Writeups IO | Technical Analysis of "Exploiting RFI in PHP: Bypass Remote URL Inclusion Restriction"

Technical Analysis of "Exploiting RFI in PHP: Bypass Remote URL Inclusion Restriction"

Overview:
The write-up by Mannu Linux delves into techniques for exploiting Remote File Inclusion (RFI) vulnerabilities in PHP applications, specifically bypassing restrictions often in place to prevent such exploits. The exploitation centers on turning Local File Inclusion (LFI) into RFI by leveraging PHP wrappers and manipulating server behaviors.

Key Technical Details:

RFI and its Restrictions:
Remote File Inclusion vulnerabilities allow an attacker to include remote scripts via include or require statements in PHP. However, many servers restrict this by disabling the allow_url_include directive.
Bypassing allow_url_include Restriction:
Even with allow_url_include set to Off, attackers can still exploit LFI vulnerabilities to include remote code indirectly. The write-up introduces several methods:
PHP Stream Wrappers:
PHP stream wrappers, particularly the data and input wrappers, facilitate the inclusion of remote payloads without relying on allow_url_include. These wrappers treat URLs as data streams, allowing for creative bypasses.
- Data Wrapper Exploitation:
  Attackers can use a Base64 encoded payload with the data URI scheme. The payload is included directly through the include parameter. For example: php include 'data:text/plain;base64,PD9waHAgZWNobyAnSGVsbG8gV29ybGQnOyA/Pg=='; This input includes the Base64 encoded PHP code to be executed.
- Input Wrapper Exploitation:
  This approach works by injecting the payload into an HTTP request and using the php://input wrapper to read from the request's body. For example: php POST /index.php?file=php://input Body: php <?php system('ls'); ?>
Leveraging Local File Inclusion:
The key method of transforming LFI into RFI involves placing malicious code in a location the server can read, like log files or session files, which are then included by exploiting LFI.
Log Poisoning:
By sending crafted HTTP headers, the attacker injects PHP code into the server's log files. For instance, injecting: <?php system('cat /etc/passwd'); ?> into a User-Agent header could make the log file include executable PHP code. The LFI vulnerability then helps to include that log file, executing the payload.
Server-Side Request Forgery (SSRF):
Combining SSRF vulnerabilities with LFI can facilitate RFI. If an application allows SSRF, it can fetch internal services, and if coupled with an LFI, it can read from those services including remote scripts indirectly.

Key Techniques and Code Examples:

Base64 Encoded Data Include: php include 'data:text/plain;base64,PD9waHAgZXZhbCgkX0dF...'; This allows including remotely fetched data as a PHP script.
Php://input Exploit: An HTTP request such as: ```http POST /vulnerable.php?file=php://input HTTP/1.1 Host: target.com Content-Length: 19

`` Will execute the PHP code<?php phpinfo(); ?>`.

Remote Log Poisoning & Inclusion:
Injecting into User-Agent: User-Agent: <?php system('cat /etc/passwd'); ?>
Exploiting LFI: php include '/var/log/apache2/access.log';

Key Takeaways:

PHP Wrappers: Understanding PHP stream wrappers (data, input, etc.) is crucial when defending against sophisticated inclusion attacks.
Log Poisoning: Logs can be an attack surface. Sanitize and restrict direct access to logs.
Combining Exploits: Combining LFI with SSRF or other techniques can effectively bypass URL inclusion restrictions.
File Inclusion: Disabling allow_url_include is not comprehensive protection. Perform additional mitigation like input validation and output sanitization.

Conclusion:

The write-up underscores the limitation of merely changing PHP configurations to secure against RFIs. Comprehensive scanning, detection, and employing defense-in-depth strategies are key. The exploitation techniques highlighted remind us that seemingly minor misconfigurations can lead to significant vulnerabilities when combined creatively by attackers.

For full details, refer to the original blog post here.