On the PHP local include vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201026222
Type myhack58
Reporter Anonymous
Modified 2010-02-23T00:00:00


I thought I had struck gold, but after discussing it with black brother it turned out to apply only to the Win32 platform, so the impact of this bug is smaller than it first looked and the practical harm is limited, because too few people run PHP on Win32.

include $_GET['file'] . ".php";

Previously we used %00 to truncate the path, but on current PHP versions that has largely stopped working. The idea for finding this one is what black brother mentioned before: combine several environmental conditions to trigger a vulnerability. The operating system limits the length of a file name, so if our $_GET['file'] exceeds that limit, the ".php" that the PHP code appends at the end is dropped; the truncation works on the same principle as %00 truncation.

Usage: index.php?file=some.txt/////////////////////.... [more than a certain number of /]
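The request pattern above leaves a clear trace in web server logs. The following is an added example, not part of the original post: a small PHP check that flags a request parameter carrying an overlong value, a run of slashes, a NUL byte or a parent-directory sequence. The log lines are constructed, and the parameter name and thresholds are assumptions.

```php
<?php
// Constructed access-log lines (combined log format) used as sample input.
$logLines = [
    '10.0.0.5 - - [23/Feb/2010:10:00:00 +0800] "GET /index.php?file=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Feb/2010:10:00:01 +0800] "GET /index.php?file=some.txt'
        . str_repeat('/', 300) . ' HTTP/1.1" 200 88',
    '10.0.0.9 - - [23/Feb/2010:10:00:02 +0800] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 88',
];

// Return a short reason string when the named query parameter looks like a
// path-truncation or traversal attempt, or null when it looks benign.
// $maxLen is an assumed threshold: a legitimate page key is far shorter than
// any operating-system path limit (260 on Windows, 4096 on Linux).
function suspiciousIncludeParam(string $line, string $param = 'file', int $maxLen = 255): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) ([^ "]+) HTTP\//', $line, $m)) {
        return null;                       // not a request line we understand
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;                       // no query string at all
    }
    parse_str($query, $params);            // percent-decodes, so %00 becomes "\0"
    if (!isset($params[$param]) || !is_string($params[$param])) {
        return null;
    }
    $value = $params[$param];

    if (strlen($value) > $maxLen) {
        return 'overlong value (' . strlen($value) . ' bytes)';
    }
    if (strpos($value, "\0") !== false) {
        return 'NUL byte in value';
    }
    if (preg_match('#/{8,}#', $value)) {
        return 'run of slashes';
    }
    if (strpos($value, '..') !== false) {
        return 'parent-directory sequence';
    }
    return null;
}

foreach ($logLines as $line) {
    $reason = suspiciousIncludeParam($line);
    echo ($reason === null ? 'ok      ' : 'SUSPECT ') . ($reason ?? '') . "\n";
}
```

Run against the constructed lines, the first request is reported as ok, the second as an overlong value and the third as containing a NUL byte (the ".." check would also have caught it). The same checks fit naturally into a WAF rule or a log-shipping filter.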

On the Linux platform I currently don't know how to exploit it, woohoo.

PS: under Resin, a JSP include needs only a single / for this to work.

Under Windows MaxPath is 260 bytes.

Linux seems to have a limit too, 512 maybe?


In fact it was mentioned before that a certain number of / can be used to break through the operating system's file name length limit and truncate the string appended after it; see: http://cloie.it580.com/?p=51

What was mentioned above can only be exploited under Windows, but in fact some Linux hosts are affected as well; you just need more / characters so that the file path length exceeds 4096 bytes. Look at the following code piece:


<?php
$a = '';
// pad with 4072 slashes so that the full path exceeds the 4096-byte limit
for ($i = 0; $i <= 4071; $i++) {
    $a .= '/';
}
$a = 'test.txt' . $a;  // the full path is /var/www/test/test.txt
require_once($a . '.php');
?>

Testing in a Linux environment, you will find that '.php' is truncated and test.txt is successfully included :)
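Both the Windows and the Linux variants rely on the same root cause: the request value is used as a path and the appended ".php" is the only thing keeping it inside the intended set of files. The following is an added example, not code from the original post: the vulnerable pattern as the article shows it, beside a hardened version that maps a short key to a known file and then verifies the canonical path. The page directory, file names and key format are assumptions.

```php
<?php
// Vulnerable pattern from the article: the request controls the whole path,
// and an overlong path (or, on old PHP versions, a %00) drops the ".php".
function includeVulnerable(string $file): void
{
    include $file . '.php';
}

// Hardened replacement. The request selects a key; the key selects a file.
// Nothing taken from the request is ever used as a path component.
const PAGE_MAP = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];
const PAGE_DIR = __DIR__ . '/pages';   // assumed location of the include files

// Return the canonical path for a page key, or null if the key is rejected.
function resolvePage(string $key): ?string
{
    // A short identifier only: this alone rejects slashes, dots, NUL bytes
    // and any value long enough to reach an operating-system path limit.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $key)) {
        return null;
    }
    if (!isset(PAGE_MAP[$key])) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGE_MAP[$key]);
    // Defence in depth: realpath() returns false for a missing file, and the
    // canonical path must still start with the page directory.
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function includeHardened(string $key): void
{
    $path = resolvePage($key);
    if ($path === null) {
        // Log the rejected key (truncated) so the attempt shows up in monitoring.
        error_log('rejected include key: ' . substr($key, 0, 64));
        http_response_code(404);
        return;
    }
    include $path;
}

// Usage: includeHardened($_GET['file'] ?? 'home');
```

The allowlist is the real fix; the regex and the realpath() containment check only guard against mistakes in maintaining it. With this structure there is no string the attacker can supply whose length or trailing slashes changes which file is opened.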