Determine file paths through remote file read download vulnerability






















For example, as seen above, a path such as.. Local file inclusion vulnerabilities can impact your web application in various ways. For example, here are three ways a local file inclusion can be abused. First of all, a local file inclusion vulnerability can lead to information disclosure.

For example, you might expose a certain text file that contains information about the application. However, when attackers gain important information about your application and its configuration, it helps them find other vulnerabilities and they gain a deeper understanding of your web application. Second, a local file inclusion vulnerability opens up the possibility of a directory traversal attack. Here, attackers try to access files on the server, other than the files of the web application, that provide them with important information.

Once they have this, attackers can access any other system file on your server. Furthermore, the attackers can gain administrator access to your server! Lastly, a local file inclusion vulnerability combined with a file upload vulnerability can even lead to a remote code execution attack. If attackers manage to upload an unwanted file to your server, they can abuse the local file inclusion vulnerability to execute that file. Worst case scenario, the local file inclusion vulnerability lets the attacker upload a file to the server that gives them the ability to execute arbitrary commands remotely.

This gives the attacker the opportunity to control the server remotely. Next, we describe different strategies to prevent local file inclusion attacks. The first and foremost lines of defense are sanitizing and validating user input. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.

LFI vulnerabilities allow an attacker to read and sometimes execute files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information. If the attacker is able to place code on the web server through other means, then they may be able to execute arbitrary commands. RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker is able to execute code hosted on their own machine.

Connect to Metasploitable from your browser and click on the DVWA link. On the file inclusion page, click on the view source button on the bottom right. If your security setting is successfully set to low, you should see the following source code:

To perform this test we can compare the response from the server when injecting. Here we can see that the response appears unchanged after inserting the.

However, when we use the.. Now, working on the assumption that the parameter you are targeting is being appended to a preset directory specified by the application, you can modify the parameter's value to insert an arbitrary subdirectory and single traversal sequence. If you find any instances where the application may be vulnerable, the next test is to attempt to traverse out of the starting directory and access files from elsewhere on the server filesystem.

The manner in which you access files depends on the server and web framework you are testing. In this example we are using an ASP.NET web framework. We know that web. NET web application. There are only a few scenarios where it is actually needed in PHP code. Sometimes developers enable it on purpose, and sometimes it is enabled by default on older versions of the server-side programming language.

Usually developers enable such functionality to include local files, but without proper input validation, it is also possible to fetch data from a remote server. Therefore, in most cases when such functionality is enabled, the web application becomes vulnerable to both remote file inclusion (RFI) and local file inclusion (LFI). Consider a developer who wants to include a local file corresponding to the page specified using the GET parameter. They have different PHP files, such as contact.

Each file can be called using the following request that is sent to the index. While the developer expects that only files inside that folder will be included, it might be possible for an attacker to include files from another directory (LFI) or even from a completely different web server (RFI), especially if there is no whitelist of files.

In fact, without a whitelist of permitted files, the attacker can change the file path passed to the include function (or its equivalent in another language). The attacker can include a local file, but in a typical attack, they change the path to a file that resides on a server they control. This allows attackers to write malicious code inside a file without having to poison logs or otherwise inject code into the web server, which would be required for local file inclusion.
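The whitelist defense mentioned above, as an added example that is not code from the original page: the request parameter is used only as a key into a fixed map, so neither a traversal sequence nor a remote URL can ever reach `include`. The parameter name `page`, the `pages` directory and the file names are assumptions made for illustration.

```php
<?php
// Added example; directory and page names are constructed for illustration.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';   // assumed location of the includable files

// The only files this script may include. User input selects a key, never a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

function resolvePage(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist lookup: a traversal sequence or a URL is simply not a key.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }

    // 2. Defense in depth: canonicalise and confirm the file is still under the
    //    base directory (catches a symlink or a bad allowlist entry).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// ?page[]=x arrives as an array, so reject anything that is not a string.
$page = $_GET['page'] ?? 'home';
$file = is_string($page) ? resolvePage($page, PAGE_DIR, ALLOWED_PAGES) : null;

if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

Keeping `allow_url_include` set to `Off` in php.ini additionally stops `include` from fetching remote URLs even if a path check is missed elsewhere.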

The impact will differ depending on the type of the remote file inclusion attack and the execution permissions of the web server user.


