I'm trying to figure out how to perform an LFI (especially PHP LFI), and there's one aspect of this attack that never seems to be discussed in the online articles I've read: the permissions on the injected file.
Indeed, suppose I can inject a file into the system. Most of the time, it will not be readable or executable (even the directory may not be traversable). Therefore, even though I can traverse the path via ?file=../../../../../shell.php, it will not be executed.
What I'm trying to say is that, in my opinion, if a system running PHP is properly configured and assigns the appropriate permissions to the files, there is no longer a need to worry about file extensions, file content, … Rather than adding multiple controls on the injected file, as suggested in multiple online resources, should the developer not focus on system configuration (allow_url_include = 0, permissions on the files, …)? For me, it's comparable to SQL injection. You would prefer to use prepared statements and simple checking of user input rather than vulnerable queries and complex checking of input with large white/black lists.
Am I missing something?
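
An added example, not part of the original post: the application-side counterpart of the prepared-statement analogy above, where the request selects a key from an allow-list and the resolved path is checked for containment before any include. The function name resolvePage(), the page names, the open_basedir path and the temporary directory are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Assumed php.ini settings alongside this code (the first is named in the post):
//   allow_url_include = 0
//   open_basedir = /var/www/app/pages   ; hypothetical path
//
// Pattern the post describes, shown only as a comment:
//   include $_GET['file'];   // path taken straight from the request

/**
 * Resolve a user-supplied page name to a file inside $baseDir, or null.
 * resolvePage() and the page names are hypothetical.
 */
function resolvePage(string $baseDir, array $allowed, string $name): ?string
{
    // 1. Allow-list: the request picks a key, it never supplies a path.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise and confirm the result stays under $baseDir
    //    (covers symlinks and a badly chosen allow-list entry).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway pages directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0750);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home'; ?>");

$allowed = ['home', 'about'];
// Constructed inputs: a valid key, the traversal string, a key with no file behind it.
foreach (['home', '../../../../../shell', 'about'] as $input) {
    $resolved = resolvePage($dir, $allowed, $input);
    printf("%-24s => %s\n", $input, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```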