2

Lets say example.com has a front end with this HTML:

<form action='this.php' method='post'>
<input type='hidden' value='test' name='post'>
<input type='submit' value='Test'>
</form>

and this.php included something along the lines of:

if (isset($_POST['post'])) {
include 'test_' . $_POST['post'] . ".php";
}

With the above setup, how would someone execute a malicious include, or attempt any sort of directory traversal, if the string 'test_' was attached to the beginning of it?

if they entered /../../, include would read it as 'test_/../../', and fail, if they used a url, include would get 'test_http://evil.com/badcode.php' and fail again.

How would someone get around the proceeding string to execute remote includes, or change its directory?

Sidenote: I do know how to sterilize strings, and other security steps to completely avoid this. This is simply out of curiosity, and from what I know now, I don't think it would be possible.

Improve this question

3 Answers 3

Reset to default
2

This is not really a good practice and always remember , Never trust user input !

Keeping that in mind, you should never pass a user-input to an include language construct.

From your code, it is somewhat clear that directory traversals leads to 404. However, there maybe some smart wicked geeks out there to bypass and perform a RFI attack.

So a better advice is.. Don't send user input directly to an include() construct.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks, but I'm actually looking for a specific method for doing so. I thought of this today, and I have yet to find a way to get out of its current directory,
You may get a detailed response on security.stackexchange.com as a lot of security enthusiasts will be active there.
0

File streams are typically abused in one of two ways. LFI, and RFI (Local file inclusion / Remote file inclusion respectively) or generally MFI (Malicious file inclusion). Often it's used to pipe local files such as /etc/passwd or log files.

RFI is much more dangerous, this is a possiblity if allow_url_fopen is on This allows a hacker to include a remote file into your environment. In the above example, it is combined with null byte injection in order to disregard the concatenation.

There is many methods of manipulating the string to do various things, for example including php://input or php://filter

Improve this answer

1 Comment

Heya, thanks for the answer, but I'm actually looking for how someone would exploit this specific code, and be able to remote include this, or at least, change the includes directory.
0

if they entered /../../, include would read it as 'test_/../../', and fail […]

This is actually only true for Unix-based systems but works on Windows as it does the path resolution only on the given path and not on the actual file system structure. Windows doesn’t care whether one of the unresolved path segments exists as long as the resolved path exists.

Furthermore, up to certain PHP versions, not all file system functions where binary-safe and a null byte could end the string and remaining bytes were omitted.

So concluding, depending on the operating system and the PHP version, your script may be exploited to include arbitrary files using the following pattern:

post=/../../../../windows/win.ini%00
Improve this answer

1 Comment

The NTFS alternate data streams may also be used to exploit this.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.