I’m trying to understand how to perform an LFI (specifically a PHP LFI), and there is an aspect of this attack that never seems to be discussed in the online articles I read: the injected file’s permissions.
Indeed, let’s assume I can inject a file into the system. Most of the time, it is not going to be world-readable or executable (even the directory might not be traversable). Therefore, even if I can traverse a path through a ?file=../../../../../shell.php, it won’t get executed.
What I’m trying to say is that, in my opinion, if a system running PHP is well configured and assigns the right permissions to files, there is no need to worry that much about file extensions, file content, etc. So instead of adding multiple checks on the injected file, as suggested in multiple online resources, shouldn’t the dev focus on the system configuration (allow_url_include=0, file permissions, …)? To me, it is comparable to SQL injection: you would rather use prepared statements and simple user-input checking than vulnerable queries and complex user-input checking with huge whitelists/blacklists.
Am I missing something?
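As an added example (not code from the original post), here is the include pattern the question refers to, written first in the vulnerable form and then with two input checks a developer typically adds. The `pages/` directory, the page names and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post. The pages/ directory, the page
// names and the function names are assumed for illustration.

// Vulnerable: user input flows straight into include(). With a traversal payload
// such as ?file=../../../../../shell.php, PHP reads the target file itself and
// executes its contents; the file only has to be readable by the PHP process
// (the web server or php-fpm user), not marked executable.
function include_page_vulnerable(string $file): void
{
    include __DIR__ . '/pages/' . $file;
}

// Hardened (1): map the parameter onto a fixed allow-list of page names.
// Anything not on the list is rejected before any filesystem access happens.
function include_page_allowlisted(string $page): void
{
    $allowed = ['home', 'about', 'contact']; // assumed page names
    if (!in_array($page, $allowed, true)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened (2): when the set of pages is not fixed, confine the resolved path
// to the pages/ directory. realpath() resolves "../" segments and symlinks and
// returns false for missing files, so a traversal payload either fails to
// resolve or resolves outside $base and is rejected. The extension check
// keeps the include limited to .php files in that directory.
function include_page_confined(string $file): void
{
    if (str_contains($file, "\0")) {           // filesystem calls reject NUL bytes
        http_response_code(400);
        exit('Bad request');
    }
    $base   = realpath(__DIR__ . '/pages');
    $target = realpath($base . '/' . $file);
    if ($target === false
        || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)
        || pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        http_response_code(404);
        exit('Unknown page');
    }
    include $target;
}

// Usage: the allow-list variant is the one to wire up when the page set is known.
$page = $_GET['file'] ?? 'home';
include_page_allowlisted($page);
```

One caveat on the configuration side: `allow_url_include=0` (the PHP default) only stops `include` from fetching remote URLs; it does nothing against a local path such as `../../shell.php`, which is why the two checks above operate on the local path rather than on the URL wrapper.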