LOCAL/REMOTE FILE INCLUSION (DASAR KEMANAN SIBER)
๐ป Tutorial Praktikum: Memahami dan Mencegah Serangan LFI & RFI
๐ก️ Apa Itu LFI & RFI?
-
LFI (Local File Inclusion): Kerentanan yang memungkinkan penyerang untuk memuat file lokal di server melalui parameter URL.
-
RFI (Remote File Inclusion): Kerentanan yang memungkinkan penyerang memuat file dari sumber eksternal (misalnya internet) dan mengeksekusinya di server.
๐ฏ Tujuan Serangan LFI/RFI:
-
Membaca file konfigurasi server (misal:
httpd.conf,.env) -
Menjalankan skrip berbahaya
-
Mencuri data sensitif
-
Mengambil alih sistem (akses shell)
๐งช DEMO 1: SERANGAN LFI
1️⃣ Persiapan
-
Buka folder XAMPP:
-
Buat folder:
lfi -
Buka Visual Studio Code, lalu buka folder tersebut (
File > Open Folder > lfi).
2️⃣ Buat File index.php
<?php
// index.php
$page = isset($_GET['page']) ? $_GET['page'] : 'home.php';
include($page);
?>
3️⃣ Buat File home.php
<?php
echo "Welcome to the home page!";
?>
4️⃣ Jalankan LFI (Jangan Lupa Jalankan Apache)
-
Akses:
http://localhost/lfi/index.php -
Eksploitasi LFI dengan mengubah URL:
http://localhost/lfi/index.php?page=C:/xampp/htdocs/lfi/home.php -
Coba akses file sensitif:
http://localhost/lfi/index.php?page=C:/xampp/apache/conf/httpd.conf
๐ง PERBAIKAN: Mencegah LFI
✅ Update index.php menjadi aman
<?php
// Validasi input
$allowed_pages = ['home'];
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
if (in_array($page, $allowed_pages)) {
include($page . '.php');
} else {
echo "Halaman tidak ditemukan!";
}
?>
✅ Hasil :
http://localhost/lfi/index.php
http://localhost/lfi/index.php?page=C:/xampp/htdocs/lfi/home.php
http://localhost/lfi/index.php?page=C:/xampp/apache/conf/httpd.conf๐งช DEMO 2: SERANGAN RFI
1️⃣ Buat Folder uploads di C:\xampp\htdocs\lfi/uploads
2️⃣ Buat File upload.php di lfi/
<?php if ($_SERVER['REQUEST_METHOD'] == 'POST') { $target_dir = "uploads/"; $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]); if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) { echo "The file ". htmlspecialchars(basename($_FILES["fileToUpload"]["name"])). " has been uploaded."; } else { echo "Sorry, there was an error uploading your file."; } } ?> <!DOCTYPE html> <html> <body> <form action="upload.php" method="post" enctype="multipart/form-data"> Pilih file: <input type="file" name="fileToUpload" id="fileToUpload"> <input type="submit" value="Upload File" name="submit"> </form> </body> </html>
3️⃣ Buat File Berbahaya (Contoh: shell.php)
<?php
echo "Shell executed!";
?>
4️⃣ Upload dan Jalankan
-
Akses:
http://localhost/lfi/upload.php -
Upload
shell.php -
Jalankan:
http://localhost/lfi/uploads/shell.php
๐ PERBAIKAN: Mencegah RFI
-
Batasi jenis file yang diupload (gunakan whitelist seperti
.jpg,.png, dll). -
Hindari folder upload yang bisa diakses langsung.
-
Jangan pernah
includefile dari hasil upload atau input pengguna. -
Tambahkan pengecekan MIME type dan ekstensi.
if ($_SERVER['REQUEST_METHOD'] == 'POST') { $target_dir = "../uploads/"; $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]); // Validasi ekstensi file $allowed = ['txt', 'jpg', 'png']; // hanya file aman $file_ext = pathinfo($target_file, PATHINFO_EXTENSION); if (in_array($file_ext, $allowed)) { if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) { echo "File ". htmlspecialchars(basename($_FILES["fileToUpload"]["name"])). " berhasil diupload."; } else { echo "Gagal mengupload file."; } } else { echo "Jenis file tidak diperbolehkan."; } } <!DOCTYPE html> <html> <body> <form action="upload.php" method="post" enctype="multipart/form-data"> Pilih file: <input type="file" name="fileToUpload" id="fileToUpload"> <input type="submit" value="Upload File" name="submit"> </form> </body> </html>
Hasil :
⚠️ Dampak Serangan LFI & RFI
| LFI | RFI |
|---|---|
| Akses file konfigurasi server | Menjalankan file dari server eksternal |
| Bypass login (baca session) | Backdoor shell upload & eksekusi |
Membaca file passwd, .env | Pengambilalihan sistem server |
Komentar
Posting Komentar