jul 3, 2021 · Jul 4, 2021 · preetkaran20
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java b/src/main/java/org/sasanlabs/service/vulnerability/lfi/LFIVulnerability.java
@@ -0,0 +1,106 @@
+package org.sasanlabs.service.vulnerability.lfi;
+
+import static org.sasanlabs.vulnerability.utils.Constants.NULL_BYTE_CHARACTER;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Map;
+import java.util.Scanner;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.sasanlabs.internal.utility.GenericUtils;
+import org.sasanlabs.internal.utility.LevelConstants;
+import org.sasanlabs.internal.utility.annotations.AttackVector;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
+import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
+import org.sasanlabs.service.vulnerability.pathTraversal.PathTraversalVulnerability;
+import org.sasanlabs.vulnerability.types.VulnerabilitySubType;
+import org.sasanlabs.vulnerability.types.VulnerabilityType;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@VulnerableAppRestController(
+        descriptionLabel = "URL_BASED_LFI_INJECTION",
+        value = "LocalFileInclusion",
+        type = {VulnerabilityType.LFI})
+public class LFIVulnerability {
+
+    private static final transient Logger LOGGER =
+            LogManager.getLogger(PathTraversalVulnerability.class);
+
+    private static final String URL_PARAM_KEY = "file";
+
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilitySubType.LFI,
+            description = "LFI_URL_DIRECT_INJECTION")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_1,
+            descriptionLabel = "LFI_URL_PARAM_BASED_DIRECT_INJECTION",
+            htmlTemplate = "LEVEL_1/LFI")
+    public ResponseEntity<String> getVulnerablePayloadLevelUnsecure(
+            @RequestParam Map<String, String> queryParams) {
+        StringBuilder payload = new StringBuilder();
+        String queryParameterURL = queryParams.get(URL_PARAM_KEY);
+        if (queryParameterURL != null) {
+            try {
+                File file =
+                        new File(
+                                "src/main/java/org/sasanlabs/service/vulnerability/lfi/"
+                                        + queryParameterURL);
+                Scanner reader = new Scanner(file);
+                String data = "";
+                while (reader.hasNextLine()) {
+                    data = data + reader.nextLine();
+                }
+                data =
+                        data
+                                + "<a href='/VulnerableApp/LocalFileInclusion/LEVEL_2'>go to LEVEL_2</a>";
+                payload.append(data);
+                reader.close();
+            } catch (IOException e) {
+                LOGGER.error("Following error occurred:", e);
+            }
+        }
+
+        return new ResponseEntity<>(
+                GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()),
+                HttpStatus.OK);
+    }
+
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilitySubType.LFI,
+            description = "LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_2,
+            descriptionLabel = "LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE",
+            htmlTemplate = "LEVEL_1/LFI")
+    public ResponseEntity<String> getVulnerablePayloadLevelUnsecureLevel2(
+            @RequestParam Map<String, String> queryParams) {
+        StringBuilder payload = new StringBuilder();
+        String queryParameterURL = queryParams.get(URL_PARAM_KEY);
+        if (queryParameterURL != null && queryParameterURL.contains(NULL_BYTE_CHARACTER)) {
+            try {
+                queryParameterURL = queryParameterURL.replace(NULL_BYTE_CHARACTER, "");
+                File file =
+                        new File(
+                                "src/main/java/org/"
+                                        + "sasanlabs/service/vulnerability/lfi/"
+                                        + queryParameterURL);
+                Scanner reader = new Scanner(file);
+                String data = "";
+                while (reader.hasNextLine()) {
+                    data = data + reader.nextLine();
+                }
+                payload.append(data);
+                reader.close();
+            } catch (IOException e) {
+                LOGGER.error("Following error occurred:", e);
+            }
+        }
+
+        return new ResponseEntity<>(
+                GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString()),
+                HttpStatus.OK);
+    }
+}
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt b/src/main/java/org/sasanlabs/service/vulnerability/lfi/secretFiles/passwords.txt
@@ -0,0 +1,6 @@
+<h2>TOP SECRET PASSWORDS</h2>
+
+<p>USER1:PQOAJ231</p>
+<p>USER2:DKAO1020</p>
+<p>USER3:CMVNP325</p>
+
diff --git a/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java b/src/main/java/org/sasanlabs/vulnerability/types/VulnerabilitySubType.java
@@ -41,7 +41,10 @@ public enum VulnerabilitySubType {
     NULL_BYTE(VulnerabilityType.NULL_BYTE),
 
     // XXE Vulnerability
-    XXE(VulnerabilityType.XXE);
+    XXE(VulnerabilityType.XXE),
+
+    // LFI Vulnerability
+    LFI(VulnerabilityType.LFI);
 
     private VulnerabilityType vulnerabilityType;
 

diff --git a/src/main/resources/i18n/messages.properties b/src/main/resources/i18n/messages.properties
@@ -203,9 +203,29 @@ COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26
 
 
 # Local File Injection
-#URL_BASED_LFI_INJECTION=Url based Local File Injection attack.
-#LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.
-#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file.
+URL_BASED_LFI_INJECTION=LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.\
+ An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. \
+An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). \
+Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input \ \
+as trusted, a local file may be used in the include statement. \
+<br/><br/> Important Links on LFI : \
+ <ol> \ <li><a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion" target="_blank">\
+  Testing for Local File Inclusion \</a> \
+   <li><a \
+       href="https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/local-file-inclusion/" target="_blank"> \
+       Local File Inclusion by netsparker </a> \
+ </ol>
+LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.
+LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file.
+#### AttackVector description
+LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \
+inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \
+the attacker to see its content.
+LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE=The null character is a control character with the value zero present in \
+many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after \
+this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \
+appending it to the requested path, this would ignore the file's extension being added to the input filename, \
+returning to an attacker the file information as a result of a successful exploitation.
 
 # Local File Injection with Null Byte
 #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack.

diff --git a/src/main/resources/i18n/messages_en_US.properties b/src/main/resources/i18n/messages_en_US.properties
@@ -203,9 +203,29 @@ COMMAND_INJECTION_URL_PARAM_DIRECTLY_EXECUTED_IF_SEMICOLON_SPACE_LOGICAL_AND_%26
 
 
 # Local File Injection
-#URL_BASED_LFI_INJECTION=Url based Local File Injection attack.
-#LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.
-#LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file.
+URL_BASED_LFI_INJECTION=LFI vulnerabilities allow an attacker to read (and sometimes execute) files on the victim machine.\
+ An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. \
+An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). \
+Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input \ \
+as trusted, a local file may be used in the include statement. \
+<br/><br/> Important Links on LFI : \
+ <ol> \ <li><a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion" target="_blank">\
+  Testing for Local File Inclusion \</a> \
+   <li><a \
+       href="https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/local-file-inclusion/" target="_blank"> \
+       Local File Inclusion by netsparker </a> \
+ </ol>
+LFI_URL_PARAM_BASED_DIRECT_INJECTION=Url Parameter \"fileName\" is directly passed to the include file.
+LFI_URL_PARAM_BASED_INJECTION_WITH_VALIDATION_ON_FILE=Url Parameter \"fileName\" is validated and passed to include file.
+#### AttackVector description
+LFI_URL_DIRECT_INJECTION=If the developer fails to implement sufficient filtering an attacker could exploit the local file \
+inclusion vulnerability by replacing the path with another path of a sensitive file such as a password file, allowing \
+the attacker to see its content.
+LFI_URL_DIRECT_INJECTION_WITH_VALIDATION_ON_FILE=The null character is a control character with the value zero present in \
+many character sets that is being used as a reserved character to mark the end of a string. Once used, any character after \
+this special byte will be ignored. Commonly the way to inject this character would be with the URL encoded string %00 by \
+appending it to the requested path, this would ignore the file's extension being added to the input filename, \
+returning to an attacker the file information as a result of a successful exploitation.
 
 # Local File Injection with Null Byte
 #URL_WITH_NULL_BYTE_BASED_LFI_INJECTION=Url with Null Byte Injection based Local File Injection attack.

diff --git a/src/main/resources/static/images/GitHub-Mark-32px.png b/src/main/resources/static/images/GitHub-Mark-32px.png
diff --git a/src/main/resources/static/index.html b/src/main/resources/static/index.html
@@ -22,7 +22,7 @@
 		<!-- TODO Add active to mode when clicked-->
 		<div class="navbar navbar-item">
 			<div class="navbar-item-menu active" id="home">
-				<a href="/">Home</a>
+				<a href="/VulnerableApp">Home</a>
 			</div>
 			<div class="navbar-item-menu" id="about">
 				<a href="#about">About Us</a>
@@ -31,7 +31,7 @@
 				Mode
 			</div>
 			<div class="navbar-item-menu">
-				<a href="https://github.com/SasanLabs/VulnerableApp" target="_blank"><img src="/images/GitHub-Mark-32px.png" /></a>
+				<a href="https://github.com/SasanLabs/VulnerableApp" target="_blank"><img src="images/GitHub-Mark-32px.png" /></a>
 			</div>
 		</div>
 	</div>
@@ -86,8 +86,8 @@ <h2>How can Vulnerability Scanning Tools use VulnerableApp?</h2>
 				<br/>
 				<b>Following are the endpoints exposed: </b>
 				<ol>
-				<li><a href="/scanner">Scanner Endpoint</a></li>
-				<li><a href="/sitemap.xml">SiteMap Endpoint</a></li>
+				<li><a href="/VulnerableApp/scanner">Scanner Endpoint</a></li>
+				<li><a href="/VulnerableApp/sitemap.xml">SiteMap Endpoint</a></li>
 				</ol>
 
 				<b>Scanner Endpoint</b><br/>

diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.css
@@ -0,0 +1,6 @@
+#LFI_level_1 {
+    color: black;
+    text-align: left;
+    font-size: 18px;
+    font-weight: normal;
+}
diff --git a/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html b/src/main/resources/static/templates/LocalFileInclusion/LEVEL_1/LFI.html
@@ -0,0 +1,17 @@
+<div id="LFI_level_1">
+    <div>
+        Local file inclusion (also known as LFI) is the process of including files,
+        that are already locally present on the server, through the exploiting of
+        vulnerable inclusion procedures implemented in the application.
+        This vulnerability occurs, for example, when a page receives, as input,
+        the path to the file that has to be included and this input is not properly
+        sanitized, allowing directory traversal characters (such as dot-dot-slash)
+        to be injected.
+        <br /> <br />
+        For practice these vulnerabilities enter to:
+        <i>http://[baseUrl]:9090/VulnerableApp/LocalFileInclusion/[level]</i>
+        Try to find the password file inside the secretFiles folder using the URL param: <i>file</i>
+        <br /> <br />
+        <a href="/VulnerableApp/LocalFileInclusion/LEVEL_1" target="_blank">click here to start in LEVEL 1</a>
+    </div>
+</div>