Hacker, Researcher and Author.

Facebook Hacking: Remote File Inclusion Attack



Facebook, being the world's largest social networking website, has become a major target for hackers, attackers and other malicious users. Facebook has hired a team of the world's leading security experts to improve the website's security. Moreover, Facebook also pays $500 to anyone who can identify any sort of vulnerability in Facebook.
The Facebook security team has done a great job of raising Facebook's security to a very high level. However, Facebook applications are not coded or monitored by Facebook, and it is not possible for Facebook to monitor every single app for vulnerabilities. These Facebook apps are mostly coded by ordinary programmers who are not well aware of how to write code securely, which leaves Facebook apps riddled with common vulnerabilities like XSS (cross-site scripting), clickjacking, remote file inclusion, etc.

Of all these web application vulnerabilities, remote file inclusion is a very common attack; it occurs because the application does not validate the files it includes. According to Imperva, 21% of the apps on Facebook are vulnerable to remote file inclusion.

Here is how the attack is carried out:

Step 1 - The attacker creates a malicious JPG file, because uploading PHP files is usually blocked on web servers for user-level privileges. The attacker therefore renames a PHP shell to something like shell.php.jpg in order to upload it to the web server.

Step 2 - Next, the attacker exploits the RFI vulnerability to reference the malicious JPG; the vulnerable parameter looks something like:

.php?page=url of your malicious image

Step 3 - The attacker then takes control of the server simply by browsing to the URL of the JPG image.

Mitigation:

Imperva suggests a four-step mitigation process, shown in the image below. However, it includes deploying a web application firewall; what if someone is not using a WAF, how will they be protected?

Exploiting RFI And Mitigation
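Since the post leaves open how an app that has no WAF defends itself, here is an added example (written for this edit, not code from the original post or from Imperva) of the include pattern the three steps above exploit, beside a hardened version that works without any WAF. The function names, the page map and the paths /var/www/app and /var/www/app/pages/ are hypothetical and chosen for the example.

```php
<?php
// Added example, not code from the original post or from Imperva.
// It reproduces the include pattern the post describes and then shows
// the fix that needs no WAF: an allowlist of includable pages, plus an
// upload check that does not trust the client-supplied filename.
// Assumed (hypothetical) layout: app root /var/www/app, page scripts in
// /var/www/app/pages/.

declare(strict_types=1);

// ---- Vulnerable pattern (what the post describes; shown, never called) ----
// The request parameter becomes the include path. With allow_url_include=On
// the "page" value can be any URL, which is exactly the RFI the post walks
// through; with it off, the same code is still a local file inclusion bug.
function include_page_unsafe(): void
{
    include $_GET['page'] . '.php';
}

// ---- Hardened pattern ----
// The user never supplies a path. The parameter is only a key into a fixed
// map of page names to files, so remote URLs, "../" sequences and renamed
// uploads such as shell.php.jpg can never be included.
const PAGES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'about'   => 'about.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                      // unknown key: refuse, do not guess
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// ---- Upload side: do not trust the name the client gave the file ----
// Check that the bytes really parse as an image, then store the file under
// a server-chosen name whose extension is derived from the content, in a
// directory outside the web root ($destDir is chosen by the server).
function store_uploaded_image(string $tmpPath, string $destDir): ?string
{
    $info = @getimagesize($tmpPath);      // false unless it parses as an image
    if ($info === false) {
        return null;
    }
    $ext  = image_type_to_extension($info[2], false);  // from content, not filename
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $name;
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Front controller using the hardened resolver.
$page = $_GET['page'] ?? 'home';
$path = resolve_page($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

The allowlist is the actual fix: once the parameter can only select from a fixed map, there is nothing to point at a remote JPG. As defence in depth, keep allow_url_include = Off in php.ini (its default since it was introduced in PHP 5.2, and deprecated in 7.4) so include cannot fetch a URL at all, and consider allow_url_fopen = Off where the application does not need remote streams.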



6 comments:

  1. Really nice one,
    but an image explanation will help for n00bs.

    Regards
    M.Gazzaly
    http://www.gazzaly.info
  2. sv11@ If you can give a video tutorial with details, then it will be much more helpful.... As most of us are beginners, it's not accessible to us with these technical terms....
    Hoping for a reply
  3. @Anonymous 2
    I will make a tutorial soon.

    @Gazzaly
    I really didn't understand what you were trying to say.
  4. Hi, could you please help me hack the account of my friend? Here is my email: anniejoymarcelo@yahoo.com
  5. Hi! Can't you please help me learn how to hack an FB account? This is important, not only a game. It is about a mistress of my friend's husband. Thank you. Search for me on FB: maria annah
  6. You can make a fake FB page and send it to the victim, or you can install a keylogger on the PC....

© 2016 All Rights Reserved by RHA Info Sec.
