Abusing LFI-RFI for Fun,Profit and Shells

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 27, 2013, 4 p.m. (25 minutes)

This talk is about exploiting Local File Inclusion (LFI) and Remote File Inclusion (RFI), vulnerability classes that are much less discussed these days because they are assumed to be extinct. The talk moves one step further and focuses on various new methods and strategies, which are explained and demonstrated.

The talk looks at various real-world scenarios, introduces new attack vectors, and dives deep into various methods with demos.

The talk also touches on various PHP streams that can be used to bypass the traditional streams.

It also looks at the Suhosin patch, its bypass, and other evasion techniques.

The paper will also discuss the I2RCE.py tool, which automates the inclusion process into a remote session.


Presenters:

  • Francis Alexander
    Francis Alexander is an Information Security Researcher. He has a strong vision and mission of free and open information security education for all. His areas of interest include web app and standalone app security, DBMS security, coding tools, and fuzzing. He has been selected to speak at Defcon Kerala.
