
Wednesday, August 29, 2007, 17:24

Scanning internal Lan with PHP remote file opening.

Even if some websites are still vulnerable to remote file inclusion (RFI), this is becoming a quite rare scenario.
Nonetheless, much more often it happens that some of the PHP functions allowing the http or ftp protocol wrappers are exposed to user control.
A perfect example for this technique is a fully controlled getimagesize() call with allow_url_fopen enabled.
No RFI, no data returned: it could seemingly just be used for DoS.


Obviously there's no RFI, and until yesterday probably nobody would care to check, inspect or exploit it. This article explains that some kind of attack could still be accomplished:

LAN scanning and drive-by pharming with error matching or time analysis.

If the PHP error display (display_errors) is set to On, a simple request like:

will display:

Warning: getimagesize( failed to open stream:
Connection refused in...

This means it's a closed port.

By contrast, an open port will be displayed as:

Warning: getimagesize( failed to open stream:
HTTP request failed!...

The ftp:// protocol wrapper could obviously be used, too.

If there's no error on output, timing attacks could be accomplished too.

In fact, we get this timing result if a port is closed:

real 0m0.057s
user 0m0.032s
sys 0m0.020s

Or if a port is open:

real 0m5.095s
user 0m0.032s
sys 0m0.020s

So, what can be done?

If the right conditions are satisfied:
1. Drive By Pharming
2. Bruteforcing routers.
3. Full Lan Scan.
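As an added example (not code from this post, and not Ascii's script), here is the pattern the article describes next to a hardened version that refuses to act as a scanner for the internal LAN; the function names and the 3-second timeout are this example's own choices.

```php
<?php
// Added example, not from the original post: a user-controlled URL handed to
// getimagesize() with allow_url_fopen=On, beside a hardened fetch that will not
// probe the internal network. Function names and the timeout are assumptions.

// Vulnerable pattern: the URL is taken straight from the request. With
// display_errors=On the warning text ("Connection refused" vs "HTTP request
// failed!") tells closed ports from open ones; with errors off, wall-clock
// time still does (the post's ~0.05 s vs ~5 s measurements).
function image_size_vulnerable($url)
{
    return getimagesize($url);
}

// Hardened variant: allow-list the scheme and port, reject credentials, refuse
// private/loopback/link-local targets, do not follow redirects, cap the timeout,
// and never let fetch diagnostics reach the HTTP response.
function image_size_hardened($url)
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    // Plain web fetches only: no ftp://, php://, data:// or other wrappers.
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Default ports only, so a host cannot be probed port by port.
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return false;
    }
    // The post notes the wrapper honours HTTP Basic auth; never proxy credentials.
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    // Resolve and refuse RFC 1918, loopback, link-local and other reserved ranges.
    // Caveat: resolve-then-fetch can be raced by DNS rebinding; pin the resolved
    // address (fetch by IP with an explicit Host header) where the app allows it.
    $ip = gethostbyname($p['host']);  // returns the name unchanged on failure
    if (filter_var($ip, FILTER_VALIDATE_IP,
                   FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'timeout' => 3,          // bound the open-port delay
        'follow_location' => 0,  // a redirect could point back into the LAN
    ]]);
    // Fetch the body ourselves and size it from memory; keep display_errors=Off
    // and log_errors=On in php.ini so failures are logged, not echoed.
    $data = @file_get_contents($url, false, $ctx);
    return $data === false ? false : getimagesizefromstring($data);
}
```

The timeout only narrows the timing difference; the real fix is that internal destinations are never reachable through the wrapper at all.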

Lastly, Ascii wrote a nice PHP script for LAN scanning.
You can find it here...

Ah... did I mention that PHP remote file opening supports HTTP Basic Authentication? :)

As usual, the next move is up to you.



Wisec is written and maintained by Stefano Di Paola.
