Understanding phpCDB 1.0 Local File Inclusion

Understanding phpCDB 1.0 Local File Inclusion
What this paper is
This paper details a Local File Inclusion (LFI) vulnerability found in phpCDB version 1.0. LFI vulnerabilities allow an attacker to include and execute files from the server that they should not have access to. In this case, the vulnerability is in how the lang_global parameter is handled by several PHP scripts within the phpCDB application.
Simple technical breakdown
phpCDB is a web application written in PHP. Web applications often use parameters in URLs to control what content is displayed or processed. The lang_global parameter in phpCDB is intended to specify a language file to be loaded. However, due to insufficient sanitization, an attacker can manipulate this parameter to point to arbitrary files on the server. By appending a null byte (%00) after the file path, the attacker can effectively terminate the string processing early, tricking the application into including a file that wasn't intended.
Complete code and payload walkthrough
The provided exploit paper does not contain executable code or shellcode. Instead, it lists Proof of Concept (PoC) URLs that demonstrate how to trigger the vulnerability. The core of the exploit lies in manipulating the lang_global parameter.
The PoC examples provided are:
[phpcdb_path]/firstvisit.php?lang_global=[LFI%00][phpcdb_path]/newfolder.php?lang_global=[LFI%00][phpcdb_path]/showfolders.php?lang_global=[LFI%00][phpcdb_path]/newlang.php?lang_global=[LFI%00][phpcdb_path]/showinnerfolder.php?lang_global=[LFI%00][phpcdb_path]/writecode.php?lang_global=[LFI%00][phpcdb_path]/showcode.php?lang_global=[LFI%00]
Explanation of the PoC:
[phpcdb_path]: This is a placeholder for the base URL of the phpCDB installation on the target server (e.g.,http://target.com/phpcdb/).firstvisit.php,newfolder.php, etc.: These are specific PHP script files within the phpCDB application that are vulnerable.?lang_global=: This indicates the start of the query string and the name of the vulnerable parameter.[LFI%00]: This is the crucial part of the exploit.[LFI]: This is a placeholder for the path to the file the attacker wants to include. For example, to include/etc/passwd, the attacker would use../../../../etc/passwd.%00: This is the URL-encoded representation of the null byte character. In many PHP versions and configurations, a null byte can terminate string operations prematurely. When the application tries to include a file based on thelang_globalparameter, the null byte causes it to stop processing the string at that point. If the application was expecting a file likelang/english.php, and the attacker provides../../../../etc/passwd%00, the application might attempt to include../../../../etc/passwdinstead of a legitimate language file.
Mapping list:
[phpcdb_path]/<vulnerable_script>.php?lang_global=[LFI%00]-> Practical Purpose: To trigger the LFI vulnerability by supplying a craftedlang_globalparameter that includes a path traversal sequence (../) followed by the desired file path and a null byte to terminate the string.
Shellcode/Payload:
No shellcode or specific payload is provided in this paper. The "payload" in this context is the file path that the attacker attempts to include. The content of the included file then becomes the effective payload. For example, if an attacker includes a PHP file containing malicious code, that code will be executed on the server.
Practical details for offensive operations teams
- Required Access Level: Typically, an attacker needs to be able to send HTTP requests to the web server hosting phpCDB. No prior authentication is usually required for this specific LFI vulnerability, making it a good candidate for initial web reconnaissance.
- Lab Preconditions:
- A vulnerable instance of phpCDB v1.0 installed on a web server.
- A web server environment (e.g., Apache, Nginx) with PHP enabled.
- The ability to send HTTP requests to the target.
- Tooling Assumptions:
- Web Browser: For manual testing and initial reconnaissance.
- Web Proxy (e.g., Burp Suite, OWASP ZAP): Essential for intercepting, modifying, and replaying HTTP requests. This allows for precise crafting of the
lang_globalparameter. - Command-line tools (e.g.,
curl): Useful for scripting and automating attacks. - Vulnerability Scanners: May identify potential LFI points, but manual verification with a proxy is crucial.
- Execution Pitfalls:
- Null Byte Filtering: Modern PHP versions or web server configurations might filter or disallow null bytes in URL parameters. This would prevent the
%00from working. - Path Traversal Restrictions: The application or server might have security measures in place to prevent directory traversal (e.g.,
../). - File Type Restrictions: The application might expect only specific file extensions (e.g.,
.php,.lang). If the attacker tries to include a non-PHP file, it might be displayed as plain text rather than executed. However, LFI can still be used to read sensitive files. - Web Application Firewalls (WAFs): WAFs can detect and block common LFI patterns, including path traversal sequences and null bytes.
- Incorrect
phpcdb_path: The attacker must correctly identify the base path of the phpCDB installation. - PHP Configuration (
disable_functions): Even if code execution is achieved, certain PHP functions might be disabled, limiting the attacker's capabilities.
- Null Byte Filtering: Modern PHP versions or web server configurations might filter or disallow null bytes in URL parameters. This would prevent the
- Tradecraft Considerations:
- Reconnaissance: Identify the presence and version of phpCDB. Look for common installation paths.
- Parameter Discovery: Use a proxy to observe how the
lang_globalparameter is used in legitimate requests. - Payload Crafting: Experiment with different path traversal depths (
../,../../, etc.) to reach the desired file. - File Inclusion Targets: Prioritize sensitive files like configuration files (
/etc/passwd, application config files), source code files, or even log files if they can be made to contain executable code. - Blind LFI: If direct output isn't visible, techniques like time-based blind LFI or out-of-band data exfiltration might be necessary, though this paper implies direct inclusion.
- Privilege Escalation: If the LFI allows inclusion of a file that can be written to (e.g., a temporary file upload or a script that allows writing), an attacker could potentially upload a web shell and gain remote code execution.
Where this was used and when
This vulnerability was published in February 2010. It targets phpCDB version 1.0. While specific real-world incidents are not detailed in the paper, vulnerabilities of this nature are common in older, unpatched web applications. Exploits for LFI in various PHP applications were prevalent in the late 2000s and early 2010s.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. Never trust user input. All parameters, especially those used in file operations (like
include(),require(),fopen()), must be rigorously validated and sanitized.- Whitelist Allowed Values: If possible, only allow specific, known-good file names or paths.
- Sanitize Paths: Remove or reject potentially dangerous characters like
../,/,\, and null bytes. - Canonicalize Paths: Resolve symbolic links and normalize paths before using them to prevent traversal.
- Principle of Least Privilege: Run web applications with the minimum necessary file system permissions. This limits the damage an attacker can do even if they successfully exploit an LFI.
- Disable Dangerous PHP Functions: Use
disable_functionsinphp.inito restrict access to functions that could be abused (e.g.,system(),exec(),passthru(),shell_exec()). - Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common LFI patterns. However, WAFs are not a silver bullet and can be bypassed.
- Regular Patching and Updates: Keep all web applications and their dependencies updated to the latest secure versions. phpCDB 1.0 is very old and should not be in use.
- Secure Coding Practices: Educate developers on secure coding principles, including the dangers of file inclusion vulnerabilities.
- File Type Restrictions: If an application is designed to include specific file types (e.g., language files), enforce these restrictions at the server level or application logic.
ASCII visual (if applicable)
This vulnerability is primarily about manipulating URL parameters to affect server-side file handling. An ASCII visual can illustrate the flow of a request and how the vulnerable parameter is processed.
+-----------------+ +-----------------+ +-------------------+
| Attacker's |----->| Web Server |----->| phpCDB Application|
| Browser/Tool | | (e.g., Apache) | | (PHP Scripts) |
+-----------------+ +-----------------+ +-------------------+
| |
| Request with crafted URL | Processes
| e.g., ?lang_global=../../../../etc/passwd%00 | lang_global
| | parameter
| |
| v
| +-------------------+
| | File Inclusion |
| | Logic (vulnerable)|
| +-------------------+
| |
| | Tries to include
| | file based on parameter
| v
| +-------------------+
| | Server File System|
| | (e.g., /etc/passwd)|
| +-------------------+
| |
| | Returns file content
| | to the web server
| |
+--------------------------------------------------+
|
v
+-----------------+
| Attacker sees |
| file content |
+-----------------+Source references
- Exploit-DB Paper: https://www.exploit-db.com/papers/11585
- phpCDB Download (SourceForge):
http://sourceforge.net/projects/phpcdb/files/(Note: This is an old link and may no longer be active or host the vulnerable version).
Original Exploit-DB Content (Verbatim)
##############################################################
##phpCDB <= 1.0 Local File Include Vulnerability
##############################################################
Author: cr4wl3r <cr4wl3r\x40linuxmail\x2Eorg>
Download: http://sourceforge.net/projects/phpcdb/files/
##############################################################
PoC:
[phpcdb_path]/firstvisit.php?lang_global=[LFI%00]
[phpcdb_path]/newfolder.php?lang_global=[LFI%00]
[phpcdb_path]/showfolders.php?lang_global=[LFI%00]
[phpcdb_path]/newlang.php?lang_global=[LFI%00]
[phpcdb_path]/showinnerfolder.php?lang_global=[LFI%00]
[phpcdb_path]/writecode.php?lang_global=[LFI%00]
[phpcdb_path]/showcode.php?lang_global=[LFI%00]
##############################################################txt