# Intro

- The most effective thing we can do to reduce file inclusion vulns is to avoid passing any user-controlled input into any file inclusion function or API
- A page should be able to dynamically load assets on the back-end, with no user interaction
- As noted in the first section of this module, select functions carefully and make sure that no user input goes directly into them
- If we cannot change or remove the functions, use a whitelist of allowed user inputs, with a default value for every other input

# Preventing Directory Traversal

- The best way to prevent directory traversal is to use your programming language's (or framework's) built-in tool to pull out only the filename
- For example, PHP has `basename()`, which reads a path and returns only the filename portion. If only a filename is given, it returns just that filename
- We should also sanitize user input to recursively remove any attempt at traversing directories, as follows in PHP:

```php
// Keep stripping "../" until none remains, so that inputs such as "....//"
// (which would leave a "../" behind after a single pass) are also neutralised
while (substr_count($input, '../', 0)) {
    $input = str_replace('../', '', $input);
}
```

# Web Server Config

- Several configurations may also be used to reduce the impact of file inclusion vulns in case they occur
- For example, globally disable the inclusion of remote files by setting `allow_url_fopen` and `allow_url_include` to `Off` in PHP
- Run the web app in a Docker container to lock the web app to its web root directory and prevent it from accessing non-web related files
- In PHP we can achieve a similar result by adding `open_basedir = /var/www` to the `php.ini` file
- Furthermore, ensure that certain potentially dangerous modules are disabled, such as [PHP Expect](https://www.php.net/manual/en/wrappers.expect.php) and [mod_userdir](https://httpd.apache.org/docs/2.4/mod/mod_userdir.html)

# WAF

- The universal way to harden applications is to use a Web Application Firewall (WAF), such as `ModSecurity`
- When dealing with WAFs, the most important thing to avoid is false positives, i.e. blocking non-malicious requests
- `ModSecurity` minimizes false positives by offering a `permissive` mode, which only reports what it would have blocked
- This lets defenders tune the rules to make sure no legitimate request is blocked

# Exercise

## Initial Enum

- ping test ![[images/Pasted image 20251221143151.png]]
- nmap scans ![[images/Pasted image 20251221143156.png]] ![[images/Pasted image 20251221143348.png]]
- visit page - default starter page ![[images/Pasted image 20251221143304.png]]
- ssh into webserver with given creds ![[images/Pasted image 20251221143713.png]]

## Default Apache File Locs

- Generic Apache default file locations
  - Apache log files - `/var/log/apache2`
  - Apache config file - `/etc/apache2/apache2.conf`
  - Apache PHP config file - `/etc/php/X.Y/apache2/php.ini`, where `X.Y` is the PHP version
  - Apache webroot - `/var/www/html`

## Searching for `php.ini`

- `cat /etc/apache2/apache2.conf` ![[images/Pasted image 20251221143532.png]]
- `grep` for `php.ini` > nothing ![[images/Pasted image 20251221143613.png]]
- `ls -al /var/www/html` ![[images/Pasted image 20251221143836.png]]
- move to `/etc/php` and look for `php.ini` ![[images/Pasted image 20251221144006.png]]

## Edit `php.ini` to block `system()`

- open `/etc/php/7.4/apache2/php.ini` with `nano` and add `system` to the `disable_functions` directive ![[images/Pasted image 20251221144740.png]]
- see the below directions from a simple google search ![[images/Pasted image 20251221144659.png]]
- restart the service ![[images/Pasted image 20251221144847.png]]

## Add `shell.php` to webroot that includes a `system()` related webshell

- after looking at the hint, add a PHP file to `/var/www/html` that contains a PHP webshell that uses `system()`

```bash
echo '<?php system($_GET["cmd"]); ?>' > /var/www/html/shell.php
```

![[images/Pasted image 20251221145306.png]]

- restart the service again with the below command

```bash
sudo service apache2 restart
```

## Attempt to fetch `shell.php` and view `error.log`

- use curl to execute the file ![[images/Pasted image 20251221145511.png]]
- view log at `/var/log/apache2/error.log` ![[images/Pasted image 20251221145549.png]]
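The Intro's whitelist-with-default and the `basename()` plus `../`-stripping loop from the Preventing Directory Traversal section, put together in one include handler. This is an added example, not code from the original notes or from the module; the `pages/` directory, the page names `home`/`about`/`contact` and the `page` query parameter are assumptions made for the example.

```php
<?php
// Added example (not from the original notes): a hardened include handler that
// combines three controls: a whitelist of allowed page names with a default,
// basename() to drop any directory component, and the recursive "../"
// stripping loop as defence in depth.
// The pages/ directory, the page names and the $_GET['page'] parameter are
// assumptions made for this example.

declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';
const DEFAULT_PAGE  = 'home';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/** Recursively remove every "../" so that e.g. "....//" does not survive one pass. */
function stripTraversal(string $input): string
{
    while (substr_count($input, '../') > 0) {
        $input = str_replace('../', '', $input);
    }
    return $input;
}

/**
 * Map untrusted input to a page name that is safe to include.
 * Anything not on the whitelist falls back to DEFAULT_PAGE, so the caller never
 * chooses a path; they can only pick among files we have already approved.
 */
function resolvePage(?string $input): string
{
    if ($input === null || $input === '') {
        return DEFAULT_PAGE;
    }
    // basename() keeps only the final path segment; the loop is defence in depth.
    $candidate = basename(stripTraversal($input));
    // Drop any extension the user supplied; we append our own in pagePath().
    $candidate = pathinfo($candidate, PATHINFO_FILENAME);
    return in_array($candidate, ALLOWED_PAGES, true) ? $candidate : DEFAULT_PAGE;
}

/** Build the final filesystem path from the whitelisted name only. */
function pagePath(?string $input): string
{
    return PAGES_DIR . '/' . resolvePage($input) . '.php';
}

if (PHP_SAPI === 'cli') {
    // Demonstration with constructed inputs, including traversal and remote-URL attempts.
    $samples = ['about', 'about.php', '../../../../etc/passwd',
                '....//....//etc/passwd', 'http://example.com/x.txt', null];
    foreach ($samples as $sample) {
        printf("%-32s -> %s\n", var_export($sample, true), pagePath($sample));
    }
} else {
    include pagePath($_GET['page'] ?? null);
}
```

Run from the CLI it prints the resolved path for each constructed sample: only `about` and `about.php` map to `pages/about.php`, every traversal or URL input falls back to `pages/home.php`. Because the final path is built from the whitelisted name rather than from the sanitised input, the `basename()` and stripping steps only decide *which* approved page is chosen; they are never the last line of defence.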
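A way to verify the Web Server Config settings (`allow_url_fopen`, `allow_url_include`, `open_basedir`) together with the `disable_functions` change made in the exercise, as an added audit script that is not part of the original notes. It uses `ini_get()` so it reports what the running PHP actually loaded. The `/var/www` prefix and blocking `system` come from the notes; the script name, output format and the option to pass a longer function list are assumptions.

```php
<?php
// Added example (not from the original notes): audit the php.ini hardening
// settings discussed in the notes using ini_get(). Run it under the same SAPI
// as the web app (e.g. drop it into the webroot temporarily and fetch it),
// because on Debian/Ubuntu layouts the CLI reads a different php.ini
// (/etc/php/X.Y/cli/php.ini) than Apache does (/etc/php/X.Y/apache2/php.ini).
// Expected open_basedir prefix (/var/www) and the function "system" are taken
// from the notes; the output format is an assumption.

declare(strict_types=1);

/** Normalise an ini boolean ("0", "", "Off", "1", "On") to a PHP bool. */
function iniBool(string $name): bool
{
    $raw = strtolower(trim((string) ini_get($name)));
    return !in_array($raw, ['', '0', 'off', 'false', 'no'], true);
}

/** Return the functions currently blocked via disable_functions. */
function disabledFunctions(): array
{
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($list, fn(string $f): bool => $f !== ''));
}

/**
 * Evaluate each hardening control and return [check => [passed, detail]].
 * $mustDisable lists functions that must appear in disable_functions.
 */
function auditHardening(array $mustDisable = ['system'], string $expectedBase = '/var/www'): array
{
    $results = [];

    // Remote file inclusion needs both of these; both should be Off.
    $results['allow_url_fopen']   = [!iniBool('allow_url_fopen'),   (string) ini_get('allow_url_fopen')];
    $results['allow_url_include'] = [!iniBool('allow_url_include'), (string) ini_get('allow_url_include')];

    // open_basedir confines file access; it must be set and point at the webroot.
    $base = (string) ini_get('open_basedir');
    $results['open_basedir'] = [
        $base !== '' && strpos($base, $expectedBase) === 0,
        $base === '' ? '(unset)' : $base,
    ];

    // disable_functions must contain every function we expect to be blocked.
    $disabled = disabledFunctions();
    foreach ($mustDisable as $fn) {
        $results["disable_functions:$fn"] = [
            in_array($fn, $disabled, true),
            $disabled ? implode(',', $disabled) : '(none)',
        ];
    }

    // PHP reports a function blocked by disable_functions as non-existent, so a
    // call such as system($_GET['cmd']) fails (and is logged) instead of running.
    $results['system_callable'] = [
        !function_exists('system'),
        function_exists('system') ? 'callable' : 'disabled',
    ];

    return $results;
}

/** Print one line per check; returns true only if every check passed. */
function printReport(array $results): bool
{
    $allOk = true;
    foreach ($results as $name => [$ok, $detail]) {
        printf("[%s] %-26s %s\n", $ok ? 'OK' : '!!', $name, $detail);
        $allOk = $allOk && $ok;
    }
    return $allOk;
}

// Exit status 1 if any control is missing, so the script can gate a deployment.
exit(printReport(auditHardening(['system'])) ? 0 : 1);
```

Before the `php.ini` edit in the exercise the `disable_functions:system` and `system_callable` lines report `!!`; after adding `system` to `disable_functions` and restarting Apache they report `OK`, which is the same outcome the `curl` against `shell.php` and the `error.log` entry confirm. The array passed to `auditHardening()` can be extended with other functions you choose to block.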