I am trying to understand how to perform an LFI (specifically a PHP LFI), and there is one aspect of this attack that never seems to be discussed in the online articles I read: the injected file's permissions.
In fact, suppose I can inject a file into the system. Most of the time, it will not be world-readable or world-executable (even the directory may not be traversable). Therefore, even if I can traverse a path with `?file=../../../../shell.php`, it will not run.
What I am trying to say is that, in my opinion, if a system that runs PHP is properly configured and assigns the correct permissions to the files, there is no need to worry much about file extensions, file contents, etc. So, instead of adding multiple checks on the injected file as suggested in multiple online resources, shouldn't the developer focus on the system configuration (`allow_url_include = 0`, file permissions, ...)? For me, it's comparable to SQL injection: I would prefer simple user input verification and prepared statements to vulnerable queries with complex user input verification and huge whitelists.
Am I missing something?
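For readers following the question, the following is an added example (not code from the original post) that puts the include pattern the question describes next to a hardened version. The hardened version treats the request parameter as a key into a fixed allow-list rather than as a path, then confirms with `realpath()` that the resolved file sits under the expected directory. File names, the `pages/` directory and the `page` query parameter are assumptions for illustration. The hardening in `php.ini` that the question mentions (`allow_url_include = Off`, and `open_basedir` to confine what PHP may open) is defence in depth; it complements, rather than replaces, the allow-list in code.

```php
<?php
// Added example, not from the original post.

// VULNERABLE: the request parameter is passed straight to include().
// A value such as ../../../../somefile walks up the tree, and PHP reads
// the target with the web server's own permissions, so any file the
// server user can read is in scope regardless of its extension.
function render_vulnerable(string $page): void
{
    include $page; // no validation at all
}

// HARDENED: map short page names to fixed paths; anything else is rejected.
// Directory and file names below are assumptions for this example.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Allow-list lookup: the user-controlled value is only ever a key.
function resolve_page(string $name): ?string
{
    return PAGES[$name] ?? null;
}

// Confirms that $path, once normalised, lives inside $baseDir.
function inside_directory(string $path, string $baseDir): bool
{
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

function render_hardened(string $name): void
{
    $path = resolve_page($name);
    // Second check guards against a mistaken entry in PAGES itself.
    if ($path === null || !inside_directory($path, __DIR__ . '/pages')) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_hardened($_GET['page'] ?? 'home');
```

With the allow-list in place, a traversal string is never used as a path at all, so the question of whether the injected file is readable or executable does not arise; the `php.ini` settings then limit the damage if a different include somewhere in the code base is missed.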