LFI / RFI

RFI vulnerability in PHP application

Medium
20 min

In this exercise, we verify the RFI (Remote File Inclusion) vulnerability in the target application and exploit it by getting the application to execute our own PHP code. Remote File Inclusion is very similar to the LFI vulnerability discussed in the previous module; the difference is that with RFI the included file can be located at a completely different address, so we can serve our own PHP code for the application to execute. This vulnerability is considerably rarer, especially nowadays, but also much easier to exploit from the attacker's perspective.

Start by launching the task below and follow the steps at your own pace. Also provided is the source code of the application where the vulnerability is located.

RFI vulnerability in PHP application

Exploit the vulnerability and take control of the server.

Objective

Take control of the server and read the flag.

Exercises

Flag

Find the flag from the lab environment and enter it below.

<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Mythical Encyclopedia </title></head>
<body>
<?php
    if (!isset($_GET["country"])) {
      include("languages.php");
    }
    else {
      echo "<h1> Mythical Encyclopedia</h1> ";
    }
    if (isset($_GET["country"])) {
      $country = $_GET["country"];
      if ($country == "us") {
        $file = "./us.php";
      } else if ($country == "fr") {
        $file = "./fr.php";
      } else if ($country == "fi") {
        $file = "./fi.php";
      } else {
        $file = $country;
      }
      include($file);
    }
?>
</body>
</html>

Vulnerability Assessment

The source code for this task is almost the same as in the previous one, with the difference that here the else branch does not prepend ./ to the path. The lab is also configured to allow external addresses in the include function. If you try the same approach in the previous task, you will notice that using external addresses is not possible there.

Let's start by verifying that the same vulnerability can be found in this application by executing the following query.

https://www-xjmryxay62.ha-target.com/index.php?country=../../../../etc/passwd

Great! We are able to include any file in the system and read it on the page. Next, let's continue by performing the same LFI attack as in the previous module: get the following PHP code written into the access.log file and then include that file.

PHP code

<?php phpinfo(); ?>

Curl command that quickly injects the desired PHP code into the server log:

curl -H "User-Agent: <?php phpinfo(); ?>" https://*.ha-target.com/

Finally, we include the access.log file.

The phpinfo() function returns the PHP configuration of the server instance. This lets us see how the system is configured, which is very useful when testing PHP applications. Including PHP code from external services, as RFI requires, needs a specific configuration: using URL addresses in the include function requires the allow_url_include directive to be enabled. In this lab it is; however, it is no longer enabled by default.
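For comparison, here is a hardened version of the include logic shown above, added here as an example and not part of the lab's own code: the country parameter is mapped through a fixed allow-list, so neither a traversal path nor a URL ever reaches include(), and this holds even where allow_url_include is on. The file names languages.php, us.php, fr.php and fi.php come from the page; the resolveLanguageFile helper and the error message are assumptions of this example.

```php
<?php
// Added example (not the lab's code): allow-list based replacement for the
// vulnerable "else { $file = $country; } include($file);" branch.
declare(strict_types=1);

// Request value => file we are willing to include. Anything not listed here
// is rejected, so the user never supplies a path, only a lookup key.
const LANGUAGE_FILES = [
    'us' => 'us.php',
    'fr' => 'fr.php',
    'fi' => 'fi.php',
];

function resolveLanguageFile(string $country): ?string
{
    // array_key_exists does no type juggling and no path interpretation, so
    // "../../etc/passwd" or "http://attacker/rce.php" simply misses the list.
    if (!array_key_exists($country, LANGUAGE_FILES)) {
        return null;
    }
    $path = __DIR__ . '/' . LANGUAGE_FILES[$country];

    // Defence in depth: the resolved file must exist and live in this directory.
    $real = realpath($path);
    $prefix = __DIR__ . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Keep allow_url_include=Off in php.ini as well (the default, as the page
// notes); the allow-list above makes the code safe even if it were On.
$raw = $_GET['country'] ?? null;
if ($raw === null) {
    include __DIR__ . '/languages.php';   // no parameter: show the chooser
} else {
    // A non-string (e.g. country[]=x) is treated as invalid, not as a path.
    $file = is_string($raw) ? resolveLanguageFile($raw) : null;
    echo '<h1>Mythical Encyclopedia</h1>';
    if ($file === null) {
        http_response_code(400);
        echo '<p>Unknown country.</p>';
    } else {
        include $file;
    }
}
```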


Exploiting Vulnerability

Since we can input URLs to the include function, we can execute an RFI attack in the following way. First, let's create a file rce.php in the attacker's terminal and save the following PHP code in it.

<?php echo passthru('id'); ?>

Let's then start our own web server through which we can serve the mentioned file. This way, the target server is able to download the file. (Remember to check your own IP address)

Finally, we include the rce.php file in the following way.

We can now read the flag /flag.txt. You can try independently to create an interactive command-line connection to the server.

hakatemia pro
