Author Topic: Remote File Inclusion (RFI)  (Read 41192 times)

dataspy
Re: Remote File Inclusion (RFI)
« Reply #15 on: April 04, 2012, 02:28:29 am »
Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example
Code:
<?php
// Allowed values for the Action parameter
$Redirection = array('View', 'Edit', 'Delete');

if (isset($_GET['Action']))
{
    // Third argument TRUE makes in_array() compare strictly
    if (($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("ViewRecord.php");
    }
    elseif (($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("EditRecord.php");
    }
    elseif (($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("DeleteRecord.php");
    }
    else
    {
        // do something
    }
}
else
{
    require("index.php");
}
?>


I haven't tried to exploit it yet but I think it would work :)


The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

ande
« Reply #16 on: April 04, 2012, 04:19:28 pm »
Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example
Code:
<?php
// Allowed values for the Action parameter
$Redirection = array('View', 'Edit', 'Delete');

if (isset($_GET['Action']))
{
    // Third argument TRUE makes in_array() compare strictly
    if (($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("ViewRecord.php");
    }
    elseif (($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("EditRecord.php");
    }
    elseif (($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE)))
    {
        require("DeleteRecord.php");
    }
    else
    {
        // do something
    }
}
else
{
    require("index.php");
}
?>


I haven't tried to exploit it yet but I think it would work :)

That is not necessary at all; after you have done an if($n == "derp") you don't need to do an in_array() as well.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

dataspy
« Reply #17 on: April 04, 2012, 04:56:33 pm »
Thanks, yep I see how that is redundant :)

Stackprotector
« Reply #18 on: April 04, 2012, 10:36:16 pm »
Thanks, yep I see how that is redundant :)
If you keep the in_array, you can shorten it up like a baws: just look if the requested page is in the array, if yes include it and show it.
~Factionwars
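
The shortened allowlist check described in the post above, as an added example that is not code from the thread. It goes one step further and maps each accepted value to its file, so the request never supplies any part of the included path; the helper name resolve_action() and the single index.php fallback for both missing and unknown actions are assumptions.

```php
<?php
// Added example (not from the thread): allowlist lookup instead of if/elseif.
// Keys are the accepted ?Action= values; file names are from dataspy's post.
$Redirection = array(
    'View'   => 'ViewRecord.php',
    'Edit'   => 'EditRecord.php',
    'Delete' => 'DeleteRecord.php',
);

// resolve_action() is a hypothetical helper name.
function resolve_action(array $allowed, $requested, $default = 'index.php')
{
    // ?Action[]=x arrives as an array and a missing parameter as null:
    // both fall back to the default instead of reaching the lookup.
    if (!is_string($requested)) {
        return $default;
    }
    // Exact, case-sensitive key match. The returned value is a constant
    // written in this file, never text taken from the request.
    return array_key_exists($requested, $allowed) ? $allowed[$requested] : $default;
}

// In the real script:
//   $action = isset($_GET['Action']) ? $_GET['Action'] : null;
//   require __DIR__ . '/' . resolve_action($Redirection, $action);

// Constructed inputs to show the behaviour without a web server.
$samples = array('View', 'Delete', 'view', 'http://example.invalid/x.txt?',
                 '../../etc/passwd', array('View'), null);
foreach ($samples as $input) {
    echo str_pad(json_encode($input, JSON_UNESCAPED_SLASHES), 34), ' => ',
         resolve_action($Redirection, $input), "\n";
}
```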

bio_n3t
« Reply #19 on: April 07, 2012, 02:50:50 pm »
And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
   include("page/".$_GET["page"].".php");
}
?>

Is it dangerous? Thank you

ande
« Reply #20 on: April 07, 2012, 10:17:13 pm »
And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
   include("page/".$_GET["page"].".php");
}
?>

Is it dangerous? Thank you


Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.
« Last Edit: April 07, 2012, 10:18:05 pm by ande »

Droaxenius
« Reply #21 on: April 10, 2012, 12:28:09 pm »
Thank you ande.
Now I remember how to do RFI and LFI :>


Great tutorial!

bio_n3t
« Reply #22 on: April 11, 2012, 03:02:58 pm »
Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.

But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

ande
« Reply #23 on: April 14, 2012, 12:46:13 am »
But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

I am pretty sure, I don't have time to test. But the idea is that ../ will move you backwards in the path until you hit the root directory, then it adds etc/passwd and %00 is the null char so it and everything after it will be discarded.

bio_n3t
« Reply #24 on: April 14, 2012, 04:22:08 pm »
I have done a simple test on Windows 7 and it doesn't work. Maybe it works on Linux, I don't know, or I have done something wrong!
We are waiting for other answers! :D

ande
« Reply #25 on: April 14, 2012, 04:32:45 pm »
I have done a simple test on Windows 7 and it doesn't work. Maybe it works on Linux, I don't know, or I have done something wrong!
We are waiting for other answers! :D

The ../ concept is universal, but /etc/passwd is Linux only. You can try ../../../../../../../windows/system32/drivers/etc/hosts

bio_n3t
« Reply #26 on: April 14, 2012, 04:41:35 pm »
Yes, I knew that etc/passwd is only for Linux. I have done a test with a file in the root and now I retry with ../../../../../../../windows/system32/drivers/etc/hosts%00
and it always says:

Warning:  include() [function.include]: Failed opening 'include/../../../../../../../windows/system32/drivers/etc/hosts' for inclusion (include_path='.;C:\php\pear') in C:\www\aaa.php on line 3  :-\

ande
« Reply #27 on: April 14, 2012, 04:45:19 pm »
Yes, I knew that etc/passwd is only for Linux. I have done a test with a file in the root and now I retry with ../../../../../../../windows/system32/drivers/etc/hosts%00
and it always says:

Warning:  include() [function.include]: Failed opening 'include/../../../../../../../windows/system32/drivers/etc/hosts' for inclusion (include_path='.;C:\php\pear') in C:\www\aaa.php on line 3  :-\

Windows/Linux might be different when it comes to path shortcuts when I think about it. Try ..\ instead of ../ etc.

bio_n3t
« Reply #28 on: April 15, 2012, 10:24:29 am »
I tried again on Windows using ..\ and it doesn't work.
By the way, now I have also tried with a Linux server and it doesn't work either

http://www.site.com/index.php?page=../../../../../../../etc/passwd%00
 :-\

ande
« Reply #29 on: April 15, 2012, 11:15:32 pm »
I tried again on Windows using ..\ and it doesn't work.
By the way, now I have also tried with a Linux server and it doesn't work either

http://www.site.com/index.php?page=../../../../../../../etc/passwd%00
 :-\


This kept annoying me so I did a little bit of poking around. Tried it on this server and on my local machine, so Windows and Linux. I could include other PHP files, which is still a pretty serious issue. However, I was not able, like you said, to include entirely custom files like hosts or passwd. Even using the null char trick. Odd thing, I swear that used to work back in the day. Perhaps new PHP versions or extensions/addons have taken care of it.

On top of that, I want to make it perfectly clear that this does not mean it's OK to use such a script.
« Last Edit: April 15, 2012, 11:15:58 pm by ande »
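
A confined version of the page/ loader discussed in this thread, as an added example that is not code from any of the posts. The file_exists() check in the original does not restrict where the path points, so this version accepts only a plain name and then confirms with realpath() that the resolved file is still inside the page directory; PHP 5.3.4 and later also reject paths containing a NUL byte, so a %00 suffix no longer cuts off the appended .php. The helper name resolve_page() and the temporary demo directory are assumptions for illustration.

```php
<?php
// Added example (not from the thread): confine a ?page= include to one directory.
// resolve_page() is a hypothetical helper; returns an absolute path or null.
function resolve_page($baseDir, $page)
{
    // Accept only a plain name: arrays, empty values, dots, slashes,
    // backslashes and NUL bytes are all rejected here.
    if (!is_string($page) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $target === false) {
        return null; // directory or page does not exist
    }
    // Defence in depth: after symlinks and ".." are resolved, the file
    // must still sit below the base directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// In the real script:
//   $file = resolve_page(__DIR__ . '/page', isset($_GET['page']) ? $_GET['page'] : null);
//   if ($file === null) { header('HTTP/1.1 404 Not Found'); exit; }
//   include $file;

// Constructed demo: a temporary page directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'page_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home";');

// Constructed inputs, using the values tried in the thread.
$samples = array(
    'home',
    'missing',
    '../../../../../../../etc/passwd',
    "../../../../../../../etc/passwd\0",
    '..\\..\\windows\\system32\\drivers\\etc\\hosts',
    array('home'),
);
foreach ($samples as $s) {
    $r = resolve_page($dir, $s);
    echo str_pad(json_encode($s, JSON_UNESCAPED_SLASHES), 56), ' => ',
         ($r === null ? 'rejected' : 'include ' . $r), "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```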