Remote File Inclusion and Countermeasures

(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 10, No. 4, April 2012
ISSN 1947-5500

A. Sankara Narayanan (1), M. Mohamed Ashik (2)
Department of Information Technology
Salalah College of Technology
Sultanate of Oman

Abstract- This paper describes the mechanics of an RFI attack by doing a code analysis and an attack walk-through of a vulnerable application. The title itself already explains a bit about it. This paper gives a clear view of remote file include attacks, specifically those exploiting weaknesses in PHP web applications, as the scripting language has allowed a large number of vulnerabilities to be created. We will cover the mechanics of RFI attacks before detailing the perspective of both analysts and attackers. This RFI paper focuses on web application vulnerabilities and on preventing your site from being compromised via a file include attack.

Keywords: Remote File Inclusion, Web Application Vulnerability, Website Hacking

I. INTRODUCTION

With the constant growth of the Internet, more and more web applications are being deployed. They significantly increase the exposed surface area by which a system can be exploited. One of the main techniques for dealing with thousands of security events a day, and for distinguishing which indications and warnings need to be escalated for incident handling, is to recognize patterns. Security groups classify traffic into categories such as malware outbreaks, authorized penetration testing, brute force attacks, misconfigurations, and port scans. One such category is remote file include (RFI) attacks. Given their pervasiveness, RFI attacks are hard to miss. RFI attacks are not new or unpopular. The Milw0rm exploit archive (Milw0rm, 2009) contains around 580 different exploits that have "RFI" or "Remote File Include" in their title. RFI stands for Remote File Inclusion. As is clear from the name, Remote File Inclusion means 'including a remote file'. RFI is a type of web application security vulnerability, and a common one. Not all website hacking is about SQL injection: using RFI, an attacker can literally deface websites, get access to the server and do almost anything. An exploit is a sequence of commands or operations that can be executed when a vulnerability is found, with the aim of gaining unauthorized access to a target machine. What makes RFI more dangerous is that it takes only common sense and basic knowledge of PHP to execute. PHP is a web script engine. In this paper, we will show RFI on PHP pages.

II. WEBSITE STRUCTURE

In this section, we will show how a web page is built up in general. A normal website consists of HTML. The HTML consists of a HEAD section and a BODY section.

[Figure: a normal-looking website layout, with areas labelled LOGO, NAVIGATION, MAIN CONTENT and NAVIGATION OR COPYRIGHT]

The image above is one of the most common website layouts ever.
Code:
<html>
<head>
<title>A Common Website Layout</title>
</head>
<body>
<div align="center" class="logo-area"></div>
<div align="center" class="navigation-area">
<a href="index.php?page=home">Home</a>
<a href="index.php?page=page1">Page1</a>
<a href="index.php?page=page2">Page2</a>
</div>
<div align="center" class="main-content-area">
Content Content Content
</div>
</body>
</html>

This is one of an endless number of ways we could build this website layout with HTML. It will have a logo, navigation and main content area. The navigation will have three links (Home, Page1 and Page2). But none of the links will do anything other than sending you to the same page over and over again without changing the
content. This type of page is referred to as a static HTML page. The HTML of any page can be viewed by right-clicking the page in your browser and then choosing 'view source' or something similar. This is not true for the PHP code of web pages: the only way to view the PHP code of a page is to read the file itself, not through the browser. Commonly, RFI attacks are possible because of a PHP configuration flag called register_globals. It automatically defines variables in the script from the values sent to the web page with the GET method. Typically a PHP URL looks like […] (this is an example only, there is no such site). Now, we can rewrite the page above with PHP code in it, to make different content for each of the links (Home, Page1 and Page2).

Code:
<html>
<head>
<title>A Common Website Layout</title>
</head>
<body>
<div align="center" class="logo-area"></div>
<div align="center" class="navigation-area">
<a href="index.php?page=home">Home</a>
<a href="index.php?page=page1">Page1</a>
<a href="index.php?page=page2">Page2</a>
</div>
<div align="center" class="main-content-area">
<?php

The PHP code will check whether a GET argument with the name "page" is present in the URL. It will then look at the argument's value. If the value is "home", it will write out "home" to the HTML source. If the argument's value is "page1", it will write "page1" to the HTML source, and so on. However, if the argument is not present in the URL, it will show "index.php". So the script will give the equivalent value of the "home" page.
Navigation link:
    Home goes to […]
    Page1 goes to […]
    Page2 goes to […]
    and so on.

III. UNDERSTANDING RFI

The include() function is not vulnerable to anything. It is wrong and dangerous use of it that causes the security issues. The include() function is not limited to reading local files. It can even read remote files from URLs. So we can do include("[…]") and it would include the contents of "page.txt". This is what creates RFI scenarios. Let's create a new scenario with index.php, 1.php, 2.php and 3.php. "index.php" is the file that the users will visit with the browser. When the user first visits "index.php", we are going to display 3 links.
Code:
<a href="index.php?page=1">Page 1</a>
<a href="index.php?page=2">Page 2</a>
<a href="index.php?page=3">Page 3</a>

When the user clicks the first link, it is going to show the content of 1.php; when the user clicks the second link, it is going to show the contents of 2.php; and when the user clicks the last link, it is going to show the contents of 3.php. Look at the index.php script now; this coding is what creates the security holes.
Code:
<?php
if (isset($_GET['page']))
{
    // The GET argument is present. Let's include the page.
    include($_GET['page'] . ".php");
}
else
{
    // The GET argument is not present. Let's give the poor guy some links!
    echo('<p><a href="index.php?page=1">Page 1</a></p>');
    echo('<p><a href="index.php?page=2">Page 2</a></p>');
    echo('<p><a href="index.php?page=3">Page 3</a></p>');
}
?>

Now, click the Page 1 link; it will show […]. The PHP script in index.php will now see that the user is requesting the page called 1, and it will include the number in the URL GET argument + ".php"; the same goes for 2 and 3. It will include "1.php" for Page 1, "2.php" for Page 2 and "3.php" for Page 3. The above script is a death trap. For a request like […], it will try to include "4.php", but that file obviously does not exist. So, the page will return an error message as below:

Warning: include(4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3
Warning: include() [function.include]: Failed opening '4.php' for inclusion (include_path='.;PATH') in PATH\index.php on line 3

It is important to note that not all web servers will show error messages when there is an error. We will try the web link below:
"index.php?page=[…]" (this is an example only, there is no such site). The PHP script would try to include whatever "[…]" contains. And if hackercode.php contains more PHP code, it would also get executed. It means that we can run any PHP command
or function on the server. This is extremely dangerous. Now we will show why .txt and not .php: with index.php?page=http://[…]hackerscript.txt?, the ? sign makes the appended ".php" a GET argument.

IV. FINDING RFI VULNERABILITIES

In a web application, one way data is passed to a script is by sending a parameter name and value in the URL. This parameter and the data it contains are associated with and accessed via a variable inside the script. PHP, like other languages, has include directives that allow us to include and execute code from another file. In PHP, variables do not have to be initialized before they are used. PHP assigns uninitialized parameters to variables of the same name. We will check for the basic vulnerabilities by manipulating GET arguments and looking for an error message like the one above. However, as we said, we will not always get an error message. Sometimes, the script might even redirect to the home page or something similar when it detects an error. Here are a few examples of GET argument manipulation:
Normal URL → Manipulated or error-creating URL
[…] → […]

Use your view and imagination. The arguments do not need to be "id" or "page" or "site". They can be anything. We may not get any error, just a blank page, or the website may redirect. If the server is set up not to display error messages and there is a vulnerability, then the remote code will still work even though no error message indicated that the vulnerability is there. Some code designers think that if they check the GET arguments to see if they contain "http://" or "www." and do not include the files if they do, they will be secure. However, in many cases this can be bypassed by writing HTTP:// or HtTp:// or WWW. or WwW or wWw etc. If it is not, the include() function will fail trying to include remote content. The same goes for the other functions, require(), require_once() and include_once().

V. EXPLOITING RFI VULNERABILITIES

Let's get it started. The first step is to find a vulnerable site; we can easily find them using Google Dorks. If we don't have any idea, we might want to read about advanced password hacking using Google dorks, or use an automated tool to apply Google dorks using Google. A dork for searching for RFI-vulnerable websites is "inurl:index.php?page=". It is the most popular dork of RFI hacking. This will show all the pages which have "index.php?page=" in their URL. Now we have to test whether the website is vulnerable to Remote File Inclusion or not. The hackers use the following command: […]. Let's assume that we have found a vulnerable website. The PHP script is made in such a way that we only need to edit […] to […]hackerscript.txt, and we can now execute our PHP code over at the victim's server. Now, we will try to make something called a shell. A shell is essentially just a PHP script that can perform explorer-like actions, like read, write, edit, create files and navigate in folders, etc. Some shells even have built-in exploits to gain root access on the server. Most of the shells are detected by antivirus. So, if the server we are trying to access has an antivirus, it will not work and might perhaps spoil the attack. There are many shells available. Let's consider a shell known as c99 shell. Now sign up for an account on a free web hosting site, say […] (this is an example only, there is no such site), then sign into the account, go to File Manager, upload some files and then upload the c99 shell here. Now just log out and visit the URL of the shell that we have uploaded. We would find that we can manage all the directories and files without logging into our account, that is, without entering our password anywhere. The hacker will execute the command on the website as follows: […] → […] (Don't forget the ? at the end). Now, we have executed the shell and have full administrator access to the website.

VI. COUNTERMEASURES

1) Don't EVER have user inputs in include() calls. Use an if/elseif/else or switch/case statement instead.

Using if/elseif/else statement(s):
Code:
<?php
if (isset($_GET['page']))
{
    if ($_GET['page'] == "home")
    {
        include("home.php");
    }
    elseif ($_GET['page'] == "page1")
    {
        include("page1.php");
    }
    else
    {
        include("home.php");
    }
}
?>

2) Using switch/case (slightly more efficient than if statements in terms of lines of code)
Code:
<?php
if (isset($_GET['page']))
{
    switch ($_GET['page'])
    {
        case "home":
            include("home.php");
            break;
        case "page1":
            include("page1.php");
            break;
        default:
            include("home.php");
    }
}
?>

3) Don't EVER do as below:
Code:
<?php
if (isset($_GET['page']))
{
    include($_GET['page'] . ".php");
}
else
{
    include("home.php");
}
?>

4) There is yet another way to prevent RFI, which is basically trimming the string of some special characters, like http:, //, / and so on:
Code:
function check_url($page){
    $page = str_replace("http://", "", $page);
    $page = str_replace("/", "", $page);
    $page = str_replace("\\", "", $page);
    $page = str_replace("../", "", $page);
    $page = str_replace(".", "", $page);
    $page = str_replace("php", "", $page);
    return $page;
}
echo "<title>Index</title>";
if($_GET){

5) To protect ourselves from RFI attacks, simply make sure that we are using up-to-date scripts, and make sure that the server php.ini file has register_globals, allow_url_fopen and allow_url_include disabled.

6) Strongly validate the user's input.

7) The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web Application Firewall (WAF). Detection and blocking of such attacks can be enhanced by creating a blacklist of attack sources and a blacklist of URLs of remotely included malicious scripts.

VII. CONCLUSION

Remote File Inclusion is a real threat in the wild today. These exploits are very simple and are only found in about 1 in every 10 sites. This paper discussed the Remote File Inclusion (RFI) URL-based type of hacking. We have seen what remote file include attacks are and how they work. We have looked at them from both a defensive and an offensive perspective. This paper is meant only for educational purposes. So, please use this for knowledge only.
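As an added example that is not part of the paper, the following index.php puts countermeasures 1), 5) and 6) together in current PHP: an allow-list map takes the place of the if/elseif and switch chains, so the request value never becomes part of an include path, and the script checks the php.ini directives from 5) before serving. The file names are the paper's; the function names and the constructed sample inputs are ours.

```php
<?php
// Added example: allow-list routing for index.php (not the paper's code).
// Replaces include($_GET['page'] . ".php") with a fixed map and checks the
// php.ini directives from countermeasure 5). Requires PHP 8 (mixed type).
declare(strict_types=1);

// The only files that may ever reach include(). Unknown keys fall back to home.
const PAGE_MAP = [
    'home'  => 'home.php',
    'page1' => 'page1.php',
    'page2' => 'page2.php',
];

/**
 * Map the untrusted ?page= value to a file name from PAGE_MAP.
 * Missing, non-string or unknown values return the default page, so the
 * request value itself never becomes part of the included path.
 */
function resolve_page(mixed $requested, string $default = 'home'): string
{
    if (!is_string($requested) || !array_key_exists($requested, PAGE_MAP)) {
        return PAGE_MAP[$default];
    }
    return PAGE_MAP[$requested];
}

/**
 * Return the names of the php.ini directives from countermeasure 5) that are
 * still enabled. register_globals was removed in PHP 5.4, so ini_get() returns
 * false for it on modern servers; false is treated as "off".
 */
function risky_ini_settings(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $name) {
        $value = ini_get($name);
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $name;
        }
    }
    return $enabled;
}

// Report risky directives; allow_url_include is the one that lets include()
// fetch URLs, so refuse to serve at all while it is on.
$risky = risky_ini_settings();
if ($risky !== []) {
    fwrite(STDERR, 'Warning: php.ini still enables ' . implode(', ', $risky) . "\n");
}
if (in_array('allow_url_include', $risky, true)) {
    http_response_code(500);
    exit("Refusing to serve: allow_url_include is enabled\n");
}

// Constructed inputs standing in for $_GET['page'] (not real requests): two
// legitimate pages, the paper's remote-include pattern, a traversal attempt and
// a missing parameter. Only the first two resolve to their own file.
$samples = ['home', 'page1', 'HtTp://example.invalid/hackerscript.txt?', '../../etc/passwd', null];
foreach ($samples as $value) {
    printf("%-45s -> %s\n", var_export($value, true), resolve_page($value));
}

// In the real index.php the include is a single line:
// include __DIR__ . '/' . resolve_page($_GET['page'] ?? null);
```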
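As a second added example, again not from the paper, this scanner implements the detection half of countermeasure 7) over constructed access-log lines: it flags requests whose page= (or any other) query value decodes to a URL, including the HtTp:// case variants from Section IV and percent-encoded forms, so the hits can feed a WAF rule or a blacklist of attack sources. The log format assumed is Apache combined; the function names are ours.

```php
<?php
// Added example: RFI detection over web-server access logs (not the paper's code).
// Flags requests whose query-string values decode to a URL. The log lines below
// are constructed, not real traffic.
declare(strict_types=1);

/**
 * True if any query-string value of $uri, after up to two rounds of
 * percent-decoding, starts with a URL scheme or contains "://".
 * Matching is case-insensitive, so HtTp:// and WwW-style tricks do not help.
 */
function looks_like_rfi(string $uri): bool
{
    $qpos = strpos($uri, '?');
    if ($qpos === false) {
        return false;
    }
    foreach (explode('&', substr($uri, $qpos + 1)) as $pair) {
        $eq = strpos($pair, '=');
        $value = $eq === false ? '' : substr($pair, $eq + 1);
        // Decode twice so a double-encoded %2568ttp -> %68ttp -> http is caught too.
        $decoded = rawurldecode(rawurldecode($value));
        if (preg_match('#^\s*(?:https?|ftp|ftps|php|data):#i', $decoded)
            || stripos($decoded, '://') !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Scan Apache combined-format lines; return [client IP, request URI] pairs for
 * every request that looks_like_rfi(). Lines that do not parse are skipped.
 */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        if (looks_like_rfi($m[2])) {
            $hits[] = [$m[1], $m[2]];
        }
    }
    return $hits;
}

// Constructed sample lines. Lines 1-2 are normal use of the paper's index.php
// (including the harmless page=4 error case); lines 3-4 are the paper's
// remote-include pattern, once mixed-case and once percent-encoded.
// Only lines 3 and 4 are reported.
$log = [
    '203.0.113.5 - - [10/Apr/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2012:10:01:09 +0000] "GET /index.php?page=4 HTTP/1.1" 200 140',
    '198.51.100.9 - - [10/Apr/2012:10:02:31 +0000] "GET /index.php?page=HtTp://example.invalid/hackerscript.txt? HTTP/1.1" 200 9001',
    '198.51.100.9 - - [10/Apr/2012:10:02:40 +0000] "GET /index.php?page=%68%74%74%70%3A%2F%2Fexample.invalid%2Fx.txt%3F HTTP/1.1" 200 9001',
];
foreach (scan_access_log($log) as [$ip, $uri]) {
    echo "suspicious include attempt from $ip: $uri\n";
}
```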