include() local file inclusion vulnerability: random thoughts - vulnerability warning - the black bar safety net

ID MYHACK58:62200820563
Type myhack58
Reporter Anonymous
Modified 2008-09-29T00:00:00


by Ryat 2008-2-22


Local file inclusion is one of the more common vulnerability classes in PHP; the code typically looks like this:

include('inc/'.$_GET['a'].'/global.php');

This is a typical file inclusion vulnerability. To include an arbitrary file, though, you need to inject a NULL byte to truncate the trailing '/global.php', and with GPC (magic_quotes_gpc) on the NULL byte is escaped, which often limits how far a local file inclusion can be exploited. In some specific cases other methods can also be used to truncate the trailing string, see: <>

In fact there are two kinds of file inclusion, include() and require(). First look at how the manual describes the difference between them:

_These two constructs are identical except in how they handle failure. include() produces a warning while require() results in a fatal error. In other words, if you want processing of the page to stop when the file is missing, use require(). include() does not behave this way: the script will continue to run._

The manual states the difference between the two clearly, and the way include() handles a failed inclusion sometimes gives us other ideas when exploiting a local file inclusion vulnerability. See the following code fragment:

...
if (!empty($_COOKIE["userlanguage"]) && file_exists("lang/" . basename($_COOKIE["userlanguage"]) . "/global.php"))
    $language = $_COOKIE["userlanguage"];
...
include_once("lang/$language/index.php");
...
$template = preg_replace("/\{lang\s+(.+?)\}/ies", "languagevar('\\1')", $template);
...
fwrite($fp, $template);
...
function languagevar($var) {
    if (isset($GLOBALS['lang'][$var])) {
        return $GLOBALS['lang'][$var];
    } else {
        return "!$var!";
    }
}
...

Put simply, in the processing flow of the code above the program writes the $lang entries of the language the viewer selected into the template cache, and when the viewer visits again the cached template is served directly. Here a local file inclusion can be triggered through $_COOKIE["userlanguage"] by submitting:

../../[file][null char]/eng

basename() returns eng, and lang/eng/global.php exists, so the file_exists() check is bypassed and the local file inclusion is triggered. But this requires GPC to be OFF, because a NULL byte has to be injected to truncate the rest of the string. That makes it look hard to exploit, but we can turn the idea around. When include_once() succeeds it loads the language file, and that language file is what defines $lang; this is the key. If the $_COOKIE["userlanguage"] we submit simply makes include_once() fail to include the file, then, as noted above, include() keeps executing the script even when the inclusion fails, so no language file is loaded and $lang is never initialised. With register_globals on, or where extract() is used, we can then supply $lang ourselves, and fwrite() writes it into the cache file :)

In effect, this idea turns the include() local file inclusion vulnerability into a different vulnerability, a typical second-order attack :)
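As an added example (not code from the original post or the application it describes), here is a hardened version of the language-cache flow above. It closes each hole the post relies on: the language name is checked against an allowlist rather than passed through basename(), $lang is initialised before the include so register_globals or extract() cannot pre-populate it, require_once aborts on a missing file instead of carrying on, and the /e regex modifier is replaced by preg_replace_callback. The allowlist contents, the lang/<name>/index.php layout and the sample template are assumptions.

```php
<?php
// Hardened version of the language-cache flow from the post (added example, not the original code).
// Assumed layout: lang/<name>/index.php defines $lang = array(...) for each allowed name.
$allowed_languages = array('eng', 'chs');   // assumption: explicit allowlist of directory names

function select_language($cookie_value, array $allowed)
{
    // Accept only an exact allowlisted name: this rejects "../", NUL bytes and
    // anything else basename() would otherwise silently mangle or let through.
    if (is_string($cookie_value) && in_array($cookie_value, $allowed, true)) {
        return $cookie_value;
    }
    return $allowed[0];   // safe default instead of leaving $language unset
}

function languagevar($var)
{
    // Escape the value so a language string cannot smuggle markup or a '<?php'
    // open tag into the cache file that is written below.
    if (isset($GLOBALS['lang'][$var])) {
        return htmlspecialchars($GLOBALS['lang'][$var], ENT_QUOTES, 'UTF-8');
    }
    return '!' . htmlspecialchars($var, ENT_QUOTES, 'UTF-8') . '!';
}

$cookie   = isset($_COOKIE['userlanguage']) ? $_COOKIE['userlanguage'] : '';
$language = select_language($cookie, $allowed_languages);

// Initialise $lang before the include so neither register_globals nor extract()
// can pre-populate it, and use require_once: unlike include_once it aborts the
// script if the file is missing instead of carrying on with an attacker-supplied $lang.
$lang = array();
require_once __DIR__ . "/lang/$language/index.php";

// Constructed sample template; the real one comes from the application.
$template = "<h1>{lang welcome}</h1><p>{lang intro}</p>";

// preg_replace_callback replaces the /e modifier, which evaluated the replacement
// string as PHP code and so could turn template or language text into executed code.
$template = preg_replace_callback(
    '/\{lang\s+(.+?)\}/',
    function ($m) { return languagevar($m[1]); },
    $template
);

$fp = fopen(sys_get_temp_dir() . '/template_cache.html', 'w');
fwrite($fp, $template);
fclose($fp);
```

With the allowlist in place the NULL-byte truncation and the "make include_once() fail" trick both stop working, because every request resolves to a known language directory and $lang can only come from that file.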