PHP include Path Truncation Vulnerability

Source: Internet
Author: User

PHP's include construct can be used to include and run a specified file. In some cases, however, the file path is truncated, for example when the path contains a character with an ASCII value of 0. The demo code is as follows:

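<?php
// Demo (deliberately vulnerable): $s comes straight from the query string
$s = $_GET['s'];
$path = "demo/$s/";
// The user-controlled value ends up inside the include path
include($path . "style.css");
?>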

This is ordinary example code: based on user input, it includes the style.css file from a subdirectory of the demo directory (it is only sample code, so never mind whether it has any practical use).

On seeing this code, the first thought is that $s can be forged at will. But however we forge it, there seems to be little to exploit, because

include("demo/../upload/1.jpg/style.css") or

include("demo/../upload/1.jpg?/style.css") and so on do not form a valid include path, so an error is raised.

But in fact, because the include path can be truncated, the following method is available:

include("demo/../upload/1.jpg" . chr(0) . "/style.css")

The path is truncated at chr(0), so the statement above is equivalent to include("upload/1.jpg"). That is the vulnerability. What remains is how to make $s take the value we want (assuming that the demo code at the beginning is saved as test.php):

http://www.bkjia.com/test.php?s=../upload/1.jpg%00

The trailing %00 is what we want: it causes the path to be truncated.
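
A hardened form of the demo code, added here as an example that is not part of the original article: it treats s as a single theme name instead of a path fragment, rejects the NUL byte and the ../ traversal, and serves the file as data. The demo/<theme>/style.css layout, the function name resolve_theme_css and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the article's code. Assumed layout: demo/<theme>/style.css

/** Return the real path of demo/<theme>/style.css, or null if $s is unsafe. */
function resolve_theme_css($s, $root = __DIR__ . '/demo')
{
    // s[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($s)) {
        return null;
    }
    // The truncation character from the article: never valid in a name.
    if (strpos($s, "\0") !== false) {
        return null;
    }
    // Allowlist a single directory name: no '/', '.', '?' or '%'.
    // \A and \z anchor the whole string ('$' would allow a trailing newline).
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $s) !== 1) {
        return null;
    }
    // Canonicalise (resolves symlinks and '..') and confirm containment.
    $base = realpath($root);
    $file = realpath($root . '/' . $s . '/style.css');
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($file, $prefix, strlen($prefix)) === 0 ? $file : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a benign name (resolves only if demo/blue/style.css
    // exists) and the article's traversal value without and with the NUL.
    foreach (['blue', '../upload/1.jpg', "../upload/1.jpg\0"] as $s) {
        $out = resolve_theme_css($s);
        printf("%-22s => %s\n", addcslashes($s, "\0"), $out === null ? 'rejected' : $out);
    }
} else {
    $css = resolve_theme_css(isset($_GET['s']) ? $_GET['s'] : '');
    if ($css === null) {
        http_response_code(400);
        exit;
    }
    // readfile() sends the bytes as data; include would execute any PHP in them.
    header('Content-Type: text/css');
    readfile($css);
}
```

PHP 5.3.4 and later already reject include paths that contain a NUL byte, so on current versions the %00 step fails by itself. The ../ traversal and the use of include on a user-influenced path remain the parts to fix.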

Author: Sea Thorn Bird
Address: http://www.classover.com.cn/?p=3092
