I'm trying to understand how to perform an LFI (specifically a PHP LFI), and there is an aspect of this attack that never seems to be discussed in the online articles I read: the injected file's permissions.
Indeed, let's assume I can inject a file into the system. Most of the time, it is not gonna be world readable or executable (even the directory might not be traversable). Therefore, even if I can traverse a path through a ?file=../../../../../shell.php, it won't get executed.
What I'm trying to say is that, according to me, if a system running PHP is well configured and assigns the right permissions to files, there is no need to worry that much about file extensions, file content, ... So instead of adding multiple checks on the injected file as suggested by multiple online resources, shouldn't the dev focus on the system configuration (allow_url_include=0, file permissions, ...)? For me, it is comparable to SQL injection. You would rather use prepared statements and simple user input checking than vulnerable queries and complex user input checking with huge whitelists/blacklists.
Am I missing something?
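As an added example (not part of the original question), the two patterns the question contrasts, side by side: an include driven straight by the request parameter, and one that maps the parameter through a fixed allowlist and then verifies the resolved path stays under a fixed directory. The page keys, file names and the pages/ directory are assumptions.

```php
<?php
// Added example: a page router that includes a file chosen by the user.
// The first form trusts the parameter; the second resolves it through a
// fixed allowlist and a fixed base directory. Keys and paths are assumed.

declare(strict_types=1);

// Form 1: the parameter is used as the include path. Any file the PHP
// process can read becomes reachable, independent of what was "injected"
// (e.g. ?page=../../../../../shell.php, as in the question).
function include_untrusted(string $page): void
{
    include $page;
}

// Form 2: the request may only select a key; the file name is never
// taken from the request at all.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                        // unknown key: refuse, do not guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                        // base dir or target file missing
    }
    // Defence in depth: even with the allowlist, insist that the resolved
    // file sits below the base directory (realpath has removed any ../).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function include_allowlisted(string $key, string $baseDir): void
{
    $path = resolve_page($key, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

include_allowlisted($_GET['page'] ?? 'home', __DIR__ . '/pages');
```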