Author Topic: Remote File Inclusion (RFI) (Read 5956 times)

ande · « **Reply #15 on:** August 05, 2011, 05:13:25 PM »

@1Mirek:

That may be a far short text, but like I pointed out in one of your other topics: This is to much hack-for-the-sake-of-hacking and not for the sake of learning anything. You have to build your ground information first. Ofc, you are welcome to learn the straight forward way to, but you will miss out on a lot of other information needed to understand the whole picture.

1Mirek · « **Reply #16 on:** August 05, 2011, 06:35:46 PM »

hehe Ande no need to worry about me, I know very well RFI, LFI, SQLi...

Infinityexists · « **Reply #17 on:** February 19, 2012, 07:15:37 PM »

AWesome tutorial , i had a good experience in PHP but never thought that i can can include external file to the victim server, thanks for great tutorial

Factionwars · « **Reply #18 on:** February 20, 2012, 01:43:37 PM »

Quote from: Infinityexists on February 19, 2012, 07:15:37 PM

AWesome tutorial , i had a good experience in PHP but never thought that i can can include external file to the victim server, thanks for great tutorial

Programmers like that should be prisoned, or not, so we keep the fun

Wolf · « **Reply #19 on:** February 20, 2012, 03:54:54 PM »

Great tut

Very easy to understand.

dataspy · « **Reply #20 on:** April 04, 2012, 02:28:29 AM »

Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example

Code: [Select]

<?php 
$Redirection = array('View','Edit','Delete');

    if(isset($_GET['Action']))
    {
        if(($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("ViewRecord.php");
        }
        elseif(($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("EditRecord.php");
        }
        elseif(($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("DeleteRecord.php");
        }
        else
        {
            do something
        }
    }
    else
    {
        require("index.php"); 
    }
    ?>

I haven't tried to exploit it yet but I think it would work

ande · « **Reply #21 on:** April 04, 2012, 04:19:28 PM »

Quote from: dataspy on April 04, 2012, 02:28:29 AM

Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example
Code: [Select]
<?php $Redirection = array('View','Edit','Delete'); if(isset($_GET['Action'])) { if(($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE))) { require("ViewRecord.php"); } elseif(($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE))) { require("EditRecord.php"); } elseif(($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE))) { require("DeleteRecord.php"); } else { do something } } else { require("index.php"); } ?>
I haven't tried to exploit it yet but I think it would work

That is not necessary at all, after you have done a if($n == "derp) you dont need to do a in_array() as well.

dataspy · « **Reply #22 on:** April 04, 2012, 04:56:33 PM »

Thanks, yep I see how that is redundant

Factionwars · « **Reply #23 on:** April 04, 2012, 10:36:16 PM »

Quote from: dataspy on April 04, 2012, 04:56:33 PM

Thanks, yep I see how that is redundant

If you keep the inarray, you can shorten it up like a baws, just look if the requested page is in the array, if yes include it and show it.

bio_n3t · « **Reply #24 on:** April 07, 2012, 02:50:50 PM »

And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
include("page/".$_GET["page"].".php");
}
?>

It's dangerous? Thank you

ande · « **Reply #25 on:** April 07, 2012, 10:17:13 PM »

Quote from: bio_n3t on April 07, 2012, 02:50:50 PM

And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
include("page/".$_GET["page"].".php");
}
?>

It's dangerous? Thank you

Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.

Droaxenius · « **Reply #26 on:** April 10, 2012, 12:28:09 PM »

Thank you ande.
Now i remember how to do RFI and LFI :>

Great tutorial!

bio_n3t · « **Reply #27 on:** April 11, 2012, 03:02:58 PM »

Quote from: ande on April 07, 2012, 10:17:13 PM

Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.

But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

ande · « **Reply #28 on:** April 14, 2012, 12:46:13 AM »

Quote from: bio_n3t on April 11, 2012, 03:02:58 PM

But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

I am pretty sure, I don't have time to test. But the idea is that ../ will move you backwards in the path until you hit the root directory, then it adds etc/passwd and %00 is the null char so it and everything after it will be discarded.

bio_n3t · « **Reply #29 on:** April 14, 2012, 04:22:08 PM »

I have done a simple test on Windows 7 and it doesn't work, may be on Linux works I don't know, or I have done something wrong!
We are waiting for other answers!

News:

Author Topic: Remote File Inclusion (RFI) (Read 5956 times)

ande

Re: Remote File Inclusion (RFI)

1Mirek

Re: Remote File Inclusion (RFI)

Infinityexists

Re: Remote File Inclusion (RFI)

Factionwars

Re: Remote File Inclusion (RFI)

Wolf

Re: Remote File Inclusion (RFI)

dataspy

Re: Remote File Inclusion (RFI)

ande

Re: Remote File Inclusion (RFI)

dataspy

Re: Remote File Inclusion (RFI)

Factionwars

Re: Remote File Inclusion (RFI)

bio_n3t

Re: Remote File Inclusion (RFI)

ande

Re: Remote File Inclusion (RFI)

Droaxenius

Re: Remote File Inclusion (RFI)

bio_n3t

Re: Remote File Inclusion (RFI)

ande

Re: Remote File Inclusion (RFI)

bio_n3t

Re: Remote File Inclusion (RFI)