Thread subject: Security Override :: Local File Inclusion

Posted by buglu on 02/06/2014 08:04:04
#1

Hey,

Since I liked local file inclusion so much, I have spent my last week gathering information and trying to find some exploits myself. But then I came to the conclusion that I actually didn't really understand how it actually worked... I also have a good understanding of PHP.
Because this community has some great hackers, I hope someone could help me with a good tutorial that will explain the exact process of uploading and executing to me.

The things that I do understand about local file inclusion are the following:

- It is used to execute code (like PHP) on a website, which can be executed by a function like include();
- When a '.php' extension is added to the URL, you can avoid it by using the null byte trick.
- Images are used to avoid filters like extension filters and filters that will check if the file contains the right image header.

I think most of the better hackers will laugh at me for knowing just as little as this :P

But I think it's good enough for a start.

The things I would like to learn are:
- How does the image exactly execute the PHP code? I have read the tutorial on Imperva (posted by Teddy), which explained the working of LFI quite well to me.

I also tested LFI on my own server. It worked when I used include $_GET['page'];, but it failed when I added '.php' at the end of the include and used a null byte (%00) in my page URL. The page echoed this error:

URL:

http://localhost/hack/index.php?pagina=remote.jpg%00

Edit: Yes, remote.jpg is in the same folder as index.php.

Error:

Warning: include(): Failed opening 'remote.jpg' for inclusion (include_path='.;C:\xampp\php\PEAR') in C:\xampp\htdocs\hack\index.php on line 3

As you can see, the null byte terminated the string so .php wasn't added.

But I just don't know why the page won't display remote.jpg?

I hope someone could help me, so I will have a good understanding of the LFI exploitation :)


- For the people that will say: there is already a tutorial.

Yes, I know, and I have read it, but it doesn't explain enough to me to have a full understanding of the exact working of it.

And yes, I have read many pages on Google, but they all give me almost the exact same information.

Thanks in advance,

Buglu

Edited by buglu on 02/06/2014 08:05:49
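The include pattern buglu describes in post #1, as an added example that is not part of the thread: the vulnerable form beside an allow-list version. Script, parameter and page names are assumptions. On the warning quoted above: from PHP 5.3.4 on, include() treats any path containing a NUL byte as invalid, and because the warning prints the path as a C string it stops at the NUL, so 'remote.jpg' appears in the message even though '.php' was still appended. The hardened form side-steps the whole class of bypasses (NUL bytes, ../ traversal, php:// wrappers, over-long paths) by never building a path from request data:

```php
<?php
// Added example, not code from the thread. Shows the include pattern from
// post #1 in its vulnerable form next to an allow-list version. All file,
// parameter and page names are assumptions for the demo.

// Vulnerable: the request value becomes part of the include path.
//   ?pagina=about         -> include('about.php')
//   ?pagina=remote.jpg    -> include('remote.jpg.php')  (not found)
//   ?pagina=remote.jpg%00 -> PHP 5.3.4+ rejects a path containing a NUL byte;
//                            the warning prints the path as a C string, so it
//                            shows 'remote.jpg' although '.php' was appended.
function vulnerable_include(string $page): void
{
    include $page . '.php';
}

// Hardened: the request value is only a key into a fixed map. No user-controlled
// byte ever reaches the filesystem, so NUL bytes, ../, php:// wrappers and
// over-long paths have nothing to act on.
function safe_include(string $page, array $pages): bool
{
    if (!array_key_exists($page, $pages)) {
        return false;               // unknown key: caller answers with a 404
    }
    include $pages[$page];
    return true;
}

// Self-contained demo: build a throwaway page directory and try a few inputs.
$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/home.php", "<?php echo \"home page\\n\";");
$pages = ['home' => "$dir/home.php"];

foreach (['home', 'remote.jpg', "remote.jpg\0", '../../../../etc/passwd'] as $in) {
    $ok = safe_include($in, $pages);
    printf("%-28s -> %s\n", json_encode($in), $ok ? 'included' : 'rejected');
}

unlink("$dir/home.php");
rmdir($dir);
```

Only the 'home' key is included; the other three are rejected before any filesystem call is made. If a static map is too rigid, the same property holds for any scheme where the request value selects an entry from a server-side list rather than being concatenated into a path.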

Posted by Teddy on 02/06/2014 09:04:42
#2

Maybe an explanation or not

The null byte string vulnerability was fixed as of 5.3.4.
http://stackoverflow.com/questions/13766453/null-byte-injection-not-happening

Posted by buglu on 02/06/2014 13:49:46
#3

The null byte string vulnerability was fixed as of 5.3.4.


Okay, so a phpinfo will be a must.
Then I still have a question on how PHP reads the image, so it executes the PHP in it. Because in the tutorial on Imperva, the guy split the code up over 2 lines, and it still worked. Now I tried exactly the same, and I get errors like "illegal offset in string". Is it just my code

<?php echo 'exploit'; ?>

(then it's just me) or do the image filters handle some characters differently?

Edited by buglu on 02/06/2014 13:51:20

Posted by Teddy on 02/06/2014 14:00:22
#4

In theory the include() function call will just search inside the file for the PHP opening tag and will start to interpret it then. So the line splitting should work.

However, if you uploaded the file over a PHP function it could be that it filters out some characters. But to be honest I don't know!
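What post #4 describes, as an added example that is not part of the thread: include() reads a file of any extension as PHP source, copies the bytes outside <?php ... ?> to the output unchanged and runs whatever sits inside the tags, line breaks included. The "image" here is constructed for the demo (a JPEG SOI marker and a few header bytes around the payload, not a valid picture) and the file name is an assumption. One caveat behind Teddy's "filters out some characters": if the upload handler re-encodes the image (for instance resizing it with GD), comment and metadata bytes typically do not survive, so the payload is gone before include() ever sees the file.

```php
<?php
// Added example, not code from the thread. Demonstrates that include() does not
// care about the file extension or about the bytes in front of the PHP tag: bytes
// outside <?php ... ?> become literal output, bytes inside are compiled and run,
// even when the code is split across several lines.

// Constructed "image": JPEG SOI + APP0 marker, a few header bytes, the payload
// spread over three lines, and the EOI marker. Not a valid picture.
$payload   = "<?php\necho 'exploit';\n?>";
$fake_jpeg = "\xFF\xD8\xFF\xE0" . "JFIF\0" . $payload . "\xFF\xD9";

$path = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '.jpg';   // assumed name
file_put_contents($path, $fake_jpeg);

// Capture everything include() produces for this non-.php file.
ob_start();
include $path;
$out = ob_get_clean();
unlink($path);

// The binary bytes before and after the tag pass through as output; the
// multi-line code between them ran and printed 'exploit'.
printf("include() output (%d bytes): %s\n", strlen($out), bin2hex($out));
printf("payload executed: %s\n", strpos($out, 'exploit') !== false ? 'yes' : 'no');
printf("header bytes echoed: %s\n", strpos($out, "\xFF\xD8\xFF\xE0") === 0 ? 'yes' : 'no');
```

Seen from the application side this is why an extension check or an image-header check on upload does not help once the file is reachable through include(): neither check touches the bytes PHP will actually execute.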

Posted by buglu on 02/07/2014 03:11:41
#5

Thank you Teddy!

Do you or someone else know if there are any other options than the null byte termination?

As I said, the only function I have read about was the null byte... But as far as I have learned about hacking, there is always a workaround ;)

Edited by buglu on 02/07/2014 03:13:09

Posted by Teddy on 02/07/2014 04:04:53
#6

I posted another method on this forum before.

On most PHP installations, if the filename is longer than 4096 bytes, it will be silently truncated and everything after the first 4096 bytes will be discarded. No error is triggered: the excess characters are simply thrown away and PHP happily continues on.


http://security.stackexchange.com/questions/17407/how-can-i-use-this-path-bypass-exploit-local-file-inclusion


Next time please use Google yourself.

Posted by Teddy on 02/07/2014 04:07:15
#7

Just to avoid confusion. I meant I posted on SecurityOverride about that method before...
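The 4096-byte truncation method Teddy quotes in post #6, as an added example that is not part of the thread: a small harness that builds the padded path and reports whether the PHP build it runs on still truncates it. Whether it does depends on PHP version and platform; on a build that does not, the last include simply fails, which is exactly what you want to know before relying on the technique. The target file, the "/." padding style and the 4096 limit are assumptions for the demo (the limit is the figure the quoted text gives).

```php
<?php
// Added example, not code from the thread. Builds an over-long path in the style
// of the truncation technique quoted in post #6 and checks whether the running
// PHP build truncates it. Target file, padding style and limit are assumptions.

// Pad a path with "/." segments so it exceeds $limit bytes. The idea behind the
// technique: anything the application appends (here ".php") lands beyond the
// limit and is dropped, while the padding itself normalises back to $target.
function pad_path(string $target, int $limit): string
{
    $path = $target;
    while (strlen($path) <= $limit) {
        $path .= '/.';
    }
    return $path;
}

// Reproduce the application's include and report success without spraying
// warnings or the included file's output onto the console.
function try_include(string $path): bool
{
    ob_start();
    $result = @include $path;
    ob_end_clean();
    return $result !== false;
}

$target = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '.txt';   // assumed
file_put_contents($target, "<?php echo 'reached';");

$padded = pad_path($target, 4096);
printf("padded path length: %d bytes\n", strlen($padded));
printf("include(target)          : %s\n", try_include($target) ? 'ok' : 'failed');
printf("include(target . '.php') : %s\n", try_include($target . '.php') ? 'ok' : 'failed (expected)');
printf("include(padded . '.php') : %s\n",
    try_include($padded . '.php') ? 'truncated, payload included' : 'not truncated on this build');

unlink($target);
```

The first line is the control (the file is reachable), the second shows the appended suffix doing its job, and the third is the actual experiment. Run it on the same PHP version as the target, since the version is the only thing the outcome depends on.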

Posted by buglu on 02/07/2014 05:40:41
#8

Next time please use Google yourself.


I have searched this whole forum for any threads on local file inclusion (through the search option). And none of them explained a method that didn't use the null byte.

And no, I didn't find your thread about that method.

Edited by buglu on 02/07/2014 05:43:25

Posted by buglu on 02/07/2014 07:14:48
#9

buglu wrote:
Next time please use Google yourself.


I have searched this whole forum for any threads on local file inclusion (through the search option). And none of them explained a method that didn't use the null byte.

And no, I didn't find your thread about that method.


Edit: Hey Teddy, I have read your article. I remembered it from reading it a while ago, didn't quite understand the working of it, but thanks for reminding me of that method, will have a look at it ;)