
RFI

Low

We start again, and this time we are going to include a remote file. As an example we will use Google: since we know the page loads whatever we pass in the parameter, we enter the complete URL and see what happens.

url attack

As we can see, the Google page is loaded inside our website.

Attack successful

Medium

We change the level and test the Google domain again, and it stops working.

Attack failed

If we look at the code, we notice that it has a str_replace, as in LFI, that prevents us from using http or https:

// Input validation 
$file = str_replace( array( "http://", "https://" ), "", $file );

But since str_replace is not recursive (it makes a single pass over the string), we can play with it by changing the way the protocol is written:

htthttp://p://google.es

What happens is that the inner http:// is removed, the pieces around it join back into a valid http:// prefix, and the attack works again.

Attack successful
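
The single-pass behaviour described above, as an added example (not DVWA's own code apart from the quoted str_replace line): it runs the quoted filter over constructed inputs, flags values that still carry a URL scheme after filtering, and contrasts that with a hypothetical allowlist check. The function names and the allowlisted file names are assumptions made for this example.

```php
<?php
// Added example. Only the str_replace() call is taken from the page;
// function names and allowlisted file names are hypothetical.

// The medium-level filter as quoted above: one left-to-right pass per pattern,
// with no re-scan of the text produced by a removal.
function filter_single_pass(string $file): string
{
    return str_replace(array("http://", "https://"), "", $file);
}

// Hardened alternative: accept only exact names from a fixed allowlist
// instead of trying to strip bad substrings out of the input.
function resolve_page(string $file): ?string
{
    $allowed = array("include.php", "file1.php", "file2.php"); // constructed names
    return in_array($file, $allowed, true) ? $file : null;
}

// Check usable in a test or a log review: does the value start with a URL scheme?
function has_scheme(string $value): bool
{
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $value) === 1;
}

// Constructed sample inputs; the last one is the nested form shown above.
$samples = array(
    "file1.php",
    "http://google.es",
    "htthttp://p://google.es",
);

foreach ($samples as $input) {
    $filtered = filter_single_pass($input);
    printf(
        "%-26s filtered=%-18s scheme_survives=%-4s allowlist=%s\n",
        $input,
        $filtered,
        has_scheme($filtered) ? "yes" : "no",
        resolve_page($input) ?? "rejected"
    );
}
```

Only the nested input still has a scheme after the filter has run, while the allowlist rejects both URL inputs without having to recognise them at all.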

High

In this case it cannot be solved by including a URL, so you have to use another vulnerability, such as a file upload, and call the code from that file.