In this tutorial, I'll explain:
Intro: What is RFI?
1. Understanding RFI
2. Finding RFI vulnerabilities
3. Exploiting RFI vulnerabilities
4. Securing RFI vulnerabilities
RFI stands for Remote File Inclusion.
RFI is a type of web application security hole.
Many sites on the net are vulnerable to RFI.
In this tutorial, I am going to show you RFI with PHP.
PHP is a web script engine. It's the most widely used one, which is why I am using it in this tutorial.
Learn more about PHP: http://php.net
http://en.wikipedia.org/wiki/PHP
To understand what file inclusion is I am going to show a little example.
This is an example site in PHP:
PHP Code:
<?php
// Text shown in the page body
$content = "Hello and welcome to the site";
?>
<html>
<head><title>Hello world</title></head>
<body>
<?php echo($content); ?>
</body>
</html>
This is a very basic page. But as your site grows, you might want to put the individual pages in their own files and include them in the main file depending on user input.
This way, when you have pages with perhaps 10k lines of PHP code, you don't have to spend hours looking for the bit of code you want to edit or view.
By user input I mean things like a URL GET argument. A GET argument could look like this:
HTML
www.site.com/index.php?page=index
In the above example, the PHP script would see “page=index” and then show the content of “index”. The “index” can be anything: a file, an SQL value, or a hard-coded variable. If it is a file, then the PHP script is most likely using the include() function, and that is file inclusion.
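The include-by-GET-argument pattern described above, next to an allowlist form that never passes user input to include(). This is an added example, not code from the original tutorial; the page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example. Page names, file paths and resolve_page() are hypothetical.

// Pattern the tutorial describes: the GET argument decides which file is included.
// Left commented out because the included path is fully user-controlled.
// include($_GET['page'] . '.php');

// Hardened form: the user only picks a key; the file paths are fixed in code.
const PAGES = [
    'index'   => 'pages/index.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve a requested page name to a file from the allowlist.
 * Anything that is not an exact key (URLs, unknown names, arrays, null)
 * falls back to the index page.
 */
function resolve_page($requested): string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES['index'];
    }
    return PAGES[$requested];
}

// Constructed sample inputs, standing in for values of $_GET['page'].
$samples = ['index', 'about', 'http://example.invalid/x', 'nosuchpage', ['a'], null];
foreach ($samples as $sample) {
    printf("%-28s => %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES), resolve_page($sample));
}

// In the real index.php the result would be used like this:
// include __DIR__ . '/' . resolve_page($_GET['page'] ?? 'index');
```

Separately, PHP's allow_url_include setting controls whether include() may load a URL at all; it is off by default and should stay off.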