I have been studying the LFI web vulnerability and I have seen that there are wrappers in PHP, which are mostly used to exploit said vulnerability. My question is: do the wrappers only exist in PHP?
What do you mean by wrappers here? Could you give an example? – Barmar Jul 02 '21 at 22:28
There is something about it: https://ruuand.github.io/Local_File_Include/ – conan2020 Jul 02 '21 at 22:41
Those are just exploits of bugs in some old PHP frameworks. There are frameworks for other languages, e.g. Flask for Python, Ruby-on-Rails. There may be exploits of those, bugs always exist. – Barmar Jul 02 '21 at 22:47
1 Answer
Wrappers exist in all languages. They are used to wrap libraries or functions with specific functionality that cannot easily be replicated with code that is more specific to the language or runtime environment. In higher level languages the term "adapter pattern" may be used instead of "wrapper".
LFI seems specific to inclusion of additional code into a running program. That kind of vulnerability is mainly present in scripting environments. A quick scan shows that e.g. JavaScript / Node.js also suffers from LFI, which isn't surprising in the least.
Compiled applications can also be augmented in several ways, but generally that takes more than just inclusion of a file. That doesn't mean that it is impossible: I actually found an example in Axis2, a Java XML processing library, relatively easily.
In e.g. compiled C code the attack surface is almost non-existent; it is vulnerable to a humongous number of attacks, but side-loading additional functionality is usually not one of them.
