How to know if an RFI/LFI attack was successful?

Information Security Asked by user226295 on December 31, 2021

Let’s say that an attacker wants to search websites for RFI/LFI vulnerability with a script, he’s fuzzing the URL with a list of remote/local files. And he prints the headers that return from the request. How can the attacker know when the RFI/LFI was successful?

Is the content-length header can tell us something?

If RFI/LFI does not work on one (valid) file, does that mean there is no chance of this attack at all? Or can I keep trying other files?

2 Answers

LFI/RFI is code execution attacks (due to the code being executed from insute the PHP include or require function calls. Thus you can make the code perform any action you can measure.

  • For remote file include you should be able to observe the incoming web request to the URL and get a shell.
  • For local file include you should get shell or print a specific string.

If by any chance you're confusing RFI/LFI with the SSRF/LFD bug classes then you can still tell by watching the incoming URL for SSRF or for LFD requesting a file with known content and look for that content in the response (f.ex /etc/passwd should match root:)

Answered by wireghoul on December 31, 2021

Is the content-length header can tell us something ?

It may depend on the particular server and application. In many cases, the HTTP response will contain the contents of the requested file itself, or the output of executing it. So usually, you'd just confirm that a file was returned.

If the content length for an invalid file is 0, and a valid file is > 0, then that could work. I don't know if it would be that cut and dry, however, but maybe you can identify a baseline value vs a valid file hit. But maybe instead the particular application instead returns an HTTP 500 code if the file is invalid. It's probably good to try files that you know exist, so you can calibrate the expected response based on how the server responds.

If RFI/LFI does not work on one (valid) file, does that mean there is no chance of this attack at all?

Depends how you define "valid". If the file exists but you do not have permission to read it, then you will probably get a negative response. There also may be path filtering or a forced file extension; in these cases you may only be able to view certain files.

Answered by multithr3at3d on December 31, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP