WackoPicko/File-Inclusion

From aldeid

Description

File Inclusion attacks are of two types:

  • Local File Inclusion (LFI). The attacker exploits a directory-traversal weakness in a file-including function to make the application include files on the server that it was never meant to expose. A common target is the famous /etc/passwd file.
  • Remote File Inclusion (RFI). Same principle as LFI, but the included file is fetched from a remote server under the attacker's control (e.g. the C99shell web shell).

Proof of Concept

[Screenshot: Wackopicko-file-inclusion.png]

[Screenshot: Ssh-img013.png]
Warning
Note that null-byte injection into file paths no longer works since PHP 5.3.4, which rejects any path containing a NUL byte.

[Screenshot: Php-null-byte.png]

How to detect?

How to protect against it?

  • Upgrade to the latest version of PHP
  • Never trust user input. Always check user-supplied strings against a whitelist of expected values and sanitize content before using it.
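The whitelist approach from the last bullet, as an added PHP example (not WackoPicko's own code): the vulnerable include pattern beside a hardened resolver that maps the untrusted value onto a fixed list of page names. The `page` parameter, the `pages/` directory and the page names are assumptions.

```php
<?php
// Added example, not WackoPicko's code. The "page" parameter, the pages/
// directory and the allowed page names are assumptions for illustration.

// VULNERABLE: user input becomes part of the included path. A traversal
// value (LFI) or, with allow_url_include enabled, a URL (RFI) reaches
// include() unchanged. Shown only to make the defect visible.
function include_page_vulnerable(string $page): void
{
    include 'pages/' . $page . '.php';
}

// HARDENED: the input is only ever compared against a whitelist; no part
// of it is used as a path component, so traversal and NUL bytes are moot.
const ALLOWED_PAGES = ['home', 'gallery', 'upload', 'about'];

function resolve_page(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                  // unknown page: refuse, never guess
    }
    return __DIR__ . '/pages/' . $page . '.php';
}

function include_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null || !is_file($path)) {
        // Log the rejected value hex-encoded so control bytes cannot
        // corrupt the log line; this is a useful detection signal.
        error_log('file inclusion attempt rejected: ' . bin2hex($page));
        http_response_code(404);
        return;
    }
    include $path;
}

// Defence in depth (php.ini): allow_url_include=Off removes RFI entirely,
// and open_basedir confines remaining file access to the web root:
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   open_basedir      = /var/www/html

// CLI self-check: only whitelisted names resolve; the others are rejected.
if (PHP_SAPI === 'cli') {
    foreach (['home', '../../etc/passwd', "home\0"] as $p) {
        printf("%-20s => %s\n", addcslashes($p, "\0"),
               resolve_page($p) === null ? 'rejected' : 'ok');
    }
}
```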
