
Recently my server got hacked and files were uploaded. Right now I'm trying to locate the weak spots, which brought me to PHP injection. I use the following code to include files:

    <?php
    // The include as posted: the user-controlled value goes straight into the path.
    if (isset($_GET['page'])) {
        $page = $_GET['page'];
        include("./php/$page.php");
    }

I've tried something like:

    http://badsite.com/badcode.php
    example.php");include(...BADCODE HERE...);//

"allow_url_fopen=0" is disabled in the server configuration. I think a white list and/or PHP functions (htmlentities, strip...) to filter special characters and code by default would make it bulletproof. But still I'm wondering if it is possible to inject bad code anyway, as the value of $page is treated as a string?

Is there anything a "user" could enter, that will not end up in php warning "...failed to open stream: No such file or directory..."?

  • Not saying it's your problem, but I've seen that people using plain FTP will often get hacked. If you were using plain FTP, simply using encrypted FTP, SFTP, etc. would be a great start to keeping your sites safe. I learned this lesson the hard way, when I was on the same network with a computer that had malware. It was actually my mom's computer. It was sniffing network traffic and sending my FTP credentials to China. Commented Sep 30, 2018 at 22:22
  • That's not how PHP works; it isn't rewriting the code with the values it's provided, unless you're using something like eval(). It just interprets the value and puts it into a variable. Your only real risk lies with traversal attacks that might try putting ../ into the path to try and include a file that shouldn't be included. Commented Sep 30, 2018 at 22:40
  • inculde can you fix that typo please? unless it isn't one? Commented Sep 30, 2018 at 22:41
  • Thx for your answers. I use encrypted FTP, but I was thinking about similar ways hackers might have gained control... I know about the eval() function, preg_replace() and others; this was really only about include, but jh1711 gave me a good hint about null byte injection. @Funk Forty Niner: Typo fixed, thx! :) Commented Oct 7, 2018 at 20:24

1 Answer

Your code is vulnerable to local file inclusion (LFI). A potential attacker can traverse your file system and include something like:

page=../../uploads/images/1.jpg

The example shows one of the potential exploits for LFI. If you allow image uploads, somebody can upload an image that includes PHP code, and that code will be executed. Other exploits hide PHP code in session files or log files and include the file through the vulnerability.

In itself the problem is not a big issue, but it can become one when combined with something else. Therefore I would whitelist what pages I allow for $_GET['page'].


5 Comments

OP is appending .php to the variable, which will mitigate things somewhat.
You're right. I totally missed that. The attack scenarios should still be real, but I need to check what PHP versions still allow null byte poisoning to bypass the hardcoded extension. I'll update the answer tomorrow.
Damn! I got a complete new account from my provider, so I can't tell which PHP version was running. From what I found out "Null byte injection has been fixed in PHP 5.3.4"... Probably I had an older version running. THX so far for the hint!!!
Damn me too. I forgot that I wanted to get back to this question. Mea culpa. It seems null bytes have been fixed for ages; that should be a thing of the not too recent past. But as far as I can tell path truncation (add a bunch of meaningless ././ (around 4kB), and the extension will be cut off) is still an issue. At least that's what a few quick tests show. It may not show in your setup, if your config limits $_GET strings to a length shorter than that.
Took me a while.... But many thanks for your last reply as well. I got into this a little deeper, hoping I could fix the issues on my site :)
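As an added example (not the asker's code and not the answerer's), this is how the include could be rewritten with the whitelist the answer recommends, plus a realpath containment check as a second layer so that the traversal, null byte and path truncation inputs discussed in the comments never reach include(); the ./php directory and the page names are assumed:

```php
<?php
// Added example, not from the original post: whitelist-based replacement for
// include("./php/$page.php"). Directory and page names are assumed.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/php';

// Explicit allow-list: only these names can ever be turned into a path.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map a user-supplied page name to an absolute file path, or null if rejected.
 * Rejected: non-strings, anything not on the allow-list (strict comparison, so
 * "../../uploads/images/1.jpg", "home\0" or "home/././..." never match), and
 * any resolved path that does not sit directly inside PAGE_DIR.
 */
function resolvePage($page): ?string
{
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    // realpath() returns false for missing files and collapses ./ and ../,
    // so a surviving path outside $base means the allow-list was bypassed.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$file = resolvePage($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Because the whitelist check runs before any filesystem call, the length or content of the rejected value never matters, which is what removes the truncation and null byte concerns rather than just the ../ case.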
