what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Thursday, April 12, 2007

LOCAL FILE INCLUSION


LOCAL FILE INCLUSION

Local file inclusion is when you view 1 of the remote systems local files through one of their web based scripts normally, e.g. victimsite.com/vulnerablescript.php?script=../../../../../../../etc/passwd? which if on a unix/Linux system will bring up the passwd file.

Its normally found in webapplications who's input isn't sanitised properly.http://www.victim.com/vulnerablescript.php=2

Now this is like a GET parameter request for 2 on the above URL. Lfi works with the following


- Nullbytes: %00
- Directory transversal: /../

Lets assume the vulnerable script looks as this;

$file=$_GET["file"]; //Get parameter
include(".vuln/$vulnerable.php") //include Get parameter with folder prefix
?>



As we all know, the GET parameter is passed to the include fuction, which then loads the file, linking up to the full path; /home/www/anotherfile/application/vulnerablescript.php

Even, as far as PHP is concerned, it has a way of allowing upload of files to the box template folder, which will turn from LFI to RFI. RFI is a short name of Remote File Inclusion. This will happen if allow_url_fopen is enabled, which due to these vulnerabilities, it will be disabled in PHP 6. You can read more about uploading in php here, http//au.php.net/manual/en/features.file-upload

So to check if our exploit works we load up the vulnerable script up the url, and feed in a LFI, check this out.....

www.victimsite.com/vulnerablescript.php=../vulnerablescript.php

......and if it reloads, the site is vulnerable to LFI

What will happen in the background is something like this

/home/www/anotherfile/application/vuln/../vulnerablescript.php

Now this is a simple directory transversal

Nullbytes come into play if .php is closed up to the file and helps to ignore everything except %00, so if u do vulnerablescript.php%00, everything after .php is ignored.

Remember most of our sites have so many security holes u would be amazed, especially if the box is in the same LAN the company or the institution is. Another way of acting gone in 60 seconds huh!

The screenshot below shows an LFI.


Will be writing more soon on websecurity.

/Chuks

2 comments:

BRIGHT said...

Wsup Chuks,I've been wondering what exactly an SQL injection is and wat r the prerequisites.
I will sending new posts soon after ma exams on the 9th of this month.laters

Chuks said...

Hi Bright.

We are going to have a conference at the end of this month covering the above and alot about web application security.

The Timetable will be posted at the Forums.

You will learn alot from there.

/Chuks