Table of Contents
• Tool Output
• Do We Stop Here?
• Custom Scripts
• Online Research
• Testing Exploitation
• PHP LFI
• Code Execution, Yes Please!
• This session will cover the mindset I follow when approaching a web application
• I am going to show where many might stop, and what happens when you push further
• These types of techniques can be applied to any web application
• Pre-Engagement Activities
– Hammer out all the details to conduct the test (Schedule, Scoping, Rules of Engagement, Formal Permission, etc.)
• Information Gathering and Reconnaissance
– Depends on the type of test and the information you are given (Organization name, CIDR, list of URLs, source code, etc.)
• Automated Testing
• Manual Testing and Validation
• Remediation Support
Mindset is Key
• Think like an attacker and see things through a
– Upload an avatar? Hmmm add code?
– Download a report? Hmm directory traversal for
– Without it you’ll very easily hit a wall and stop
– I tell myself a vulnerability is here I just need to find it
• Web Application testing requires custom scripting… really no way of getting around it:
Custom Scripts Cont.
• Making web requests with a scripting language isn’t too difficult
• Check out tutorials online and try to automate
• Making a tool for CVE-2012-1823 is a good use case because you need to make a POST request and modify several header values
– If you can write a tool for this CVE, it demonstrates concepts that can be applied to many different CVEs
• Cool, so we can LFI, do we stop now?
PHP LFI…Now What?
• What can be done with a PHP LFI?
• It depends on which function is leading to the LFI vulnerability (include(), readfile(), etc.)
• PHP functions like include() will execute PHP code in the included file
– Yay code execution through php snippets!
• PHP functions like readfile() will only display output
– We have more work to do
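The two sinks contrasted above, as an added code-review example that is not from the original slides: include() and readfile() reached with user-controlled paths, beside a hardened version that maps input to an allowlist and confirms the resolved path stays inside the intended directory. Directory names and parameter names are assumptions for illustration.

```php
<?php
// Added example, not from the original deck. Directory and parameter names
// are assumptions chosen for illustration.

// VULNERABLE: include() parses and runs PHP in whatever file the path
// resolves to, so a user-controlled path is a code-execution sink, not
// merely a file-disclosure one.
function vulnerable_include(string $page): void {
    include __DIR__ . '/pages/' . $page;
}

// VULNERABLE: readfile() only echoes bytes. Impact is disclosure of
// source or configuration rather than execution: "more work to do".
function vulnerable_readfile(string $file): void {
    readfile(__DIR__ . '/reports/' . $file);
}

// HARDENED: never build a filesystem path from raw input. Map the request
// to a fixed allowlist, then verify the resolved path is inside $base.
function resolve_inside(string $base, string $name): ?string {
    $baseReal = realpath($base);
    $target   = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files; the prefix check also
    // defeats symlinks that point outside the directory.
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function safe_include(string $page): void {
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    $target  = isset($allowed[$page])
        ? resolve_inside(__DIR__ . '/pages', $allowed[$page])
        : null;
    if ($target === null) {
        http_response_code(404);
        return;
    }
    include $target;
}

function safe_readfile(string $file): void {
    // Only a bare file name is acceptable; any separator or "." / ".." is rejected.
    $target = ($file !== '' && $file === basename($file) && $file !== '.' && $file !== '..')
        ? resolve_inside(__DIR__ . '/reports', $file)
        : null;
    if ($target === null) {
        http_response_code(404);
        return;
    }
    readfile($target);
}
```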
• Tools may not give you the answer
• Very easy to hit a hurdle and quit
• You need to be curious/creative and constantly push to get more information
• Confidence and mindset go a long way