Remote File Inclusion (RFI)

[dataspy]

Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example

Code: [Select]

<?php 
$Redirection = array('View','Edit','Delete');

    if(isset($_GET['Action']))
    {
        if(($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("ViewRecord.php");
        }
        elseif(($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("EditRecord.php");
        }
        elseif(($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("DeleteRecord.php");
        }
        else
        {
            do something
        }
    }
    else
    {
        require("index.php"); 
    }
    ?>

I haven't tried to exploit it yet but I think it would work

[ande]

Great tutorial, easy to understand!!!

I've read of another way to prevent this exploit by using in_array and then comparing against $_GET[''].

Example

Code: [Select]

<?php 
$Redirection = array('View','Edit','Delete');

    if(isset($_GET['Action']))
    {
        if(($_GET['Action'] == "View") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("ViewRecord.php");
        }
        elseif(($_GET['Action'] == "Edit") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("EditRecord.php");
        }
        elseif(($_GET['Action'] == "Delete") && (in_array($_GET['Action'], $Redirection, TRUE)))
        {
            require("DeleteRecord.php");
        }
        else
        {
            do something
        }
    }
    else
    {
        require("index.php"); 
    }
    ?>

I haven't tried to exploit it yet but I think it would work

That is not necessary at all, after you have done a if($n == "derp) you dont need to do a in_array() as well.

[dataspy]

Thanks, yep I see how that is redundant

[Stackprotector]

Thanks, yep I see how that is redundant

If you keep the inarray, you can shorten it up like a baws,   just look if the requested page is in the array, if yes include it and show it.

[bio_n3t]

And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
   include("page/".$_GET["page"].".php");
}
?>

It's dangerous? Thank you

[ande]

And if I use this:

<?php
if(file_exists("page/".$_GET["page"].".php"))
{
   include("page/".$_GET["page"].".php");
}
?>

It's dangerous? Thank you

Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.

[Droaxenius]

Thank you ande.
Now i remember how to do RFI and LFI :>


Great tutorial!

[bio_n3t]

Yes. Replace ".$_GET['page']." with ../../../../../../../etc/passwd%00 and you have an LFI.

But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

[ande]

But also if there is a folder before the $_GET["page"]?
So in my example it will become:

include("page/../../../../../../../etc/passwd%00.php");

I am pretty sure, I don't have time to test. But the idea is that ../ will move you backwards in the path until you hit the root directory, then it adds etc/passwd and %00 is the null char so it and everything after it will be discarded.

[bio_n3t]

I have done a simple test on Windows 7 and it doesn't work, may be on Linux works I don't know, or I have done something wrong!
We are waiting for other answers!

[ande]

I have done a simple test on Windows 7 and it doesn't work, may be on Linux works I don't know, or I have done something wrong!
We are waiting for other answers!

The ../ concept is universal, but /etc/passwd is Linux only. You can try ../../../../../../../windows/system32/drivers/etc/hosts

[bio_n3t]

Yes I knew that etc/password is only for Linux, I have done a test with a file in the root and now I retry with  ../../../../../../../windows/system32/drivers/etc/hosts%00
and it always says:

Warning:  include() [function.include]: Failed opening 'include/../../../../../../../windows/system32/drivers/etc/hosts' for inclusion (include_path='.;C:\php\pear') in C:\www\aaa.php on line 3 

[ande]

Yes I knew that etc/password is only for Linux, I have done a test with a file in the root and now I retry with  ../../../../../../../windows/system32/drivers/etc/hosts%00
and it always says:

Warning:  include() [function.include]: Failed opening 'include/../../../../../../../windows/system32/drivers/etc/hosts' for inclusion (include_path='.;C:\php\pear') in C:\www\aaa.php on line 3 

Windows/linux might be different when it comes to path shortcuts when I think about it. Try ..\ instead of ../ etc.

[bio_n3t]

I tried again on Windows using ..\ and it doesn't work.
By the way now I have also tried with a linux server and it doesn't work too

http://www.site.com/index.php?page=../../../../../../../etc/passwd%00
 

[ande]

I tried again on Windows using ..\ and it doesn't work.
By the way now I have also tried with a linux server and it doesn't work too

http://www.site.com/index.php?page=../../../../../../../etc/passwd%00
 

This keept anoying me so I did a little bit of poking around. Tried it on this server and on my local machine, so windows and linux. I could include other php files, which is still a pretty serious issue. However, I was not able, like you said, to include entirely custom files like hosts or passwd. Even using the null char trick. Odd thing, I sware that used to work back in the days. Perhaps new php versions or extentions/addons have taken care of it.

On top of that, I want to make it perfectly clear that this does not mean its ok to use such a script.