Jump to content

Rfi/lfi Explaination


Recommended Posts

This is a guide I wrote for my board: www.leethackers.org.

What is RFI?

RFI or also known as Remote File Inclusion can be used to execute php code from a remote host. This can be really useful. For example:


Here we see, it takes the text of the text file: "index.txt" and places it into index.php.

It is the include() PHP Function. Sadly, no-one thought about the security while doing this. As I already said, it gets the text of index.txt and places the code into the index.php. What if we change the index.txt to a Remote server for example: www.t00ls.org/r57.txt <--- This is a web shell. So basically, it should look like this now:


If the target is vulnerable, you should see a web shell on the page without injecting it or uploading a file! That easy.

What is LFI?

LFI or also known as Local File Inclusion can be used to display sensitive information from a specified file on the webhost. The concept is almost the same like RFI. The only thing that is different, the files are on localhost. For example, we have this page:


So it shows the contact.php form. Now let us try this:


If you get a page with users, then this page is vulnerable to LFI. The passwords are displayed as 'x''s though. Try to check the 'shadow' File. So do this:


This file is normally not readable for the users. It is only readable for 'root'.

What you could try, is getting the config.php file that is mostly located in the include folder. so:


If you have got the details for the DB (server, username, password, database) you can connect to it and get the administrator password from the users or w.e table.

Hope this small explaination helped you a bit!

Link to comment
Share on other sites

For some reason I cannot edit my post.. well, here is a small update...

PHP coders usually use this code:

   $color = 'blue';
   if (isset( $_GET['COLOR'] ) )
      $color = $_GET['COLOR'];
   include( $color . '.php' );

Now, they think they're safe because the file extension must be ".php", WRONG!. All you have to do is put '' on the end of the URL, this will ignore including 'php' or any other file extension. This is called null byte injection.



I am willing to post this image, because I noticed on IPBoard forums it is getting replaced.

So just add this:


after the URL. Just after /etc/shadow[NULL BYTE INJ HERE]

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...