WackoPicko/File-Inclusion

From Aldeid

Jump to: navigation, search

You are here:

Vulnerabilities

File Inclusion

Contents

1 Description
2 Proof of Concept
3 How to detect?
4 How to protect against it?
5 Comments

Description

File Inclusion attacks are of two types:

Local File Inclusion (LFI). It consists of exploiting a directory-traversal vulnerability to include files that were not intended by the application. A common target is the famous /etc/passwd file.
Remote File Inclusion (RFI). Same as LFI but by injecting a remote file (e.g. C99shell).

Proof of Concept

Warning

Notice that NULL Byte has been disabled from PHP 5.3.4

How to detect?

How to protect against it?

Upgrade to the latest version of PHP
Never trust user inputs. Always challenge the strings against whitelists and purify/sanitze content.

Comments

Share this article • Tweet it! • Email this • Digg it • Share on Facebook

Talk:WackoPicko/File-Inclusion

Retrieved from "http://www.aldeid.com/w/index.php?title=WackoPicko/File-Inclusion&oldid=17831"

Personal tools

Log in

Security

Misc

Toolbox