co4ie Posted April 4, 2012

Anatomy of an RFI/LFI Attack

In yesterday's blog, we described how an RFI/LFI attack worked in the case of militarysingles.com. How do they work in general? Today's blog attempts to describe how these attacks work in the wild. We will show how malicious code can be uploaded to the server. Our hope from this exercise?

Step 1: Take an innocent jpg image and some malicious code.

Why pictures? Because many sites (such as militarysingles) allow only picture uploads and no other file types. Here's a malicious code example:

This specific code was used to find servers vulnerable to RFI and would likely be detected by most anti-virus packages available today. This simple code instructs the server to concatenate the strings "FeeL" and "CoMz" in both the 'echo' and 'die' functions, write the strings back to the user and exit the current script. If the user sees these strings in the response from the server, he knows that the server is vulnerable to RFI.

Step 2: Copy and paste the malicious code into the Camera maker property.

Step 3: Upload the infected image to a web server.

Step 4: Use the URL of the infected image as input to the vulnerable server.

Note the 'FeeLCoMzFeeLCoMz' output received from the server.

In order to have better immunity to anti-virus software, one can modify step 2:

What was done? You divide the malicious code into two parts. Paste one part in the Camera maker property and the second part in the Camera model property. This will produce the same infection as before, with zero antivirus detection. Also, the picture still looks benign to the eye and valid from the technical point of view.
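A defender-side check for the upload path described above, added here as an example and not code from the original post or the blog it quotes. It parses the EXIF IFD0 of a JPEG, reports which text tags (Make, Model, and the other ASCII tags) carry PHP open or close markers, so a payload split across the Camera maker and Camera model properties is still attributed to both fields, and it also checks the raw bytes, because a PHP include() reads the whole file and does not care where the text sits in the EXIF structure. The two sample images, the tag table and the marker list are constructed for this example; the probe strings are the ones the post describes. Scanning is a detection layer only: the stronger mitigation is to re-encode every uploaded image (which discards metadata) and to never let user-supplied paths or URLs reach include/require.

```python
import struct

# EXIF ASCII tags that normally hold camera text (constructed subset for the example).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x010E: "ImageDescription", 0x8298: "Copyright", 0x013B: "Artist"}

# Markers a PHP interpreter would act on if the file were include()d.
PHP_MARKERS = (b"<?php", b"<?=", b"?>", b"eval(", b"system(", b"passthru(")


def build_exif_jpeg(fields):
    """Build a minimal JPEG (SOI, APP1/EXIF, EOI) whose IFD0 holds ASCII tags.
    `fields` maps EXIF tag id -> bytes. Used only to construct the samples below."""
    n = len(fields)
    entries, data = b"", b""
    data_offset = 8 + 2 + 12 * n + 4          # TIFF header + count + entries + next-IFD
    for tag, value in sorted(fields.items()):
        value += b"\x00"                       # ASCII values are NUL-terminated
        entries += struct.pack("<HHII", tag, 2, len(value), data_offset + len(data))
        data += value
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", n)
            + entries + b"\x00\x00\x00\x00" + data)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _parse_ifd0(tiff):
    """Return {tag name: bytes} for the ASCII (type 2) entries of IFD0."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF header")
    ifd_off = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n, val = struct.unpack(endian + "HHII", tiff[e:e + 12])
        if typ != 2:                           # only ASCII entries carry text
            continue
        raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[val:val + n]   # <=4 bytes are inline
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00")
    return tags


def exif_ascii_tags(jpeg):
    """Walk the JPEG marker segments and parse the first APP1/EXIF segment found."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("bad marker")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or start of scan: no more metadata
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(seg[6:])
        pos += 2 + seg_len
    return {}


def scan_image_metadata(jpeg):
    """Return a list of (location, marker) findings; empty means nothing suspicious.
    Per-field hits show which EXIF property carries each half of a split payload."""
    findings = []
    for name, value in exif_ascii_tags(jpeg).items():
        for m in PHP_MARKERS:
            if m in value:
                findings.append((name, m.decode()))
    # Backstop on the raw bytes: include() reads the whole file, so the payload
    # is dangerous wherever it sits (EXIF, COM segment, trailing garbage).
    if b"<?php" in jpeg or b"<?=" in jpeg:
        findings.append(("<raw bytes>", "php-open-tag"))
    return findings


# Constructed samples: a benign photo header, and the post's probe split across Make/Model.
CLEAN_SAMPLE = build_exif_jpeg({0x010F: b"Canon", 0x0110: b"EOS 5D"})
SPLIT_SAMPLE = build_exif_jpeg({0x010F: b'<?php echo "FeeL"."CoMz";',
                                0x0110: b'die("FeeL"."CoMz"); ?>'})

if __name__ == "__main__":
    print("clean :", scan_image_metadata(CLEAN_SAMPLE))
    print("split :", scan_image_metadata(SPLIT_SAMPLE))
```

In an upload handler this would run before the file is stored, and any finding would reject the upload and log the field name, so the log shows whether the text was split across Make and Model as the post describes.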