File Inclusions with SQL.

Last time I posted something technical was about SQL injection . I described how to identify a vulnerable parameter and how to exploit it manually, it is possible to use something FREE like sqlmap or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?

Those who develop Content Management Systems (Joomla!, WordPress, Drupal or something custom) break up their code into multiple files. Why is that? Short answer is not so many lines of code, no spaggheti coding, small size of files . I’ve seen PHP files with size of up to 1.5 Mb and they were not php shells, also index pages with size of 3.5~4 Mb.  Non-dipshit programmers try to break up files and it is common to include their code into other files. This is possible with a code like this in PHP

<?php
//option one
include('afile.php');

//option two
include_once('afile.php');

//option three

require('afile.php');

//option four

require_once('afile.php');

?>

Something like this is a nice programming habit and secure too. In a real world situation index.php would contain the following code

<?php
include_once('theheaderofthesite.php');
//some code
//html

include_once('thefooterofthesite.php');

?>

If someone loads index.php he will see a dynamic page being created. Why is that? Header includes the required connection to the database, the menu and whatever else is need. Footer contains the html of the footer.  The script of index.php is already connected to the database, quering for updated stuff etc.

Ok, so far so good. Let’s say there is a situation where the pages to be included are defined by the user either by using GET or POST method. This time the PHP code will be something like

<?php

if(isset($_GET['page']))
{
$theFile=$_GET['page'];

include($theFile.'.php');
}
else
{
//do something else
}

?>

Fine. This code is inside the loadPage.php file. The parameter is passed via url (GET method), the url for loading index would be something like

http://lfi/loadPage.php?page=index



Notes, this is a known google dork. You can search in google and find some using the “inurl:index.php?p=” without the quotes. Change p= with page= or file= or whatever you feel like.  Remember, Google is your best friend and one of the best guys for info gathering and passive recon(which is a useful Firefox add-on too).

The following example is prone. Reason? Excessive trust to user input, not filtering and things like that. That doesn’t sound good.

Local File Inclusion

When you setup a system, there is some data that has to be remembered somewhere. This data can be configuration files, users, passwords, binary files, other sensitive data. For some reason, someone, in this example us, wants to look at those files but he isn’t authorized to do so. If he finds a way to get his hands on this files, first of all we have a security breach of the system since the data may have lost its integrity (change data) but surely lost its confidentiality since someone not authorized knows sensitive data such as the users etc. This exploitation technique is called Local File Inclusion.

The main problem of Local File Inclusion is that it may leak too much information AND even if the attacker doesn’t know the structure of the system, passwords or users are stored in known places and if passwords are hashed they are hashed using a known algorithm thus it is essential to know the target OS. I’ll be describing some Unix-Based folders that store sensitive information and give some examples too.

 

/etc/passwd
/etc/shadow
/etc/proc

The first folder usually contains users (usernames) and some procedures. An example of a /etc/passwd of a box is the following

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

There is a user named root (obviously), he has his password encrypted (x), his user id is 0 (always assigned to root, 0-1000 are usually reserved so the next user is 1001 :P) , the next field is about xtra info about the user, usually there’s nothing for root here, the home directory (in this case /root and finally the absolute path of a command or shell. No login is a polite way of saying “Login denied” 😛

Another Local file inclusion this time  with the Apache Server Config.
Note, although this is a rare case, there are cases that you need this file if you want to keep going.

# # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. # See for detailed information. # In particular, see # # for a discussion of each configuration directive. # # # Do NOT simply read the instructions in here without understanding # what they do. They’re here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # # The configuration directives are grouped into three basic sections: # 1. Directives that control the operatio

Ok, this part contains nothing valuable because is half the file, just like /etc/passwd. Remember that x the root had inside /etc/passwd? I stated before that the X informs us that this user has a password which is encrypted and stored usually in /etc/shadow. In simple words, /etc/shadow contains passwords 😛

The /etc/proc is the most awesome in my opinion. It isn’t that just allows Local File Inclusion, it allows

Remote File Inclusion too, but we’ll come back to that in a while.

How do I exploit a Local File Inclusion Vulnerability?

The simple answer is by using “../” without the quotes. Remember, in Unix-based OSs the command

cd ../

gets you one directory back. If you are in /var/www and hit that command you’ll get in /var.
By that we are getting back, I won’t say how many ../ because it is heavily dependent on where the folder you are in is located.
An example is

http://pr0ne/index.php?page=../../../../../../../../../../etc/proc

Some hints. Some people do take countermeasures against LFI usually by replacing the ../ with a blank or nothing. This can be easily bypassed if you URL encode the ../ . Some useful tools are available online, the most useful for firefox users is, in my opinion, Hackbar for such situations, also XSS, base64 encode/decode, hex encode/decode, SQL statements, columns, some dehashers. Get your hands on it if you haven’t done yet.

 

From SQL Injection to Local File Inclusion

What we described above was LFI using PHP. Is it possible from a prone to SQLi parameter to include a file? At least in MySQL, and I guess in other SQL languages, it is. How’s that?

MySQL has a command for loading files, the command is

LOAD_FILE('pathtofile')

MySQL will load whatever is inside the single quotes. There are two things to notice here. MySQL will load a file if the current MySQL user is allowed to. Superusers are allowed to load many files 😛 Usually we want the FILE privilege.

What happens if  PHP is adding slashes to the quotes? Is it possible to load a file via MySQL? Well, it is.

The url we enter looks like

http://pr0ne/index.php? id=1+and+1=0+union+all+select+1,load_file('/etc/shadow'),3--

We get an error and we see that the script is adding slashes (\) to the quotes (‘) and is destroying our evil query making it look like

http://pr0ne/index.php? id=1+and+1=0+union+all+select+1,load_file(\'/etc/shadow\'),3--


Attacker wants to bypass that protection, right? Just encode it into hexadecimal.
/etc/passwd in hex is

2f6574632f706173737764

Prepend a 0x before the string and you get

0x2f6574632f706173737764

This works as a charm. Another way of doing so is using CHAR() function of MySQL, eg

LOAD_FILE(CHAR())

works fine too.

Note again, you need to check the privileges of this user if he is not root. Privileges can be found in mysql database, user table 😛

Remote File Inclusion

Remote file inclusion happens when the attacker is able to load files from other servers. In this particular case the attacker either loads a shell or creates a php file via MySQL (I’ll talk about that later) that is able to load external files. Again, this is a security breach that may lead to unwanted situations like root privileges. If someone has root privileges, imagine what happens. He is the user who controls everything inside this box. He can do whatever he feels like.

What are PHP shells and how do I use them?
They are PHP files that when loaded allow command execution, privilege escalation etc. If the attacker identifies a RFI hole in a web application, he uploads either a text or a php file in a server he controls and then he asks the vulnerable web app to load this file. The vulnerable app loads this file and executes it in the box it is running on. A known shell is C99. ATTENTION:read the code of the shell, you don’t want a pentest to go wrong and someone else root the box 😛

Again, there is an

http://rfi/loadPage.php?thePage=aPage

like the example before. How does someone identifies Remote File Inclusion? Just insert a url.  If you see the page of the url or an error like http://www.apage.com/index.php.php was not found chances are there is a Remote File Inclusion Vulnerability.

If the script is appending the .php extension we have to kill  it someway. Can we kill it? No, but we can bypass it using the null byte poison. Append to the url a null byte (%00 url encoded). This will make our url look like

http://www.apage.com/index.php%00.php

Our file will be loaded. If the shell’s extension is .php (which is not good) we’ll go with the null byte poison. If the shell’s extension is .txt do not append a thing. If the script appends a .php file then the shell is live and running. If the script is appending nothing we locate the file and append a .php extension.

Remote File Inclusion in php exists mostly because of the include() function. Include doesn’t care if the file is inside or outside of the server. It just loads it.  In my opinion the most secure function is require_once().

RFI via SQLi

Is it possible? Yes. The concept though is a little bit different.  This time the attacker doesn’t load a file, this time he creates a file. Because of this, the attacker wants a simple PHP code, usually one line into a php file. Since the file doesn’t exist he has to create it. The file will be used to load the shell from a remote location.

MySQL has a command called INTO OUTFILE. This command takes the visible argument of the query and creates a file with the visible argument I said before inside.  Note that I said visible argument. What happens if there are two arguments visible when the query executes? just replace one of these with NULL. MySQL will ignore it. Usually the ouput file must be located inside the folder of the vulnerable site,  for two reasons. It will be executed (HTTP daemon is running there and process all files), we know the folder of the site so we can locate our file, not to mention that outside of the file paththe command will not work.
A simple example of this is

?vulnid=1 and 1=0 union all select 1,2,'theStringtobeinserted',4 INTO OUTFILE 'thelocationofthevulnfile'

A wise idea is to hex encode your text and prepend a 0x. This will save all special characters, not to mention that you can write code easily and make sure it works, which is not the case in a browser’s url field.

The code must be something like include() function or equivalent.

What happens if the server is filtering quotes?
We can hex encode the string we want to be into the file.  But we can’t hex encode the output file location which is not good.

Notes again. The first guy to talk about injections was Rain Forest Puppy in phrack. The first guy to describe this was Miki Soft.

Remote File Inclusion via Local File Inclusion

I said before that a remote file inclusion is possible via /etc/proc .

The /etc/proc file contains some information that is not sanitized (since the main idea is that this is not visible to users). One of the things that change is the User-agent string. User-agent string is created by the browser, containing info about the OS, the browser, the browser’s framework and is transferred via the http headers. Since it is possible to modify http-headers and /etc/proc is used by the system we can include a remote file via the wget command ( will do its magic).

A simple, yet effective tool, is tamper data add on for firefox to modify HTTP, HTTPS headers. There are other tools, you can create your own tools too but I guess there’s no need to reinvent the wheel.

Things to avoid

By any means avoid include() php function for user input. No matter how well you filter the input, if someone finds a way to bypass it… YOU ARE SCREWED. This thing just loads stuff no matter where it comes from. Also, do not trust user input. Not every user is a friendly one, remember that.

4 responses to “File Inclusions with SQL.

  1. Great post son. If I only could follow it 😎

  2. Good day! Do you use Twitter? I’d like to follow you if that would be ok.
    I’m definitely enjoying your blog and look forward to new
    posts.

  3. Of course, the point here is that an attacker can append all manner of log entries. They can also inject XSS vectors, and even inject characters to mess with the display of the log entries in a console.

Leave a Reply

Your email address will not be published. Required fields are marked *