A Local File Inclusion attack consists of exploiting an unprotected script on the server to read the content of another file that the application was never meant to expose. The following example shows a vulnerable PHP script (index.php).
With such a script, it is possible to read the content of the /etc/passwd file by calling it this way:
http://www.somevulnerablesite.com/index.php?page=../../../etc/passwd
Null byte inclusion
Null byte inclusion () makes it possible to read files on a server using a Local File Inclusion (LFI) attack. The following PHP example illustrates the attack:
Such a vulnerable script could enable a hacker to access an unexpected file by calling an address such as:
http://www.somevulnerablesite/index.php?page=../../../etc/passwd
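The pattern both sections describe, a request parameter used directly as an include path, is shown below in comments beside a hardened resolver. This is an added example, not the original index.php from this post; `PAGES`, `resolve_page` and the temporary directory are hypothetical names and constructed sample input.

```php
<?php
// Added example; PAGES and resolve_page() are hypothetical names.
// Vulnerable pattern the text describes (comments only, not executed):
//   include($_GET['page']);            // parameter used directly as a path
//   include($_GET['page'] . '.php');   // suffix variant targeted by the null byte trick
// PHP 5.3.4+ rejects paths containing NUL, but validation should not rely on that.

// Hardened form: the parameter is only a key into a fixed allowlist.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page($page, string $baseDir): ?string
{
    // Reject non-strings (e.g. page[]=x) and anything outside a strict key charset.
    // This drops "/", "." and NUL bytes before any filesystem call is made.
    if (!is_string($page) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory stands in for the site's page directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

// Constructed inputs: one valid key, the traversal from the text, a NUL variant,
// an allowlisted key whose file is missing, and an array parameter.
$samples = ['home', '../../../etc/passwd', "../../../etc/passwd\0", 'contact', ['x']];
foreach ($samples as $s) {
    $r = resolve_page($s, $dir);
    printf("%-34s => %s\n", json_encode($s), $r === null ? 'rejected' : 'include ' . basename($r));
}
// In index.php: $f = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
//               if ($f === null) { http_response_code(404); exit; } include $f;
```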