Exploiting Remote File Inclusion with SMB
by Nairuz Abulhul
Recently working on the Sniper machine on hack the box, I came across a technique of exploiting a remote file inclusion on a PHP application with SMB.
Before working on this machine, my understanding was that PHP applications are vulnerable to Remote File Inclusion ONLY when “allow_url_include” and “allow_url_fopen” functions are set to On. However, what I learned is that these restrictions apply only to HTTP and FTP protocols.
- Allow_url_include function allows the inclusion of a remote file using a URL rather than a local file path.
- allow_url_fopen allows data retrieval from a remote server or website.
The inclusion restriction does not apply to SMB UNC paths.
PHP applications can still be vulnerable to an RFI vulnerability even when the above functions are set to Off. We can still attack an application by hosting a PHP file on an SMB share and calling it remotely through loading its SMB URL and bypass the restriction. 🔥
This technique requires configuring the SMB share to be accessible anonymously and set it on read, write, and execute permissions (0700).
As usual, before we get started, we will go over the key concepts before delving into the exploitation part.
- Remote File Inclusion Overview
- Setting up SMB anonymous share
- Exploitation Demo
“ Remote File Inclusion (RFI) is a type of vulnerability most often found on PHP running websites. It allows an attacker to include a remotely hosted file, usually through a script on the web server.
This can lead to something as minimal as outputting the contents of the file, but depending on the severity can lead to arbitrary code execution” . — radware.com
Install Samba if not installed.
if Samba is already installed, go to the configuration file at /etc/samba/smb.conf, and uncomment the profile section to create a sharable directory.
- Profiles — theshare name; in our case, I named the share “RFI.”
- Path — the path to the shareable directory
- Guest OK — for setting guest permissions on the share. Set it to yes to allow for anonymous access.
- Browseable — enables the browsing feature on the directory [OPTIONAL]
- Create mask — for setting the file permissions inside the share directory.
- Directory mask — for setting the directory permissions; in our case, it is 0700 — read, write, and execute.
Add the configuration block to the smb.conf file and restart the samba service.
Now, we have the SMB share configured as required, let’s try to include a PHP code through the remote inclusion vulnerability to see if that would work. The machine I am using for the demo is the Sniper machine on Hack The Box.
As you see above, the PHP application has a visible parameter lang that takes PHP files as its value. Usually, when I see parameters with user-supplied values, I think of testing against file inclusion vulnerabilities, either local or remote (LFI/RFI).
I started fuzzing the parameters’ value by replacing the file extension with different ones such as txt, jpg, asp, etc., to see if other file types are allowed on the server. Then removed the extensions entirely and passed new values while monitoring the server responses and their bytes size.
I noticed the server returns 200 OK status with 5,894 bytes when passing valid files and 2,910 bytes when passing gibberish or non-existing files.
- Valid file = 5894 bytes | 200 OK
- Invalid file = 2,910 bytes | 200 OK
Baselining the responses is very important in helping us understand what files get included and what not.
Now we have a rough idea of what valid and invalid responses look like; let’s try to include a file that already exists on the site “js/index.js” and see if the bytes would change in the response.
Awesome, the file was fetched with a 200 OK response, and the size was 1,718 bytes, a different size than the previous requests, which confirms that the application is vulnerable to file inclusions.
We can now create a one-liner PHP shell and place it on the SMB share [RFI] in the same path we configured in the smb. conf file, and try to call it using the SMB UNC path “\\IP_address\ShareName\FileName.”
- \\ “double backward slashes”
- IP_address = 10.10.14.17
- ShareName =RFI
- FileName =exp.php
As we can see, the file was successfully included through the remote samba share, and we were we are able to run some commands.
Next step, we can upload netcat to the machine through SMB and get a FULL reverse shell. I uploaded mine to C:\Windows\System32\spool\driver\color\ directory.
and Viola !!!!
Since this technique bypasses the regular recommendation of setting up the “allow_url_include” and “allow_url_fopen” functions to Off, mitigating the issue would rely heavily on developers to
- Strongly validate user inputs by whitelisting acceptable inputs and rejecting all others that do not strictly conform to specifications.
- Constantly upgrading PHP versions to the latest available.
About the Author