Beginner Guide to File Inclusion Attack (LFI/RFI)

You can insert the content of one PHP file into another PHP file before the server executes it, with the include () function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help developers to make it easy to change the layout of complete website with minimal effort.

If there is any change required then instead of changing thousands of files just change included file.

Assume we have a standard footer file called “footer.php“, that looks like this

<?php

echo “<p>Copyright &copy; 2010-” . date(“Y”) . ” hackingartices.in</p>”;

?>

 To include the footer file in a page, use the include statement

<html>

<body>

<h1>Welcome to Hacking Articles</h1>

<p>Some text.</p>

<p>Some more text.</p>

<?php include ‘footer.php’;?>

</body>

</html>

 Example 2

Assume we have a file called “vars.php“, with some variables defined:

<?php

$color=’red’;

$car=’BMW’;

?>

 

<html>

<body>

 <h1>Welcome to my home page!</h1>

<?php include ‘vars.php’;

echo “I have a $color $car.”;

?>

 </body>

</html>

 

 Output: I have red BMW

PHP Require Function

The require statement is also used to include a file into the PHP code.

However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:

Example 3

 <html>
<body>
<h1>Welcome to my home page!</h1>
<?php include ‘noFileExists.php’;
echo “I have a $color $car.”;
?>
</body>
</html>

 Output: I have a

If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

 <html>
<body>

<h1>Welcome to my home page!</h1>
<?php require ‘noFileExists.php’;
echo “I have a $color $car.”;
?>
</body>
</html>

No output result

PHP Required_once Function

 Require_once() using this function we can access the data of another page once when you may need to include the called file more than once, It works the same way. The only difference between require and require_once is that If it is found that the file has already been included, calling script is going to ignore further inclusions.

Example 4

echo.php
<?php
echo “Hello”;
?>

test.php
<?php
require(‘echo.php’);
require_once(‘echo.php’);
?>

outputs: “Hello”

 Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini

 /etc/php7/apache2/php.ini

allow_url_include = On

File Inclusion Attacks

 It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability arises when a web application lets the client to submit input into files or upload files to the server.

This can lead following attacks:

  • Code execution on the web server
  • Cross Site Scripting Attacks (XSS)
  • Denial of service (DOS)
  • Data Manipulation Attacks

Two Types:

Local File Inclusion

Remote File Inclusion

Local File Inclusion (LFI)

 Local file inclusion vulnerability occur when a file to which to PHP account has accessed is passed as a parameter to the PHP function “include”, or “require_once”

This vulnerability occurs, for example, when a page receives, as inputs the path to the file that has to be included  and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=/etc/passwd

Read complete local file inclusion attack tutorial from here

Remote File Inclusion (RFI)

Remote File Inclusion occurs when the URI of a file located on a different server is passed to as a parameter to the PHP function “include”, “include_once” , “require” , or “require_once” . PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File inclusion allows and attacker to embed his/her own PHP code inside  a vulnerable  PHP script , which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

http:// 192.168.1.8/dvwa/vulnerabilities/fi/?page=http://google.com

Read complete remote file inclusion attack tutorial from here

Mitigation

  • Strong Input Validation
  • A whitelist of acceptable inputs
  • Reject any inputs that does not strictly conform to specifications
  • For filenames, use stringent whitelists that limits the character set to be used
  • Exclude directory separators such as “/”
  • Use a whitelist of allowable file extensions
  • Environment hardening
  • Develop and run your code in the most recent versions of PHP available
  • Configure your PHP applications so that it does not use register_globals
  • Set allow_url_fopen to false, which limits the ability to include files from remote locations
  • Run your code using the lowest privileges
  • Use a vetted library or framework that does not allow this weakness.

Source: https://www.w3schools.com/ 

               https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

               https://www.acunetix.com

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Database Penetration Testing using Sqlmap (Part 1)

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’sMeterpreter getsystem command.

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables.

Sometimes you visit such websites that let you to select product item through their picture gallery if you observer its URL you will notice that product item is call through its product-ID numbers.

Let’s take an example

http://testphp.vulnweb.com/artists.php?artist=1

 So when attacker visits such kind of website he always checks for SQL vulnerability inside web server for lunching SQL attack.

Let’s check how attacker verifies SQL vulnerability.

Attacker will try to break the query in order to order to get error message, if he successfully received error message then it confirms that web server is SQL injection affected.

http://testphp.vulnweb.com/artists.php?artist=1’

 From screenshot you can see we have received error message successfully now we have make SQL attack on web server so that we can fetch database information.

Databases

 For database penetration testing we always choose SQLMAP, this tool is very helpful for beginners who are unable to retrieve database information manually or unaware from SQL injection techniques.

Open the terminal in your Kali Linux and type following command which start SQL injection attack on the targeted website.  

Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –dbs –batch

 -u:  target URL

–dbs: fetch database name

–batch: This will leave sqlmap to go with default behavior whenever user’s input would be required

Here from given screenshot you can see we have successfully retrieve database name “acuart

Tables

As we know a database is a set of record which consist of multiple table inside it therefore now use another command in order to fetch entire table names from inside the database system.

 Sqlmap –u “http://testphp.vulnweb.com/artists.php?artist=1” –D acuart –table –batch

 -D: DBMS database to enumerate (fetched database name)

–tables: enumerate DBMS database table

As a result given in screenshot we have enumerated entire table name of database system. There are 8 tables inside database “acuart” as following:

T1: artists

T2: carts

T3: categ

T4: featured

T5: guestbook

T6: pictures

T7: products

T8: users

Columns

Now further we will try to enumerate column name of desired table. Since we know there is a users table inside the database acuart and we want to know the all column names of users table therefore we will generate another command for column captions enumeration.

sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart -T users –columns –batch

-T: DBMS table to enumerate (fetched table name)

–columns: enumerate DBMS database columns

Get data from a table

Slowly and gradually we have penetrated much details of database but last and most important step is to retrieve information from inside the columns of a table. Hence at last we will generate a command which will dump information of users table.

 sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart -T users –dump –batch

–dump: dump all information of DBMS database

Here from given screenshot you can see it has dump entire information of table users, mainly users table contains login credential of other users. You can use these credential for login into server on behalf other users.

Dump All

Last command is the most powerful command in sqlmap which will save your time in database penetration testing; this command will perform all the above functions at once and dump entire database information including table names, column and etc.

sqlmap -u “http://testphp.vulnweb.com/artists.php?artist=1” -D acuart –dump-all –batch

This will give you all information at once which contains database name as well as table’s records.

Try it yourself!!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

CSRF Exploitation using XSS

Hello friends! In our previous article we saw how an attacker can shoot web application against CSRF vulnerability with help of burp suite. Today again we are going to test CSRF attack with help of XSS vulnerability.AS we know taking the help of XSS attacker might be able to reads cookies from the same domain and if CSRF token are stored in cookies then attacker will able to read the CSRF token from CSRF protected post.

Let’s have a look how an attacker can make CSRF attack for changing password of admin account when the web application is suffering from cross site scripting vulnerability. For this tutorial I had used DVWA and set its security level low.

Suppose that you have found XSS vulnerability in any web application server. Here we are going to use java script or HTML script which will make CSRF attack for changing the password of admin account.

An XSS attack can be used to read the cookies and get the valid tokens if it is stored in cookies which have to be inserted in the malicious script to make CSRF possible. Using image tag we will send a malicious script, inside script I had set new password as 123456.

<img src=”/dvwa/vulnerabilities/csrf/?password_new=123456&password_conf=123456&Change=Change”>

Now let’s check whether the password for admin has been changed or not, previously credential was admin: password, if admin get failed to login inside web server using his previous credential then we had successfully made CSRF attack.

From given screenshot you can see using admin: password it confirms login failed. Now use your new password 123456 for login inside web server.

Similarly there is another web application bwapp where we will demonstrate same attack using XSS vulnerability. First you need to chose your bug “cross site scripting Reflected (post)” and set security level low.

In given screenshot the form is suffering from XSS vulnerability now we are going to generate a script for making CSRF possible in order to change password for a user. Here we are login as bee: bug into web server now we will try to change its password with help of cross site scripting.

Similarly using image tag we will send a malicious script, inside script I had set new password as hack.

<img src=”/bwapp/csrf_1.php?password_new=hack&password_conf=hack&action=change”>

From screenshot you can see generated image icon which means this form has XSS flaws now let check whether the password has been modified or not for user bee.

Now use previous credential bee: bug if login failed is confirmed it means we have successfully shoot the CSRF attack and from screenshot you can see “invalid credential or user not activated” message.  Now use new password for login into web server.

Conclusion: XSS vulnerabilities exist anywhere in same domain it could lead to CSRF attack and allows attackers to remotely control the target’s browser with full rights, making CSRF useless.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Understanding the CSRF Vulnerability (A Beginner Guide)

Today we will see CSRF attack in different scenario like transferring fund and password changing but before we see how cross site request forgery works we need to understand of few concepts.

Tabbed browsing: Tabbed browsing is an attribute of the Web browsers which allow the users to view multiple web sites on a single window instead of opening new browser window. These extra web pages are represented by tabs at the top of the browser window.

Imagine that you are logged into the Facebook server and visit a malicious website in the same browser, although on different tab. In absence of the same origin policy (SOP), an attacker can go through your profile and other sensitive information with the help of JavaScript. For example read private messages, send fake message, read your chats.

SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

XHR: XML Http Request is an API in the form of an object whose methods transfer data between a web browser and a web server. 

  • Update a web page without reloading the page
  • Request data from a server – after the page has loaded
  • Receive data from a server  – after the page has loaded
  • Send data to a server – in the background

CSRF: Cross-site request forgery also known as single-click attack or session traversing, in which a malicious website will throw a request to a web application that the user is already authenticated against from a different website. This way an attacker can access functionality in a targeted web application via the victim’s already authenticated browser.

If the victim is an ordinary user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the targeted end user is the administrator account, this can compromise the entire web application.

In this article we will test a web application against csrf vulnerability with the help of burp suit Poc.

Source https://www.w3schools.com/xml/xml_http.asp

https://en.wikipedia.org/wiki/Same-origin_policy

Let’s start!!

 For this tutorial I had used bWAPP the vulnerable web application and create a new user raaz with password 123 for login inside the web server.

Now set the security level low then from list of given vulnerability choose your bug cross site request forgery (change secret) and click on hack.

If you have noticed the first image for creating a new user in that the user “raaz” has set his secret value as 123 now if the user raaz wish to change the secret value for his password he can change it from here.

Now let’s check out how we can test this functionality against CSRF attack and force raaz to change his secret value from the attacker’s desired value that is set a new secret value without his (user) knowledge.

Start the burp suite to capture the sent request between the browser and web application.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

CSRF PoC generator will automatically generates an HTML form page which you can see in given below screenshot, Click on copy HTML tag and open a text document to past the copied data.

Once you have paste the html code now add your (attacker) secret value “1234” moreover you need to add user name “raaz” for whom the secret value will get changed, now save the text document as csrf1.html and then use social engineering technique for sharing csrf1.html file to the targeted user.

When victim will open Csrf1.html file, here he will found a submit button now as he will click on submit button the secret value for target location will get changed without his (victim) knowledge.

Here you observe the result form given below screenshot. Hence in this way CSRF attack change the old secret value for password set by user “raaz”.

In next scenario we are going to test CSRF attack while transfer amount from users account. You might be well aware from such scenario when phone operator let say Airtel transfer an amount (Rs 500) in order to recharge customer phone and user receive the message of transaction and other example is related  bank amount transfer from one user’s account to another user’s account.

In order to learn csrf attack in this situation again login in bWAPP then choose your next vulnerability cross site request forgery (transfer Amount) and click on hack.

In the given screenshot you can see user have only 1000 EUR in his account it means above this amount the transaction  is not possible for both (user as well as for attacker). Further it is showing user’s account number to transfer and amount to be transfer.

The procedure for csrf attack is similar as above use burp suite to capture the sent request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Again it will create html form automatically for intercepted data now click on copy html tag given at below to copy the generate html code for form.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker) amount “100” to be transfer, now save the text document as csrf2.html and then use social engineering technique for sharing csrf2.html file to the targeted user.

When victim will open Csrf2.html file, here he will found a submit button now as he will click on submit button given amount will be transfer without his (victim) knowledge.

From given screenshot result you see now the amount is left 900 EUR in user’s account which means 100 EUR has been deducted from his account. Hence again we saw effect of CSRF attack while amount transaction from once account to another.

At last we are going to learn the most impactful CRSF attack for changing the password of user account without his knowledge. Again we will login into bwapp and choose the bug “cross site request forgery (change password)” to test the csrf vulnerability.

Here you can clearly saw two text field, one for new password another for confirm password again we will repeat the process using burp suite to catch the request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Once again it has generated the html code for changing the password, hence you can see burp suite itself generate related html form for destination website, and this is an advantage which save attacker’s time for generating CSRF html form. Again click on copy html tab to copy the code.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker)new password value and confirm password value, now save the text document as csrf3.html and then use social engineering technique for sharing csrf3.html file to the targeted user.

If you remember the old password was “123” for user “raaz” and from screenshot you can perceive that now new password is raj.

When victim will open Csrf3.html file, here he will found a submit button now as he will click on submit button the password will reset for his account without his (victim) knowledge.

Hence you can verified it through given below image where it has clearly gave the message that “password has been changed”

So today you have seen how we had made csrf attack on web application server in different scenario with help of burp suite Poc.

Try it yourself!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...