Introduction: What is the LFI Fault
Article for web developers and site administrators.
The LFI flaw is named Local File Inclusion . It allows a user to include local files (thus belonging to the external server) from a URL.
These files may very well be outside the root directory of the website. Sensitive files such as those containing personal data and especially passwords can be included and retrieved.
We often need to include a file in a page in a completely legitimate way as in the following example:
http://exemple.com/vulnerable.php?page=menu.php
Only the fact of checking if this file exists is not enough , it is necessary to make sure that it is the one that one wants.
Note that this flaw also allows you to execute PHP code on the remote server.
What can be done with an LFI fault?
Usually this flaw can help retrieve information like the names of your server users and their password:
http://www.exemple.com/pagevulnerable.php?page=../../../../../../../../../../../etc / passwd
You can also retrieve the source code of a php page or execute PHP commands remotely by posting them to a specific url.
In the worst case, a php shell can be installed on your server to allow a user to execute remote commands .
How do I know if my site is fallible?
If your site uses a URL as we have seen above, it is possible that it is fallible.
Here is a typical example of a fallible php script :
<? Php
$ file = $ _GET ['file'];
if (isset ($ file))
{
include ( "pages / $ file"); // include the file if it exists
}
else
{
include ( "index.php");
}
?>
For example, see if a user can access the files on your site:
http://www.exemple.com/vulnerable.php?page=../../../../../../../../fichier
How to protect yourself
So we will change our previous script to eliminate the possibility of using "../" and force the extension ".php":
<? Php
$ file = str_replace ('../', '', $ _GET ['file']); // eliminate ../
if (isset ($ file))
{// the file will have to be included by its name without .php
include ("$ file". ".php"); // add here the .php
}
else
{
include ( "index.php");
}
?>
Be aware however that it is possible to use hexadecimal encoding instead of slashes because the browser converts them correctly:
http://www.exemple.com/vulnerable.php?page=..%2F..%2F
..%2F
..%2F
..%2Ffichier
And it is also possible to use the NULL Byte to stop the string before the extension and thus bypass this restriction.
On new versions of apache this kind of exploitation is no longer possible because% 2F and% 00 are not managed by security . That said you can still add this line to avoid any flaw:
$ file = str_replace (chr (0), '', $ file); // chr (0) being the null byte
Another simple and radical technique is to include the name directly in the code without going through the URL but testing a name instead:
<? php if ($ _GET ['page'] == "news") {
include ( "news.php");
} else {
include ("home.php");
}?>
No comments:
Post a Comment