File Inclusion and Arbitrary Code Execution: An aeroplane ticket website built on WordPress was hacked earlier this month, leaving hundreds of thousands of visitors’ personal data exposed. In an earlier article on why hackers hack, we discussed their reasons, including theft of information, sending spam emails, and even using black hat SEO methods to rank their own products (recommended reading: pharma hack).

Learning how hackers hack a website is key to stopping them, which is why in an earlier article we listed the most common hacking attacks on WordPress websites.

When we speak of common hack attacks, you are very likely to think of brute force attacks. But did you know that File Inclusion and Arbitrary Code Execution are also among the most common hack attacks on WordPress websites? In this post, we’ll go a little deeper into these attacks so that you can understand them in detail.

To understand how these attacks work, the first thing you have to know is that they involve PHP files. You may wonder why. It is because PHP files are used in both File Inclusion and Arbitrary Code Execution attacks.

What is a PHP file, though? Think of a kitchen cabinet. There are a number of items inside the cabinet, like sugar, salt, spices, utensils, etc. Each of these items has a purpose to serve in the kitchen. A PHP file is the cabinet, and the code inside the file is the set of items that lets the hacker perform the functions he wants. This is why hackers prefer to upload a PHP file over any other file, such as a JPEG or PDF. JPEG and PDF files are not executable, so hackers are unable to perform any function with these files. One can only read (that is, view) them. It is not possible to use them to make any changes to a compromised site.

A hacker who uploads a PHP file to your website’s server can use it to do anything on your website. This is why PHP files are used to carry out File Inclusion and Arbitrary Code Execution attacks.

What is a File Inclusion Attack?

Walking through a realistic scenario is the best way to understand a complex website attack like this. Let’s say you run your institution’s website and the site is called college.com. You allow a few students to access the site so that they can post images taken during a recent college event. Someone misuses that access and uploads a malicious PHP file (called hack.php). The goal is to gain control of the college’s website. When the student uploads the malicious PHP file, it is stored in the Upload folder by default. Anyone who knows WordPress’s basic structure knows where an uploaded file goes.
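A check a site owner can run against this scenario, as an added example that is not part of the original article: the PHP function below walks an uploads directory and flags files that carry a PHP extension or contain a PHP open tag. The function name and the temporary sample tree (standing in for wp-content/uploads) are constructed for illustration.

```php
<?php
// Added example, not WordPress code. Flags files under an uploads
// directory that the web server could end up executing as PHP.
function find_php_in_uploads(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $name = strtolower($file->getFilename());
        // Match the extension anywhere in the name so that
        // double extensions such as "photo.php.jpg" are caught too.
        if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/', $name)) {
            $hits[$file->getPathname()] = 'php extension';
            continue;
        }
        // A media file whose first bytes contain a PHP open tag is suspect.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 4096);
        if (stripos($head, '<?php') !== false) {
            $hits[$file->getPathname()] = 'php open tag in content';
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree standing in for wp-content/uploads.
$root = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($root . '/2024/01', 0700, true);
file_put_contents($root . '/2024/01/event.jpg', "\xFF\xD8\xFF\xE0 fake jpeg bytes");
file_put_contents($root . '/2024/01/hack.php', "<?php /* placeholder */");
file_put_contents($root . '/2024/01/photo.php.jpg', "not an image");
file_put_contents($root . '/2024/01/banner.png', "\x89PNG <?php /* placeholder */");

foreach (find_php_in_uploads($root) as $path => $reason) {
    echo substr($path, strlen($root)), ': ', $reason, "\n";
}
```

Only event.jpg passes; the other three constructed files are reported with the reason they were flagged.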


The file acts like a door that allows the hacker to interact with it remotely. Remember that the hacker still has no control over the site, only a window of communication. To make it easier to understand, imagine that person A wants to enter a country where he is not permitted. So he sends an agent, person B. Person A is the hacker, the country stands for the college website, and the hack.php file is person B.

PHP file uploaded to the college website -> the file is stored on the website server

Person B is only able to do a few things, and only so much can be achieved. So person A has to tell him what to do next. In the same vein, the PHP file creates a communication window and then awaits further commands from the hacker.

Let’s assume that hack.php is written in a way that allows more files to be uploaded to the website. The hacker creates a file (named control.php) and uploads it using hack.php, which is already present on the website’s server. The new file, control.php, will give the hacker full access to the website. The control.php file is uploaded to the site through the window provided by the hack.php file. This process of using a file (hack.php) that is already present on the website server to upload the control.php file is called Local File Inclusion.

The vulnerability found in the Easy Forms for MailChimp WordPress plugin (v 6.0.5.5) is a great example of Local File Inclusion. Website owners can connect multiple types of forms to their WordPress platform by using the MailChimp plugin. A loophole allowed hackers to use the MailChimp form to insert a PHP file into a website server. Once the file is stored on the website server, hackers are able to communicate with it and execute code that allows them to control the server or damage the site in numerous ways.

Here’s a scenario: the college website has a firewall set up, so the hacker cannot upload control.php. While he can’t upload another separate file, he can include a file. That means he can insert, within the hack.php file, a file that is already present on the college website server. If the hacker could upload the control.php file, the website server would read the file and execute the code inside, allowing the hacker to do whatever he wants. But because he can’t upload the file, he has to find another way to make the server read the control.php file. A path created by the hacker that is accessible online should be readable by the college website server. So the hacker creates a path and makes it publicly accessible so that the college website server can read it. The server then begins to run the code received from the path, and as the code is written in a manner that enables the hacker to manipulate the website entirely, the hacker now controls the website of the college. This method of making the server read a remote file is called Remote File Inclusion.
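In code terms, both kinds of inclusion come down to a script handing a requester-chosen name to PHP's include. The added example below (not from the article or from any plugin) shows that pattern as a comment beside a hardened resolver; the resolve_page function, the pages directory and the "page" parameter are assumptions made for illustration.

```php
<?php
// Added example. PAGES_DIR and the "page" request parameter are hypothetical.
const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable pattern (shown for contrast, never executed here): the
// request value goes straight to include, so it can name any local
// path, or a URL when the allow_url_include setting is enabled.
//     include $_GET['page'];

// Hardened: accept only a plain page name, resolve it inside the base
// directory, and refuse anything that ends up outside that directory.
function resolve_page(string $name, string $baseDir = PAGES_DIR): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/i', $name)) {
        return null; // no slashes, dots, URL schemes or null bytes
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page does not exist
    }
    // realpath() follows symlinks, so compare the final location.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample directory and inputs.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir, 0700, true);
file_put_contents($dir . '/about.php', '<?php echo "about";');

foreach (['about', '../secret', 'http://example.test/x', 'missing'] as $input) {
    $resolved = resolve_page($input, $dir);
    printf("%-24s => %s\n", $input, $resolved === null ? 'rejected' : 'would include');
}
```

Keeping allow_url_include disabled in php.ini closes the remote case at the configuration level as well; the resolver covers local paths.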

The TimThumb vulnerability is a popular example of Remote File Inclusion. TimThumb was a WordPress plugin that allowed easy editing of images on a WordPress site. It enabled anyone to use images procured from image sharing websites like imgur.com and flickr.com. TimThumb recognises imgur as a valid (or whitelisted) site. Hackers taking advantage of this criterion create files with URLs that mention a valid site, such as http://www.imgur.com.badsite.com. When they upload a malicious file with a URL like the one above, the plugin is fooled into believing the file comes from a valid website, and it allows the malicious file to be uploaded to the website’s server. This whole process of including a malicious file from outside the website server by taking advantage of a vulnerability in a plugin is Remote File Inclusion. After the malicious PHP file is stored on the website server, the hackers can communicate with it to execute their desired actions.
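The weakness described here is a host check that looks for an allowed name somewhere in the URL instead of comparing the parsed host. The PHP below is an added example, not TimThumb's own code: it puts such a check beside a strict one, with a constructed allowlist and constructed sample URLs (PHP 8 or later for str_ends_with).

```php
<?php
// Added example. ALLOWED_HOSTS and both function names are hypothetical.
const ALLOWED_HOSTS = ['imgur.com', 'flickr.com'];

// Weak: passes if an allowed name appears anywhere in the URL string.
function is_allowed_weak(string $url): bool
{
    foreach (ALLOWED_HOSTS as $allowed) {
        if (stripos($url, $allowed) !== false) {
            return true;
        }
    }
    return false;
}

// Strict: parse the URL, then require the host to equal an allowed
// name or to be a subdomain of it (ending in "." followed by the name).
function is_allowed_strict(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // reject URLs carrying userinfo before the host
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host === $allowed || str_ends_with($host, '.' . $allowed)) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs; the second is the shape quoted in the article.
$samples = [
    'http://www.imgur.com/a.jpg',
    'http://www.imgur.com.badsite.com/a.php',
    'http://badsite.com/imgur.com/a.php',
];
foreach ($samples as $url) {
    printf("%-42s weak=%-5s strict=%s\n", $url,
        is_allowed_weak($url) ? 'allow' : 'deny',
        is_allowed_strict($url) ? 'allow' : 'deny');
}
```

The weak check allows all three samples, while the strict check allows only the first, because the parsed host of the other two ends in badsite.com.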

What is an Arbitrary Code Execution Attack?

Now that we know what Remote and Local File Inclusion are, let’s move on and try to understand what Arbitrary Code Execution is. File Inclusion and Arbitrary Code Execution are closely related. In any case of File Inclusion, the hacker’s aim is to execute arbitrary code on the website. Let’s go back to the example of Local File Inclusion, where the hacker uploaded hack.php to the college website and then uploaded control.php with the help of hack.php. The phrase Arbitrary Code Execution describes a hacker’s ability to execute any command of his choice on a hacked website. The hacker can run whatever code he wants as long as the PHP files (hack.php and control.php) are up on the website server. This ability to run any code through the files he has uploaded is called Arbitrary Code Execution.

Hacks are intricate. We have tried to explain them as simply as possible in this article, but if any section does not make sense to you, we encourage you to write to us. In the next post, we address another common hack attack on WordPress sites, called Cross-Site Scripting (XSS). Take a look.