Thursday, April 12, 2007
LOCAL FILE INCLUSION
Local file inclusion is when you view one of the remote system's local files through one of its web-based scripts, e.g. victimsite.com/vulnerablescript.php?script=../../../../../../../etc/passwd which, if the box is a Unix/Linux system, will bring up the passwd file.
It's normally found in web applications whose input isn't sanitised properly.
http://www.victim.com/vulnerablescript.php=2
Now this is like a GET parameter request for 2 on the above URL. LFI works with the following:
- Null bytes: %00
- Directory traversal: /../
Let's assume the vulnerable script looks like this:
$file = $_GET["file"]; // GET parameter
include(".vuln/$file.php"); // include the GET parameter with a folder prefix and a .php suffix appended
As we all know, the GET parameter is passed to the include function, which then loads the file, joining it onto the full path: /home/www/anotherfile/application/vulnerablescript.php
Even, as far as PHP is concerned, it has a way of allowing upload of files to the box's template folder, which will turn an LFI into an RFI. RFI is short for Remote File Inclusion. This will happen if allow_url_fopen is enabled, which, due to these vulnerabilities, will be disabled in PHP 6. You can read more about uploading in PHP here: http://au.php.net/manual/en/features.file-upload
So to check if our exploit works, we load the vulnerable script up in the URL and feed in an LFI; check this out.....
......and if it reloads, the site is vulnerable to LFI.
What will happen in the background is something like this
Now this is a simple directory traversal.
Null bytes come into play when the script appends .php to the file name: the string functions underneath PHP stop at the null byte, so everything after %00 is ignored. So if you do vulnerablescript.php%00, the .php that the script appends after it is dropped.
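To show how the include above is actually fixed, here is an added example (not code from the original post): the post's vulnerable include next to a hardened version that uses an allowlist of page names, a strict name check and a realpath containment check, so neither the /../ traversal nor the %00 trick reaches the filesystem. The $file parameter, the vuln/ folder and the page names are assumptions.

```php
<?php
// Added example, not the post's own code. Assumed names: $file, the vuln/ folder,
// and the page list.

// Vulnerable, as in the post: the GET value is spliced straight into the path,
// so "../../../../etc/passwd%00" walks out of the folder and, on PHP before
// 5.3.4, the null byte truncates the appended ".php".
function include_vulnerable(string $file): void
{
    include("vuln/$file.php");
}

// Hardened: only a name from a fixed list is accepted, and the path that is
// finally included is one the script built itself, never the raw request.
function resolve_page(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Plain page names only: no slashes, no dots, no NUL bytes, bounded length.
    if (!preg_match('/^[a-z0-9_-]{1,64}$/i', $requested)) {
        return null;
    }
    // 2. Allowlist: an unknown name is refused, not tried on disk.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved file must still live inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the request decides which allowed page, never which path.
$allowed = ['home', 'about', 'contact'];
$page = resolve_page($_GET['file'] ?? 'home', $allowed, __DIR__ . '/vuln');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With this in place, a request such as ?file=../../../../etc/passwd%00 fails the name check before any filesystem call is made, and a 404 for an unknown page name is a useful signal to log and alert on.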
Remember, most of our sites have so many security holes you would be amazed, especially if the box is on the same LAN as the company or the institution. Another way of acting gone in 60 seconds, huh!
The screenshot below shows an LFI.
Will be writing more soon on websecurity.