How to prevent LFI and RFI attacks
“PHP is used by 82.5% of the websites…”
Taught by: Peter Zsiros
Length: 1.5 hours
Local and Remote File Inclusion (LFI/RFI) attacks are popular amongst hackers. It mostly affects web applications written in PHP, so a great majority of websites could be exposed to it.
In this minicourse we will examine how this technique works and how to avoid running someone else's malicious code on your server. We will cover the mitigation techniques against this type of attack, and the different backdoor "upload" possibilities as upload forms, through databases, log poisoning, session files and the PUT method.
Other hacking courses from the same trainer, Peter Zsiros.
It can be very useful for web developers so that they can make more secure websites, and for ethical hackers so that they can make thorough penetration tests. It can also be useful for system administrators and testers.
Basic programming knowledge, basic knowledge of HTTP protocol.
Minimum 4GB memory
You will be able to identify and exploit these kinds of vulnerabilities, and learn how to avoid them by learning the configuration possibilities to reduce attack risk.
Section 1 - Introduction to LFI/RFI
First we install our test environment. (For this you can download the virtual machine and the ISO image from http://www.duckademy.com/downloads.) Then we look for a remote and a local file inclusion. With the help of the examples you will understand the reason behind these kinds of vulnerabilities.
Section 2 - Backdoor upload techniques
We examine different possibilities to upload backdoors to be able to call our code through the LFI attack. We will upload backdoors to webpages with different picture testing capabilities and will upload a file when the PUT http method is enabled, and insert a backdoor if we can write to a database. We will also upload a backdoor when there is no dedicated writing possibility (ex. log file poisoning).