Introduction

Sometimes an application needs to read the contents of a file, either from the local filesystem or from a remote location. A simple example is an avatar or profile picture that is stored on the local filesystem. Applications rarely do it this way anymore, but it is an easy way to demonstrate the issue.

This goes wrong when the server does not restrict which file it opens and will fetch any file the attacker names, including files hosted on a server the attacker controls. In severe cases this leads to remote code execution: when the user-controlled path reaches include() or require() rather than just a read, any PHP in the fetched file is executed on the server.

Make a connection

THE SERVER GETS ERASED EVERY 24 HOURS

Let's create an RFI

Create a file on the server with the following content. Name it anything you'd like, just remember the name for later.

<?php
// Vulnerable on purpose: the path comes straight from the query string and is
// handed to fopen() without any validation. With allow_url_fopen enabled (the
// PHP default), fopen() accepts URLs as well as local paths.
$filePath = $_GET["field2_name"] ?? "";
$url = $filePath;

$file = fopen($url, "r");
if ($file === false) {
    die('<div class="comment">could not open file</div>');
}
// Reads at most 1024 bytes; on a network stream fread() may return fewer.
$filecontent = fread($file, 1024);
fclose($file);

// The fetched content is echoed without HTML encoding.
echo '<div class="comment">' . $filecontent . '</div>';
?>
<form id="comment_form" method="GET">
<input type="text" class="text_cmt" name="field2_name" id="file"/>
<input type="submit" name="submit" value="submit" id="getData"/>
<input type='hidden' name='parent_id' id='parent_id' value='0'/>
</form>

Let's hack it

We can exploit this by typing a URL into the form, which sends a request of the form ?field2_name=https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/bitquark-subdomains-top100000.txt. The server fetches the file and echoes it back to us.

Only the first 1024 bytes are shown (or fewer, since fread() on a network stream returns once a packet arrives), but the server will open any URL or local path we name, and reading the rest is left as an exercise. Strictly speaking the file is read and echoed rather than included, so this discloses content and lets us use the server to fetch arbitrary local files and URLs, but it does not execute what it fetches. The same input passed to include() or require() would execute any PHP in the fetched file, which is the classic RFI and the source of the remote code execution mentioned in the introduction.

Let's secure it

Securing this takes care. Blocklisting strings such as "http://" is easily bypassed, because other wrappers exist (ftp://, php://, data://), case and encoding vary, and local paths with ../ are just as dangerous. The fix is to never hand user input to fopen() or include() directly: allow only a fixed set of file names, resolve them under one directory and check the result stays there, and turn off allow_url_fopen and allow_url_include where remote access is not needed. The general tips in the next section apply as well.
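As an added example (not code from the original page), here is a hardened counterpart of the comment reader shown above. It assumes avatars live in one fixed directory and that the client passes a bare file name; the function names resolveAvatarPath() and renderAvatar(), the avatar directory and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not code from the original page: a hardened counterpart of
// the vulnerable comment reader. Names (resolveAvatarPath, renderAvatar) and
// the layout (one fixed avatar directory, bare file names from the client)
// are assumptions made for this example.
declare(strict_types=1);

// Read at most this many bytes, matching the original fread($file, 1024).
const MAX_BYTES = 1024;

/**
 * Map a user-supplied name to a file inside $dir, or return null.
 *
 * 1. Accept only a conservative character set. This rules out "/", "\\",
 *    ":" and "..", so no scheme (http://, ftp://, php://, data://) and no
 *    traversal can be expressed at all. Allowlisting beats blocklisting
 *    "http://", which wrappers like php:// and data:// would bypass.
 * 2. Canonicalise with realpath() and confirm the result still sits under
 *    $dir, which catches symlinks pointing outside it.
 * 3. Require a regular, readable file.
 */
function resolveAvatarPath(string $dir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)\z/', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

/**
 * Hardened replacement for the echo in the original: user input never
 * reaches fopen(), and whatever is echoed is HTML-encoded.
 */
function renderAvatar(string $dir, string $name): string
{
    $path = resolveAvatarPath($dir, $name);
    if ($path === null) {
        return '<div class="comment">unknown avatar</div>';
    }
    $content = file_get_contents($path, false, null, 0, MAX_BYTES);
    if ($content === false) {
        return '<div class="comment">unreadable avatar</div>';
    }
    return '<div class="comment">' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Demo with a constructed avatar directory in the system temp dir.
$avatarDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'avatars_demo_' . getmypid();
mkdir($avatarDir, 0700);
file_put_contents($avatarDir . DIRECTORY_SEPARATOR . 'alice.png', 'constructed avatar bytes');

// The first input is legitimate; the others are inputs the original code
// would happily pass to fopen(). The last one carries a NUL byte, as a
// URL-decoded %00 would.
$inputs = [
    'alice.png',
    'https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/bitquark-subdomains-top100000.txt',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=index.php',
    "alice.png\0",
];
foreach ($inputs as $in) {
    $verdict = resolveAvatarPath($avatarDir, $in) === null ? 'rejected' : 'allowed';
    echo str_pad($verdict, 9), str_replace("\0", '\0', $in), "\n";
}
echo renderAvatar($avatarDir, 'alice.png'), "\n";

unlink($avatarDir . DIRECTORY_SEPARATOR . 'alice.png');
rmdir($avatarDir);
```

Of the constructed inputs only alice.png is allowed; the URL, the traversal, the php:// wrapper and the NUL-terminated name are all rejected by the allowlist before realpath() is ever consulted. As defence in depth, set allow_url_fopen=Off and allow_url_include=Off in php.ini when the application has no need to fetch remote files, and consider open_basedir to confine PHP to the directories it needs. Note that allow_url_fopen does not affect the php:// and file:// wrappers, so the allowlist in the code, not the ini setting, is the control that actually stops those inputs.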

Tips