Second-Order LFI

Local File Inclusion (LFI) is typically easy to spot and exploit, unless a WAF needs to be bypassed. However, attackers may overlook more complex forms of LFI that require in-depth understanding of the underlying web application.

Code Review - Identifying the Vulnerability

Application Overview

Updated version with ability to:

Update username
Update filenames

File Storage Mechanism (db.php)

Files are stored locally on the filesystem, in a folder named after the owner:

function fetch_data($id){
    global $conn;
    
    $sql = "SELECT * FROM data WHERE id=?;";
    $stmt = mysqli_stmt_init($conn);
    if(!mysqli_stmt_prepare($stmt, $sql)){
        echo "SQL Error";
        exit();
    }
    // execute query
    $id = intval($id);
    mysqli_stmt_bind_param($stmt, "i", $id);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $result = mysqli_fetch_assoc($result);
    $owner = $result['owner'];
    $name = $result['name'];
    $path = '/var/www/' . $owner . '/' . $name . '.txt';
    return array("name" => $name, "content" => file_get_contents($path));
}

Path construction: /var/www/<owner>/<filename>.txt

Analyzing edit_filename.php

$user_data = fetch_user_data($_SESSION['user']);
$data = fetch_data($_SESSION['file_id']);
if(isset($_POST['new_filename'])){
    $new_filename = $_POST['new_filename'];
    $user = $_SESSION['user'];
    $file_id = $_SESSION['file_id'];
    # reject hacking attempts
    $invalid = strpos($new_filename, '..') || strpos($new_filename, '/') || strpos($new_filename, '\\');
    if($invalid) {
        $_SESSION['msg'] = "Invalid characters in filename! You have been logged out for security reasons.";
        header("Location: index.php");
        exit;
    }
    
    update_filename($file_id, $user, $new_filename, $data['name']);
    header("Location: display_data.php");
    exit;
}

Filename is filtered! Rejects .., /, \ → Cannot escape user directory via filename.

Analyzing edit_username.php

$user_data = fetch_user_data($_SESSION['user']);
if(isset($_POST['new_username'])){
    $new_username = $_POST['new_username'];
    
    if(update_username($_SESSION['user'], $new_username)){
        $_SESSION['user'] = $new_username;
        header("Location: profile.php");
        exit;
    }
    $msg = "Error! Username is already taken!";
}

No filter on username! Can inject ../ sequences.

update_username Function (db.php)

function update_username($user, $new_username){
    global $conn;
    # check if user already exists
    if (fetch_user_data($new_username)){
        return false;
    }
    # update username
    $sql = "UPDATE users SET username=? WHERE username=?;";
    <SNIP>
    # update files
    $sql = "UPDATE data SET owner=? WHERE owner=?;";
    <SNIP>
    return true;
}

Critical Bug: Developers forgot to update file paths when username changes!

The Vulnerability

Bug Behavior

User htb-stdnt owns file test.txt at /var/www/htb-stdnt/test.txt
Rename file to HelloWorld.txt → moved to /var/www/htb-stdnt/HelloWorld.txt
Change username to test → file path NOT updated
Access HelloWorld.txt → app tries to read /var/www/test/HelloWorld.txt
File not found (wasn't moved)

Escalation to LFI

Since username is not filtered for special characters:

Change filename to match target file name
Change username to traverse directories
App reads from manipulated path → LFI!

Exploit Plan

Target: /tmp/poc.txt

┌─────────────────────────────────────────────────────────────────────────┐
│                        Second-Order LFI Attack                          │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  Step 1: Rename file to "poc"                                          │
│          └── File moved to /var/www/htb-stdnt/poc.txt                  │
│                                                                         │
│  Step 2: Change username to "../../tmp"                                │
│          └── File NOT moved (bug!)                                     │
│          └── DB updated: owner = "../../tmp"                           │
│                                                                         │
│  Step 3: Access file "poc"                                             │
│          └── Path: /var/www/../../tmp/poc.txt                          │
│          └── Resolves to: /tmp/poc.txt                                 │
│          └── TARGET FILE LEAKED!                                       │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Local Testing Setup

Create PoC File

echo 'The Exploit Works!' > /tmp/poc.txt

Database Setup (db.sql)

CREATE TABLE `data` (
  `id` int(11) NOT NULL,
  `owner` varchar(256) NOT NULL,
  `name` varchar(256) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(256) NOT NULL,
  `description` varchar(256) NOT NULL,
  `password` longtext NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

# htb-stdnt:Academy_student!
INSERT INTO `users` (`id`, `username`, `description`, `password`) VALUES
(1, 'htb-stdnt', 'This is the user for HackTheBox Academy students.', '$2a$12$f4QYLeB2WH/H1GA/v3M0I.MkOqaDAkCj8vK4oHCvI3xxu7jNhjlJ.');

INSERT INTO `data` (`id`, `owner`, `name`) VALUES
(1, 'htb-stdnt', 'Lorem Ipsum');

Start MySQL Container

docker run -p 3306:3306 -e MYSQL_USER='db' -e MYSQL_PASSWORD='db-password' -e MYSQL_DATABASE='db' -e MYSQL_ROOT_PASSWORD='db' --mount type=bind,source="$(pwd)/db.sql",target=/docker-entrypoint-initdb.d/db.sql mysql

Start PHP Server

php -S 127.0.0.1:8000

Create Test File

sudo mkdir /var/www/htb-stdnt/
echo 'This is the file Lorem Ipsum!' | sudo tee /var/www/htb-stdnt/Lorem\ Ipsum.txt

Exploitation

Step 1: Rename File to Target Name

Go to /edit_filename.php and change filename to poc

Step 2: Change Username to Path Traversal

Go to /edit_username.php and set username to ../../tmp

Step 3: Access the File

Select the renamed file poc → Web app loads /var/www/../../tmp/poc.txt

Result: The Exploit Works!

Limitations

Only .txt files can be leaked (extension hardcoded)
Still a security issue in real-world complex applications
Requires close analysis of how components interact

Question Walkthrough

Task: Exploit second-order LFI to leak the file flag owned by user admin.

Step 1: Analyze Source

wget https://academy.hackthebox.com/storage/modules/231/src_LFI.zip
unzip src_LFI.zip

Key findings:

edit_username.php has no LFI filters
update_username doesn't update file paths

Credentials: htb-stdnt:Academy_student!

Step 3: Rename File

Change filename of any file (e.g., "Lorem Ipsum") to flag

Step 4: Change Username

Navigate to /edit_username.php and set username to ../www/admin

Step 5: Access Flag

View the "flag" file.

App fetches: /var/www/../www/admin/flag.txt → Admin's flag leaked!

PreviousSecond-Order IDOR (Blackbox)NextSecond-Order Command Injection

Last updated 14 days ago

hashtagCode Review - Identifying the Vulnerability

hashtagApplication Overview

hashtagFile Storage Mechanism (db.php)

hashtagAnalyzing edit_filename.php

hashtagAnalyzing edit_username.php

hashtagupdate_username Function (db.php)

hashtagThe Vulnerability

hashtagBug Behavior

hashtagEscalation to LFI

hashtagExploit Plan

hashtagLocal Testing Setup

hashtagCreate PoC File

hashtagDatabase Setup (db.sql)

hashtagStart MySQL Container

hashtagStart PHP Server

hashtagCreate Test File

hashtagExploitation

hashtagStep 1: Rename File to Target Name

hashtagStep 2: Change Username to Path Traversal

hashtagStep 3: Access the File

hashtagLimitations

hashtagQuestion Walkthrough

hashtagStep 1: Analyze Source

hashtagStep 2: Login

hashtagStep 3: Rename File

hashtagStep 4: Change Username

hashtagStep 5: Access Flag