The following is a network summary:
1.
I thought I had dug up a gold mine. After talking with heige, I found that it could only be used on the Win32 platform, which reduces the impact of this bug; it basically does not cause much harm, because there are too few PHP applications on the Win32 platform.
include $_GET['file'] . ".php";
In the past we used %00 to truncate it, but that has basically stopped working in current PHP versions. The idea, as heige described it, is to trigger a vulnerability by combining conditions from several parts of the environment: the operating system has a limit on the length of a file name, so if our $_GET['file'] exceeds this limit, the ".php" that PHP appends is lost. The truncation principle here should be different from that of %00.
Usage: index.php?file=some.txt/////////////////////.... [more than a certain number of "/"]
I do not know how to use it on Linux.
http://cloie.it580.com/?p=51
2.
By Ryat
http://www.wolvez.org
2007-12-17
When exploiting local file inclusion, %00 is often used to truncate the string appended after the parameter, but %00 is escaped when GPC is ON. Is there any other method?
In fact, someone previously mentioned using a certain number of "/" characters to exceed the operating system's limit on file name length and cut off the trailing string; see: http://cloie.it580.com/?p=51
That article says it can only be used on Windows. In fact, it can also be used on some Linux hosts, but the number of "/" characters needed is larger [enough to make the file path length exceed 4096 bytes]. Take a look at the following code snippet:
<?php
// Build a run of 4072 slashes so that the final path exceeds the
// 4096-byte limit once the file name and ".php" suffix are appended.
$a = '';
for ($i = 0; $i <= 4071; $i++) {
    $a .= '/';
}
$a = 'test.txt' . $a; // The complete path is /var/www/test/test.txt.
require_once($a . '.php');
?>
Test this in a Linux environment and you will find that ".php" is truncated and test.txt is successfully included :)
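For the defender's side, here is an added example (not code from either of the posts above) showing how the include pattern discussed can be hardened so that path-length truncation no longer matters: the parameter is checked against an allowlist and a strict length before the final path is resolved and verified. The directory name `pages` and the allowed page names are assumptions for illustration.

```php
<?php
// Added example: hardened replacement for include $_GET['file'] . ".php".
// Instead of trusting that an appended suffix survives path truncation,
// validate the parameter first and verify the resolved path before including.

// Hypothetical directory holding includable page scripts (assumption).
define('INCLUDE_BASE', __DIR__ . '/pages');

function resolve_include(string $name): ?string {
    // Reject anything that is not a short, plain name: no slashes, no NUL
    // bytes, no dots, and a length far below MAX_PATH (260) or PATH_MAX (4096),
    // so the slash-padding trick described above cannot even be expressed.
    if (strlen($name) > 64 || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;
    }

    // An allowlist of known page names is the strongest control (assumed names).
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // Resolve the real path and confirm it still lies inside INCLUDE_BASE,
    // so neither truncation nor a symlink can redirect the include elsewhere.
    $path = realpath(INCLUDE_BASE . '/' . $name . '.php');
    $base = realpath(INCLUDE_BASE);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_include($_GET['file'] ?? '');
if ($page === null) {
    // Log the rejected value (truncated) so padded or traversal attempts are visible.
    error_log('Rejected include parameter: ' . substr($_GET['file'] ?? '', 0, 80));
    http_response_code(404);
    exit('Unknown page');
}
require_once $page;
```

The length and character checks alone defeat the technique on both Windows and Linux; the realpath prefix check is the safety net in case the allowlist is ever relaxed.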