Mar 7, 2011

Local File Inclusion (LFI)


In this article I will explain the web exploitation technique "Local File Inclusion".

What makes a website vulnerable to LFI?

A short piece of PHP code is enough to make a website vulnerable to LFI. Let's look at this code:

<?php
// The "page" parameter is taken straight from the URL and used as a file path, with no validation at all.
$page = $_GET['page'];
include($page);
?>


This code must not be used anywhere in a PHP script, because $page is not sanitized and is passed directly to include(). Unfortunately, this code can be found many times in many popular websites.


Now we know why and how the web page becomes vulnerable. The rest of the article is about using the vulnerability to our advantage.

Let us now see how this code gives us the ability to browse through the web server.

Imagine that there is a file named saurav.php in the root directory of a website. If you type
http://victim.com/root/saurav.php
you can get access to that file, right?

But if the piece of PHP code above is inside index.php, then we can make the server run saurav.php using
http://victim.com/index.php?page=root/saurav.php

If index.php is at victim.com/root/index.php and saurav.php is at http://victim.com/saurav.php, you will have to type http://victim.com/test/index.php?page=../saurav.php . The ../ is called directory traversal; it lets you go up one directory level at a time.


Now I think you understood this one. Let's move on.

Now we can access directories and files that the server does not intend to expose. If the site is hosted on a UNIX server, we can reach the server's password file; we add ../ repeatedly to climb up through the directories.
Example:

http://site.com/index.php?page=../../etc/passwd
http://site.com/index.php?page=../../../../../../etc/passwd


Which of these works depends on where the passwd file sits relative to the directory the vulnerable script runs from, i.e. how many levels you have to climb.
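The requests above are exactly what a defender should be looking for in web server access logs. The following Python script is an added example, not part of the original article: it parses a few constructed Apache-style log lines and flags requests whose query parameters contain a traversal segment, a null byte, or one of the /etc paths named on this page, after URL-decoding the value until it stops changing (so percent-encoded and double-encoded variants are caught). The log lines and IP addresses are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1234
203.0.113.7 - - [07/Mar/2011:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.7 - - [07/Mar/2011:10:00:03 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 2048
203.0.113.9 - - [07/Mar/2011:10:00:04 +0000] "GET /index.php?page=%252e%252e%2fetc%2fpasswd HTTP/1.1" 404 512
203.0.113.11 - - [07/Mar/2011:10:00:05 +0000] "GET /index.php?page=contact HTTP/1.1" 200 900
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A ".." path segment, with either slash style, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Files the article shows being requested through the vulnerable parameter.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/security/")


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_reasons(value):
    """Return why one parameter value looks like an LFI probe ([] if it looks benign)."""
    reasons = []
    v = decode_fully(value).replace("\\", "/")
    if "\x00" in v:
        reasons.append("null-byte")
        v = v.split("\x00", 1)[0]  # judge the path the server would actually have seen
    if TRAVERSAL_RE.search(v):
        reasons.append("directory-traversal")
    for path in SENSITIVE_PATHS:
        if path in v:
            reasons.append("sensitive-file:" + path)
    return reasons


def scan_log(text):
    """Return one finding per request whose query parameters look like LFI probes."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        query = urlsplit(m.group("target")).query
        reasons = []
        for name, raw in parse_qsl(query, keep_blank_values=True):
            reasons += [name + ":" + r for r in suspicious_reasons(raw)]
        if reasons:
            findings.append({"ip": m.group("ip"), "target": m.group("target"),
                             "status": int(m.group("status")), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["target"], ", ".join(f["reasons"]))
```

Note that the 404 request is still reported: a probe that failed this time is the same attacker as one that succeeds later, so detection should key on the request, not on the response code.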


If you don't know what to do with /etc/passwd, read the rest of the article.

/etc/passwd is where the user accounts (and, on a non-shadowed system, their passwords) are stored. A non-shadowed passwd file looks like this:

username:passwd:UID:GID:full_name:directory:shell

For example:
username:SaurRavhAckingclass:503:100:FullName:/home/user name:/bin/sh

All you need to do then is take the username and decode the password. If the passwd file is shadowed, you'll see something like this:

username:x:503:100:FullName:/home/username:/bin/sh

Now you can see the password field is just "x", and the encoded password has moved to /etc/shadow (you will probably not have access to /etc/shadow because it is readable and writable only by root, whereas /etc/passwd has to be readable by many processes, which is why you can read it).
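As an added example (not from the original article), here is a small Python parser for the seven-field passwd format just described, together with a check an administrator can run to find accounts whose password hash still sits in /etc/passwd instead of /etc/shadow, which is the condition this section describes. The sample records are constructed from the two record shapes shown above.

```python
PASSWD_FIELDS = ("username", "passwd", "uid", "gid", "full_name", "directory", "shell")

# Constructed sample: one non-shadowed entry (the article's example) among normal ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
username:SaurRavhAckingclass:503:100:FullName:/home/user name:/bin/sh
username2:x:504:100:FullName:/home/username2:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Values in the passwd field that mean "no hash stored here": shadowed or locked.
PLACEHOLDER_VALUES = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts keyed by PASSWD_FIELDS."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            raise ValueError("line %d: expected %d fields, got %d"
                             % (lineno, len(PASSWD_FIELDS), len(fields)))
        rec = dict(zip(PASSWD_FIELDS, fields))
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def unshadowed_accounts(records):
    """Usernames whose passwd field carries a real hash rather than a placeholder."""
    return [r["username"] for r in records if r["passwd"] not in PLACEHOLDER_VALUES]


if __name__ == "__main__":
    recs = parse_passwd(SAMPLE_PASSWD)
    print("accounts:", len(recs))
    print("hash stored in passwd file:", unshadowed_accounts(recs))
```

On a modern system the second list should be empty; any name in it is an account whose hash is exposed to every process that can read /etc/passwd, and therefore to an LFI like the one on this page.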

Here are some other places that you can look at:
/etc/passwd
/etc/shadow
/etc/security/user
/etc/security/group
/etc/security/passwd
/etc/security/limits
/etc/security/environ
/etc/group

This site will help you more with /etc/passwd: click here

There is another piece of code that may make a site vulnerable to LFI:

<?php
// Same flaw as before, except the application appends ".php" to whatever was supplied.
$page = $_GET["page"];
include("$page.php");
?>

In this case, as you can see, it appends .php to anything you include. So if you type
http://victim.com/index.php?page=../../../../etc/passwd

and it shows an error like "the file does not exist", you will have to add a null byte (%00):

http://victim.com/index.php?page=../../../../etc/passwd%00

The null byte terminates the string, so everything after it (the appended .php) is ignored. Note that PHP 5.3.4 and later refuse paths containing a null byte in include(), so this only works against older PHP versions.
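Both PHP snippets on this page, include($page) and include("$page.php"), are the vulnerable form. The following Python is an added example, not code from the original article: it mirrors the checks a hardened version should apply before calling include(), rejecting null bytes, consulting an allowlist of page names the application actually has, and confirming with realpath that the resolved file still lies under the pages directory, so that neither ../ nor the null-byte trick can reach anything else. The temporary directory layout, the allowlist {"about"} and the function names are assumptions made for the demo.

```python
import os
import tempfile


class IncludeRejected(Exception):
    """Raised when a ?page= value fails the safety checks."""


def resolve_page_unsafe(base_dir, page):
    """Mirror of the article's include("$page.php"): the value is joined as-is, unchecked."""
    return os.path.join(base_dir, page + ".php")


def resolve_page_safe(base_dir, page, allowlist=None):
    """Map a page name to a file under base_dir, or raise IncludeRejected.

    Layers, each of which alone stops the cases shown in the article:
      1. reject NUL before touching the filesystem (the null-byte truncation trick)
      2. optional allowlist of page names the application really serves
      3. realpath containment, so '..' and symlinks cannot leave base_dir
    """
    if "\x00" in page:
        raise IncludeRejected("null byte in page name")
    if allowlist is not None and page not in allowlist:
        raise IncludeRejected("page not in allowlist: %r" % page)
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, page + ".php"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise IncludeRejected("resolved path escapes %s" % base_real)
    if not os.path.isfile(candidate):
        raise IncludeRejected("no such page")
    return candidate


def is_rejected(base_dir, page, allowlist=None):
    """True if the hardened resolver refuses this value."""
    try:
        resolve_page_safe(base_dir, page, allowlist)
        return False
    except IncludeRejected:
        return True


def unsafe_target_exists(base_dir, page):
    """Would the unchecked join point at an existing file? (Paths with NUL cannot be stat'ed.)"""
    try:
        return os.path.isfile(resolve_page_unsafe(base_dir, page))
    except ValueError:
        return False


def build_demo_site():
    """Constructed throwaway layout: <root>/pages/about.php, plus <root>/secret.php outside pages/."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.php"), "w") as f:
        f.write("<?php echo 'about'; ?>\n")
    with open(os.path.join(root, "secret.php"), "w") as f:
        f.write("<?php // must never be reachable through ?page= ?>\n")
    return pages


if __name__ == "__main__":
    pages = build_demo_site()
    for value in ["about", "../secret", "../../../../etc/passwd", "about\x00"]:
        verdict = "rejected" if is_rejected(pages, value, {"about"}) \
            else resolve_page_safe(pages, value, {"about"})
        print(repr(value), "| unchecked join exists:", unsafe_target_exists(pages, value),
              "| hardened:", verdict)
```

In PHP the same three checks map onto a strpos() test for "\0", in_array() against the page list, and realpath() followed by a prefix comparison of the result with the pages directory; the allowlist alone is the simplest fix, and the realpath check is the safety net for when the list is maintained badly.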
There are many other ways to exploit a website using LFI; we can use Perl scripts and many other things. I will discuss them some other day.

This article may be a little difficult for a beginner. Read it thoroughly and search Google for more on the topic.

Happy Hacking 


Credits - planet creator
