Lockdoor Framework

A Penetration Testing Framework

# Tactical Fuzzing - FI & Uploads

Local file inclusion

Core Idea: Does it (or can it) interact with the server file system?

[Liffy] (https://github.com/rotlogix/liffy) is new and cool here but you can also use [Seclists] (https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt):

Malicious File Upload

This is an important and common attack vector in this type of testing. A file upload functions need a lot of protections to be adequately secure.

Attacks:

Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
Execute XSS via same types of files. Images as well!
Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
Bypass security zones and store malware on target site via file polyglots

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

content type spoofing
extension trickery
[File in the hole! presentaion] (https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf)

As referenced file polyglots can be used to store malware on servers! [See @dan_crowley ‘s talk] (http://goo.gl/pquXC2) [and @angealbertini research:] (corkami.com)

## Remote file includes and redirects

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:

escape "/" with "/" or “//” with “//”
try single "/" instead of "//"
remove http i.e. "continue=//google.com"
“//\” , “|/” , “/%09/”
encode, slashes
”./” CHANGE TO “..//”
”../” CHANGE TO “....//”
”/” CHANGE TO “//”

Redirections Common Parameters or Injection points:

dest=
continue=
redirect=
url= (or anything with “url” in it)
uri= (same as above)
window=
next=

RFI Common Parameters or Injection points:

File=
document=
Folder=
root=
Path=
pg=
style=
pdf=
template=
php_path=
doc=

Lockdoor Framework

Local file inclusion

￼￼Malicious File Upload

Malicious File Upload