
I'm performing a static analysis on a PHP code and came across this situation:

include_once SYSTEM_PATH . 'languages/content-' . $_COOKIE['lang'] . '.php';

If I try to hack with this HTTP request:

GET /en-us HTTP/1.1
Host: xxxx.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: xxx=eng.php/../../../anotherfile
Connection: keep-alive

The response is this:

ErrorException: 
include_once(/export/htdocs/xxxx.com/base/languages/content-eng.php/../../../anotherfile.php): failed to open stream: No such file or directory

The file languages/content-eng.php exists on the server.
The file languages/../../../anotherfile.php exists on the server too (I have access to the file system).

Is there any way to exploit this vulnerability through lang cookie?

techraf
jyz
  • Unless you have a subfolder with name beginning with `content-` in the `languages` directory, there is no way for such traversal to work. In your particular case, `content-eng.php/` needs to be a folder, not a file. – Question Overflow Oct 23 '14 at 01:45
  • @QuestionOverflow Yes you're right. Thanks for pointing that out. – jyz Oct 23 '14 at 10:33
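The following is an added example, not code from the question or from any of the answers. It rebuilds the include_once shape from the question against a constructed temporary directory tree, exercises the three cases the comments discuss (a regular file in front of the `..`, a real `content-*` subdirectory, and a component that does not exist at all), and puts an allowlisted resolver beside the original pattern. It assumes a Linux filesystem and PHP 7 or later; the function names, language tags and file layout are invented for the demo and are not the site's.

```php
<?php
// Added example for the include_once line in the question; it is not code from
// the question or any answer. Assumes a Linux filesystem and a writable temp
// directory; the directory layout and language tags are constructed here.

// Shape of the include target from the question: fixed prefix + cookie + '.php'.
function language_path_from_cookie(string $systemPath, string $lang): string
{
    return $systemPath . 'languages/content-' . $lang . '.php';
}

// Hardened replacement: allowlist the tag, then confirm the resolved file still
// lies under languages/ before anything is handed to include_once.
function resolve_language_file(string $systemPath, ?string $lang): string
{
    $allowed = ['eng', 'en-us', 'pt-br'];           // assumed set of shipped languages
    if ($lang === null || !in_array($lang, $allowed, true)) {
        $lang = 'eng';                              // unknown or malformed tag: use the default
    }
    $base = realpath($systemPath . 'languages');
    $file = $base === false ? false : realpath($base . '/content-' . $lang . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file missing or outside languages/');
    }
    return $file;
}

// Constructed tree:  $root/languages/content-eng.php   $root/anotherfile.php
$root = sys_get_temp_dir() . '/lang-demo-' . bin2hex(random_bytes(4));
mkdir("$root/languages", 0700, true);
file_put_contents("$root/languages/content-eng.php", "<?php return 'content-eng.php loaded';");
file_put_contents("$root/anotherfile.php", "<?php return 'anotherfile.php loaded';");
$systemPath = "$root/";

// Attempt an include the way the application would and report what came back.
function probe(string $label, string $path): void
{
    $result = @include $path;                       // false when the stream cannot be opened
    printf("%-34s -> %s\n", $label, $result === false ? 'include failed' : $result);
}

// 1. The cookie from the question. content-eng.php is a regular file, so the
//    path lookup refuses to descend into it and the '..' is never applied.
probe('eng.php/../../anotherfile',
      language_path_from_cookie($systemPath, 'eng.php/../../anotherfile'));

// 2. The condition from the comments: a real subdirectory named content-* lets
//    the same cookie shape walk out of languages/.
mkdir("$root/languages/content-dir");
probe('dir/../../anotherfile',
      language_path_from_cookie($systemPath, 'dir/../../anotherfile'));

// 3. The case tim's comment reports: a component that does not exist. PHP's
//    include path resolution drops components it cannot stat before applying
//    '..', so this also reaches anotherfile.php; the file in case 1 is the only
//    thing stopping the traversal, which is why the allowlist is needed.
probe('nonexisting/../../anotherfile',
      language_path_from_cookie($systemPath, 'nonexisting/../../anotherfile'));

// 4. The hardened resolver maps every non-allowlisted value to the default file.
probe('hardened: eng', resolve_language_file($systemPath, 'eng'));
probe('hardened: dir/../../anotherfile',
      resolve_language_file($systemPath, 'dir/../../anotherfile'));

// Remove the constructed tree.
unlink("$root/languages/content-eng.php");
rmdir("$root/languages/content-dir");
rmdir("$root/languages");
unlink("$root/anotherfile.php");
rmdir($root);
```

Run it with `php demo.php`. The design point is that nothing in the original line rejects `..`; the cookie from the question fails only because `content-eng.php` happens to be a regular file. A resolver that picks the file name from a fixed list and then checks the realpath result against the languages directory no longer depends on that accident of layout, and logging the rejected cookie values gives a cheap detection signal for probing of this parameter.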

3 Answers


Sigh. Here is the reasoning for me posting a link in lieu of a long answer. Original post wants to inject/disaffect/exploit through the lang variable in cookie:

GET /en-us HTTP/1.1
Cookie: xxx=eng.php/../../../anotherfile

He then states he tried and failed:

ErrorException: 
include_once(/export/htdocs/xxxx.com/base/languages/content-eng.php/../../../anotherfile.php): failed to open stream: No such file or directory

"No such file or directory" to me means one of a few things:

1) His directory traversal is off:

/export/htdocs/xxxx.com/base/languages/content-eng.php
/export/htdocs/xxxx.com/base/languages/**option1/option2/option3**/anotherfile.php

If the structure is exactly as above, there is no directory traversal vulnerability period.

2) eng.php is not detailed enough to know what it does. This would have to be the vulnerable weak link in the chain.

He is relying on an error, thinking: "Oh well I have an error, I am headed on the right track"

OP: You could fiddle with the directories a bit more. It is telling you "I can't find this file"; the issue becomes "what are you finding?". Since you state you have access to the machine, the solution I would use would be to place tokens in folders to determine where you are landing:

/export/htdocs/xxxx.com/base/languages/**option1**/token1
/export/htdocs/xxxx.com/base/languages/**option1/option2**/token2
/export/htdocs/xxxx.com/base/languages/**option1/option2/option3**/token3

Then try another POST/GET perhaps:

Cookie: xxx=eng.php/token1
Cookie: xxx=eng.php/token2
Cookie: xxx=eng.php/token3

Cookie: xxx=eng.php/../token1
Cookie: xxx=eng.php/../token2
Cookie: xxx=eng.php/../token3

Cookie: xxx=eng.php/../../token1
Cookie: xxx=eng.php/../../token2
Cookie: xxx=eng.php/../../token3

Just because you got an error does not mean directory traversal is present. For all you know it's a global error you are getting. The initial link I sent was to guide you on a "known known" (variable you control): lang.


EDITING FOR SPACE CONSTRAINTS:

OP: "The base is /export/htdocs/yyy.com/base/. The anotherfile.php is in /export/htdocs/xxx.com/anotherfile.php"

Unless I am misinterpreting this:

/export/htdocs/yyy.com/base/

/export/htdocs/xxx.com/anotherfile.php

Are these on separate sites? If xxx.com is your own server/test machine, I'm under the impression you're trying an LFI exploit:

you --> modify cookie (hey, take this anotherfile.php from my machine) --> yyy.com

Again, the reasoning for my initially posting a link in lieu of an answer. If you meant the other way around (typo):

/export/htdocs/yyy.com/base/

/export/htdocs/yyy.com/anotherfile.php

Then you need to modify your insertion to ../../anotherfile or move another file into:

/export/htdocs/yyy.com/base/

munkeyoto
  • Yeah I think you hit the point on 1. I mean, locally on the fs I can't do this: `ls -l /export/htdocs/xxx.com/base/languages/content-en-us.php/../../../anotherfile.php` This means that traversal is off? – jyz Oct 22 '14 at 15:52
  • It would help to know where your "anotherfile.php" is located. Hence me posting about token1, token2. The key with this is to find out where you are landing. – munkeyoto Oct 22 '14 at 15:57
  • The base is /export/htdocs/yyy.com/base/. The anotherfile.php is in /export/htdocs/xxx.com/anotherfile.php – jyz Oct 22 '14 at 16:22
  • "His directory traversal is off" - how do you disable directory traversal? – jyz Oct 22 '14 at 16:38

You can't read PHP code with an include() or require() because these functions evaluate the PHP code within a file. If you can control the beginning part of the string passed to include() or require() then you can use a php://filter to read php files, but this attack pattern does not apply for this bug.

In order to get a shell with this LFI vulnerability, you need a have a backdoor on the target with a .php extension. Ideally this would be done using another vulnerability like file upload. NULL byte injection doesn't work on modern versions of PHP's fileio functions, so you are stuck with the .php extension.

Another attack pattern is to include existing .php files to expose existing application functionality in an unintended way.

rook
  • I'm not interested in uploading a file to get a shell because this vulnerability does not allow that. I cannot inject code, just read a PHP file, as you mentioned. – jyz Oct 22 '14 at 15:55
  • @jyzuz you will never be able to read PHP code with an LFI, the whole point of the include() function is to execute the PHP code. If you're smart, you can get a shell. – rook Oct 22 '14 at 15:59
  • @jyzuz if one flaw doesn't give you everything, then you need to find another vulnerability that gives you what you need. We call these exploit chains. – rook Oct 22 '14 at 16:05
  • I know I can't "read" a PHP file. It would execute the PHP code, for me that's enough. – jyz Oct 22 '14 at 16:21
  • If you are controlling the beginning part of the filename, like in this case, you can include PHP code through the LFI vulnerability, and then with HTTP Content-Disposition header to download the PHP scripts you want... – programings Oct 22 '14 at 16:48
  • @programings That is cool exploit technique for leveraging LFI, but it doesn't apply to this bug. Sad day. – rook Oct 22 '14 at 16:49
  • @programings Thanks for pointing that out. But if you carefully look at the example you control just part of the name. It starts with "content-" + cookie value (user-controlled) + ".php". So you have to somehow escape the filename to access arbitrary files... – jyz Oct 22 '14 at 16:55

It works perfectly fine for me with eng.php/../../../anotherfile (I'm using PHP 5.5.6-1).

  • Are you sure that anotherfile.php is in the correct directory? Try placing it in the same directory as the lang php files and include it there (just for testing).
  • is it readable by the web server? (for testing, you can just chmod 777 file.php).

Also note that while including PHP files should work, including other files (eg by using null byte) does not work in newer versions of PHP.

tim
  • Yeah, well, problem is that the traversal is not working, even on terminal. Maybe that's the problem? – jyz Oct 22 '14 at 16:30
  • @jyzuz so even when you are logged in via ssh you cannot for example do this: `cat /var/log/../../etc/passwd`? That could be a problem, yes. – tim Oct 22 '14 at 16:36
  • In fact the example would be: `cat /etc/issue/../passwd` I think that's never possible, what do you think? – jyz Oct 22 '14 at 16:39
  • @jyzuz you are right, `cat /etc/nonexisting/../passwd` does not work in bash. `lang=nonexisting/../../echo` on the other hand works (at least for me, with your example code and `echo.php` being in the same directory as the file containing that code). – tim Oct 22 '14 at 16:49
  • Well that didn't work out for me. It doesn't matter if it exists or not, same directory or not. It simply doesn't allow me to point to a file and then traverse it... – jyz Oct 22 '14 at 16:58