A guy called ShiroHige is trying to hacking my website.
He tries to open a page with this parameter:
If you look at that text file it is just a
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
So what exploit is he trying to use (WordPress?)?
I know he is trying use RFI.
Is there some popular script that are exploitable with that (Drupal, phpBB, etc.)?
The vulnerability the attacker is aiming for is probably some kind of remote file inclusion exploiting PHPâ€™s
include and similar functions/construct that allow to load a (remote) file and execute its contents:
Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only,
readfile()is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.
Note that using
readfile does only avoids that the loaded file is executed. But it is still possible to exploit it to load other contents that are then printed directly to the user. This can be used to print the plain contents of files of any type in the local file system (i.e. Path Traversal) or to inject code into the page (i.e. Code Injection). So the only protection is to validate the parameter value before using it.
See also OWASPâ€™s Development Guide on â€œFile System â€“ Includes and Remote filesâ€ for further information.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki