Articles by "RCE"

Remote File Inclusion (RFI)

Hello Guys! In this article we will learn how to exploit an RFI vulnerability. I hope you have read my previous article on Local File Inclusion; if you haven't, please go and read that first.

Remote File Inclusion (RFI)

As the name suggests, if an attacker can make the victim web application include a remote file, the flaw is called a Remote File Inclusion (RFI) vulnerability. Take a look at this piece of code:

As you can see, the first line extracts the file parameter value from the HTTP request made by the user, while the second line uses this value to set the file name. If the input is not sanitized properly, it can be used to include a malicious file from a remote server. Here is a vulnerable JSP snippet:

Again, if the input is not sanitized properly it can be used to include a malicious file from a remote server. RFI is not a common vulnerability at all, but it is very dangerous when exploited. Now you must be wondering how to exploit this vulnerability. Hold on, I will demonstrate it with a real life example. We have a URL here,

Let's break things down:

  1. is the target website
  2. file.php is a webpage with the parameter view=
  3. For example, if the user wants to view a document related to animals, the webpage file.php loads it via the view= parameter.

Take a close look at view=. If it were including local files, like view=/files/animals.php, we would test for Local File Inclusion. But as we can see it is including files from another website entirely, which means it can be made to include a malicious file too. Enough theory! So here's the vulnerable parameter:

Now I will try to load an image by submitting its URL like this:

See? How easy is that? With a webshell you can take over their website or even the whole server.


Local File Inclusion (LFI) and Remote File Inclusion (RFI)

Today’s article is about Local File Inclusion (LFI) and Remote File Inclusion (RFI).
If you have basic knowledge of SQL injection you probably know how we can inject our SQL queries into a vulnerable parameter.
We take advantage of vulnerable parameters in LFI and RFI too.

In SQL injection, we interact with the SQL database using SQL queries to retrieve sensitive data from the database. But in LFI/RFI we ask the webpage to open something for us; it could be a file, or a webpage (a webpage is a file too) from another website.
Enough theory! Now let's see what the heck LFI and RFI are.

Local File Inclusion (LFI)

Take a look at this URL:

The parameter in this case is view= and the value is /images/Haxor.jpg.
It means open.php is a webpage which loads different files (Haxor.jpg in this case) from the server. There can be many sensitive files on the server which can be accessed using open.php if the webpage is vulnerable to LFI.

You can open/execute any type of file (not folders) with LFI, which means you can read logs and configuration files and execute files if a webpage is vulnerable to Local File Inclusion. You can even hack into the server if the server admin is stupid enough not to configure things properly.

Remote File Inclusion (RFI)

What is the difference between Local File Inclusion and Remote File Inclusion?
Well, both vulnerabilities can be used to open things, but LFI is used to open files from the server where the website is hosted (locally), while RFI is used to open files from another server (remotely).
We can easily host a malicious file on our server and use the RFI vulnerability to run it on the victim website.

Take a look at this URL:

By looking at the above URL one would guess that the parameter page= is loading webpages.
It is opening the home page, and similarly it may open other pages from the website. But if the webpage (get.php) is not programmed properly, then a hacker can replace home with a webpage of his choosing, like this:

If everything goes well then get.php will try to open backdoor.php, which will compromise the server (or do something else, depending on what's in it). That makes RFI a deadly vulnerability.
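Both posts come down to the same root cause: a page name taken straight from the page= or view= parameter and handed to an include. The following added example (my code, not from either post, written in Python rather than the posts' PHP/JSP) shows the server-side fix and check a defender wants: an allowlist of page names, rejection of any value carrying a URL scheme or traversal, and confinement to a base directory. BASE_DIR, ALLOWED_PAGES and the sample values are constructed.

```python
import os
import re
from typing import Optional

# Constructed: the directory get.php/file.php is meant to serve from, and the
# only page names it should ever accept (hypothetical, not from the posts).
BASE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {
    "home": "home.php",
    "animals": "files/animals.php",
    "contact": "contact.php",
}

# A leading "scheme:" (http:, https:, ftp:, php:, data:, ...) or a
# protocol-relative "//host" is the signature of a remote/wrapper include.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def classify(value: str) -> str:
    """Label a raw page/view value as 'ok', 'remote' or 'traversal'
    before it gets anywhere near an include() call."""
    if SCHEME_RE.match(value) or value.startswith("//"):
        return "remote"
    parts = value.replace("\\", "/").split("/")
    if "\x00" in value or ".." in parts:
        return "traversal"       # LFI-style escape from the pages directory
    return "ok"


def resolve_include(value: str) -> Optional[str]:
    """Map a user-supplied page name to a file path, or None if rejected.
    Only allowlisted names resolve, and the final path is still checked to
    lie under BASE_DIR (defence in depth; in PHP also keep allow_url_include=Off)."""
    if classify(value) != "ok":
        return None
    rel = ALLOWED_PAGES.get(value)
    if rel is None:
        return None              # "/images/Haxor.jpg" style free-form paths
    path = os.path.normpath(os.path.join(BASE_DIR, rel))
    if os.path.commonpath([BASE_DIR, path]) != BASE_DIR:
        return None
    return path


if __name__ == "__main__":
    # Constructed sample parameter values as they might show up in access logs.
    for v in ["home", "http://evil.example/backdoor.php", "../../etc/passwd",
              "/images/Haxor.jpg", "php://filter/resource=index.php"]:
        print(f"{v!r:42} -> {classify(v):9} {resolve_include(v)}")
```

Logging the classify() label for every rejected value gives a cheap detection signal for RFI/LFI probing against the parameter, alongside the fix itself.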

Zaenal Arifin
