[PDF] FYI: You got LFI




PHP internals

ution process

PHP include function

Malicious File Includes

Classic RFI

Classic RFI “in the wild”

Advanced RFI using PHP streams

Malicious File Includes

Adding PHP code to log files

Uploading use

MFI in the wild

Setup and Methodology

RFI in the wild

Attack sources analysis

Shell hosting URLs analysis

Shells analysis


About Imperva

PHP streams and wrappers

[PDF] HTTPS Bicycle Attack


It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a Cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application). The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle. The paper furthermore gives insight in how very small differences in the length of intercepted (encrypted) GPS coordinates can be used to estimate the location on the world map for a particular encrypted coordinate. Another example demonstrates that differences in length of intercepted (encrypted) IPv4 addresses are bound to specific IP ranges. The paper concludes with a set of proposed mitigations against this attack.