Wednesday, August 29, 2007, 17:24
Scanning an internal LAN with PHP remote file opening.
Even if some websites are still vulnerable to remote file inclusion (RFI), this is becoming a rather rare scenario.
Nonetheless, it happens much more often that one of the PHP functions accepting http:// or ftp:// protocol wrappers is exposed to user control.
A perfect example of this technique is a fully user-controlled getimagesize() call with allow_url_fopen enabled.
No RFI, no data returned: it seems it could only be used for DoS.
Obviously there's no RFI, and until yesterday probably nobody would have cared to check, inspect or exploit it. This article explains that some kind of attack can still be accomplished:
LAN scanning and drive-by pharming through error matching or timing analysis.
If PHP error display is set to On, a simple request yields a warning like:
Warning: getimagesize(http://127.0.0.1:22/check): failed to open stream:
Connection refused in...
This means the port is closed.
Indeed, an open port is displayed as:
Warning: getimagesize(http://127.0.0.1:22): failed to open stream:
HTTP request failed!...
The ftp:// wrapper could obviously be used too.
If no error is shown in the output, timing attacks can be carried out instead.
In fact, we get one timing result if a port is closed:
Or a different one if a port is open:
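The two leaks above (warning text and response time) both come from handing a user-supplied string straight to a URL-capable function. The following is an added example, not code from the original post: the vulnerable pattern side by side with a hardened version that only ever resolves a bare file name inside a fixed directory, so the function never reaches a remote host regardless of allow_url_fopen. Function names, the /var/www/uploads directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical names): vulnerable pattern vs. hardened version.

// --- Vulnerable pattern described in the post ---
// With allow_url_fopen=On, getimagesize() accepts http:// and ftp:// URLs, so a
// user-controlled $src becomes an internal port probe whose outcome leaks through
// the warning text (display_errors=On) or, failing that, through response time.
function image_dimensions_vulnerable($src)
{
    return getimagesize($src);   // $src may be "http://127.0.0.1:22/check"
}

// --- Hardened version ---
// Accept only a bare file name: no scheme, no "/" or "\", no leading dot.
function is_safe_image_name($name)
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $name) === 1;
}

// Resolve the name inside $baseDir and verify the canonical path stays there.
// realpath() returns false for missing files and collapses "..", and the prefix
// check catches symlinks that point outside the directory. Every failure takes the
// same short path and returns the same value, so neither the message nor the
// timing depends on anything outside $baseDir.
function image_dimensions_safe($name, $baseDir)
{
    if (!is_safe_image_name($name)) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    // $full is now a local file; "@" keeps any filesystem detail out of the response.
    return @getimagesize($full);
}

// Constructed sample inputs: only the first passes the name check.
$samples = [
    'logo.png',                      // accepted (dimensions depend on the file existing)
    'http://127.0.0.1:22/check',     // rejected: scheme and slashes
    'ftp://192.168.0.1/x.gif',       // rejected: scheme and slashes
    '../../../etc/passwd',           // rejected: path separators
    '.htaccess',                     // rejected: leading dot
];
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, is_safe_image_name($s) ? 'accepted' : 'rejected');
}

// php.ini settings that remove the primitive server-wide, independent of the code:
//   allow_url_fopen = Off   ; no http:// or ftp:// wrappers in fopen-family functions
//   display_errors  = Off   ; warning text goes to the log, not into the response
//   log_errors      = On    ; keep the "Connection refused"/"HTTP request failed"
//                           ; lines: a burst of them against private addresses in
//                           ; the PHP error log is the detection signal for this probe
```

Turning display_errors off alone only removes the first channel; the timing channel stays as long as user input can still select a remote URL, which is why the code-level fix (a bare name resolved under a fixed directory) matters more than the ini settings.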
So, what can be done?
If the right conditions are satisfied:
1. Drive-by pharming.
2. Brute-forcing routers.
3. Full LAN scan.
Lastly, Ascii wrote a nice PHP script for LAN scanning.
You can find it here...
Ah... did I mention that PHP remote file opening supports HTTP Basic Authentication? :)
As usual, the next move is up to you.
Wisec is written and maintained by Stefano Di Paola.