Difference between revisions of "File Inclusion/Local File Inclusion/Local File Disclosure"
Chantal21I (Talk | contribs) (Created page with "Using this knowledge, the attacker can then specify a file on the remote host that the PHP server has permission to read and that file will be displayed in the web page. ...") |
(No difference)
|
Latest revision as of 06:50, 19 July 2012
Using this knowledge, the attacker can then specify a file on the remote host that the PHP server has permission to read and that file will be displayed in the web page. For example, the name of the file that contains the registry in windows is ntusers.dat in the windows directory. The attacker may request the URL:
/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat
Similarly, on a linux server:
/local.php?file=../../../../../../../../../../../../../etc/passwd
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing .php?file=, the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for cross-site scripting attacks.
A null Byte can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null Byte (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension. |
If the remote host is a UNIX or Linux based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:
/local.php?file=../../../../../../../../../../../../../etc/passwd
Or using null-bytes:
/local.php?file=../../../../../../../../../../../../../etc/passwd%00
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any php inside of it.