Php include path Truncation Vulnerability

Source: Internet
Author: User

The include structure of php can be used to include and run specified files. However, the file path is truncated in some cases. For example, the path contains characters with an ascii value of 0. First, the Demo code is as follows:

<? Php
$ S = $ _ GET ['s '];
$ Path = "demo/$ s /";
Include ($ path. "style.css ");
?>

This is an ordinary example code. The user-input example code contains the style.css file (O (character _ character) O in the example code under the demo directory. No matter what practical use it is ).

When we see this code, we first think that $ s can be forged at will, but no matter how we forge it, it seems that there is little value to use, because

Include ("demo/../upload/1.jpg/ style.css") or

Include ("demo/../upload/1, jpg? /Style.css ") and so on. If they do not comply with the include path, an exception is thrown.

But in fact, because the include path can be truncated, the following method is available:

Include ("demo/../upload/1.jpg". chr (0)."/style.css ")

The chr (0) will be truncated. The above sentence is equivalent to include ("upload/1.jpg"). The vulnerability exists ^ _ ^. Next, is how to make $ s the value we want (assuming that the Demo code at the beginning is saved in test. in php)

Http://www.bkjia.com/test. php? S = ../upload/1.jpg% 00

The following % 00 is what we want, so the path will be truncated.

Author: Sea Thorn Bird address: http://www.classover.com.cn /? P = 3092

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.