Pranaam to all _/\_
In this blog post, I am going to demonstrate the technique of exploiting Remote File Inclusion (RFI) vulnerability in PHP applications which is vulnerable to "File Inclusion attack". We will bypass the Remote URL inclusion restriction and perform the exploitation of RFI even if PHP environment is configured not to include files from remote HTTP/FTP URL.
PHP and SMB share file access
In PHP Configuration file, "allow_url_include" wrapper by-default set to "Off" which instruct PHP not to load remote HTTP or FTP URLs and hence prevent Remote File Inclusion attack. But, PHP does not block SMB URL loading even if "allow_url_include" and "allow_url_fopen" both are set to "Off". This behaviour of PHP can be abused to load remotely hosted PHP web shell from SMB share.
Attack scenario outline
When vulnerable PHP application code try to load PHP web shell from attacker controlled SMB share, SMB share should allow access to the file. Attacker need to configure SMB server with anonymous browsing access enable on it. So, once vulnerable application try to access PHP web shell from SMB share, SMB server will not ask for any credential and PHP code of web shell will be included by the vulnerable application.
Let's start, first of all I reconfigured PHP environment and disabled "allow_url_fopen" as well as "allow_url_include" in php.ini file. Later configured SMB server with anonymous read access. Once SMB share is ready, exploit the vulnerable application
PHP environment settings
Machine which has vulnerable code hosted on it has "allow_url_fopen" and "allow_url_include" set to "Off"
Screenshot of current configuration of the PHP version "5.5.11":
Before proceeding, let's make sure PHP code is not allowing Remote File Inclusion when we try to access web shell hosted on HTTP.
Application is throwing error and RFI is not happening when I tried to include PHP web shell from remote host.
Configuring the SAMBA server with anonymous read access (Linux Machine)
Install SAMBA server using below mentioned command:
Create SMB share directory (in my case /var/www/html/pub/)
Configure permissions on newly created SMB share directory:
Run below mentioned command to remove default content of SAMBA server config file
Put below mentioned content in file '/etc/samba/smb.conf'
Now, restart SAMBA server to apply new configuration spcified in config file /etc/samba/smb.conf
Once SAMBA server has been restarted successfully, try to access SMB share and make sure SAMBA server is not asking for credentials.
In my case, SAMBA server IP is 192.168.0.3, I need to access SMB share in Windows file explorer as mentioned below:
Hosting PHP web shell in SMB share
Awesome, SMB share is accessible and showing that directory 'ica' is present.
Now, host PHP shell in directory '/var/www/html/pub' which is the directory of the SMB share diretory 'ica'.
Once we have PHP shell in directory '/var/www/html/pub', access the directory SMB share directory 'ica' using Windows file explorer.
You will see PHP shell is present is the SMB share directory. In my case it is box.php
Attacking the File Inclusion vulnerable parameter
Perfect, let's use this PHP shell SMB link and browse it using vulnerable PHP code.
Dang Dang! PHP vulnerable code fetched the web shell from SMB share and executed the code \m/ on application server. We have bypassed the restriction and included the web shell hosted on remote host.
--==[[ With Love from Team IndiShell ]]==--
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
Great read thank you
ReplyDelete