Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

RFI question


jmort47's Avatar
Member
0 1

If you try an RFI using something like

/?file=C:\ftp\stuff\shell.php

would that grant reverse access to your local drive while you had your script running?

The reason I ask, is because I was trying an RFI in a few different places, and right after trying it on a particular page, my webcam turned on. My script definitely doesn't have anything to do with webcams. And I did open it or anything. It kinda spooked me.

Any thoughts?


rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

I'm not really sure what you're asking here man.

It would be inadvisable to try to exploit an RFI on some website, by using a shell that's traceable back to your own computer for sooooo many reasons.

Also, if you saved a shell.php in a local directory, that's accessible online via some server package you're running, then unless it's password protected, the whole internet can access it.


jmort47's Avatar
Member
0 1

I'll pm you


elmiguel's Avatar
Member
2,795 1

Beware of honeypots! Your RFI could have reverse affects in such that you executed a exploit that, without fully knowing, could be uploading the script that is being injected. This in return letting you exploit yourself to the so called "victim". If I was a malicious hacker I would do the following:

Create a honeypot to allow you to exploit my so called website. Allow you to use "RFI" and really be uploading the shell and gathering your info at the same time, thus using your exploit against you.

Since you have this locally, so bad by the way, and you do not fully understand the shell in which you are using you are basically telling the real attacker "Hey here I am, and go ahead and do what you will to my computer!"