Skip to content

moeinfatehi/rfi_vulnerability_scenarios

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Docker Image Size (latest by date) Docker Pulls

RFI Vulnerability Scenarios (challenges)

This repository is a Dockerized php application containing some RFI vulnerability challenges.

OWASP References:

  • Classification: Web Application Security Testing > 07-Input Validation Testing
  • WSTG: Testing for Remote File Inclusion (WSTG-INPV-11)

Bypass Techniques

The ideas behind challenges are:

  • PHP code injection using RFI
  • RFI to RCE (Remote Command Execution)
  • PHP filter bypass

Quick Start Using Docker

Using docker hub (Quickest):

  1. To access the challenges, you need docker installed.
  2. Run this command to pull and run the image from docker hub:
    sudo docker run -d -p 9004:80 moeinfatehi/rfi_vulnerability_scenarios
  3. Access the challenges with this URL: http://localhost:9004

Help:

-d: detached mode (You can use terminal after running command
-p: specifies port (you can change 9004 to whatever you want. If you don't have a web server on your host, set it to 80)

Using docker-compose:

  1. To access the challenges, you need docker and docker-compose installed.
  2. Clone the repository
    git clone https://github.com/moeinfatehi/rfi_vulnerability_scenarios.git
  3. Open the main directory of the project (where docker-compose.yml file exists) and run: docker-compose up
  4. Access the challenges with this URL: http://localhost:9004

Attention

  • Do not host these challenges without docker on your main operating system and web server, because any of these challenges are critically dangerous ones, if any hacker can access these challenges on your host webserver, your main OS can be attacked in different ways.
  • Using docker-compose which is described above will not have these type of impacts.

Disclaimer

This project is for Educational purpose ONLY. The usual disclaimer applies, especially the fact that I'm not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these project you accept the fact that any damage (dataloss, system crash, system compromise, etc.) caused by the use of this program is not my responsibility.

Hack and have fun !

If you have any further questions, please don't hesitate to contact me via my twitter account.