Suppose we have a script.php which loads files based on a GET parameter (Say load) on Windows.

script.php:

<?php include 'D:\\mydir\\' . $_GET['load'] . '.php'; ?>

The script doesn't check for valid input, so an attacker could easily change the parameter to be any file: http://address/script.php?load=mymaliciousinput.ext%00

Suppose also that Windows is installed on drive C, while our webserver is installed on drive D. What are the possible vulnerabilities? Is it possible to include a malicious file from another server/website?

BitParser
  • if `$_GET['load']` is `"..\\Windows\\system32\\drivers\\etc\\hosts\x00"`, what would you expect your `include` to do? – Mark Baker Jan 14 '15 at 11:50
  • @MarkBaker I'd expect it to issue an inclusion error because file could not be found. Mind the drive letter – BitParser Jan 14 '15 at 11:51
  • OK, irrespective of drive letter, the principle is still there; of course it's arbitrary file inclusion and that can be extremely dangerous for revealing all manner of files.... unless you control what can be accessed, don't assume that joe malicious won't skip across to your drive C:\ – Mark Baker Jan 14 '15 at 11:59
  • Yeah I do get that. Of course you could get the Apache configuration (httpd.conf) and such. – BitParser Jan 14 '15 at 12:02
  • I wonder what will happen if your script serves a domain, for example "example.com", and the attacker sets the value of load to "script.php?load=http://example.com?load=scipt". Will that cause multiple inclusion in your case? – Samuil Banti Jan 14 '15 at 12:03
  • Or just set `$_GET['load']` to `script` (assuming that this `script.php` file is in `D:\mydir`) and see what effect it has on your system.... recursive includes – Mark Baker Jan 14 '15 at 12:05
  • The drive letter is not a barrier to anything. The files can be accessed on Windows using the [UNC notation](http://en.wikipedia.org/wiki/Path_(computing)#Uniform_Naming_Convention) since a long time ago (I think it is older than PHP). I cannot tell now if prefixing a UNC path with enough pieces of `..\\ ` will do it, but I'm sure a hacker will find a way to access any file they want on your computer if you don't check and restrict the files you include. – axiac Jan 14 '15 at 12:18
  • Now, of course, it's a big NO NO. I was more interested on the practical side, just as a Proof-of-concept (especially exploring the other drive) – BitParser Jan 14 '15 at 12:29

2 Answers

Is it possible to include a malicious file from another server/website?

Long story short: Yes. It may be possible but it also depends on your PHP version and server configuration.

What are the possible vulnerabilities?

The situation described below is a typical file injection vulnerability, and in this situation, without filtering request data, you are vulnerable to both Local File Injection (LFI) and Remote File Injection (RFI).

It's also good to remember that:

  1. include or require will load and execute any good code in PHP, whether it is in a PHP file or not. Look here for an example of a JPG image carrying PHP code (and this file is even recognized as image/jpg by mimetype!).

  2. include or require will also open plain text files, like your etc/hosts, without errors if you are working with default Apache/PHP settings.

  3. With a GET variable like yours, on Windows, the end user can just use a variable with a "..\" path. So it is possible to check all dirs loosely.

  4. Here you can check how you can include remote files. Based on the answers there you can easily reconfigure your server/PHP stack and test the vulnerability.

EDIT:

As for point 3, do you know of any example of how you can jump to the other drive?

In your example, for Apache2 or Nginx with the PHP5 default configuration, I was not able to find a way to jump to another drive. Putting backspaces (%08), escape codes etc. does not remove the previously added disk letter.

So for include 'D:\\mydir\\' . $_GET['load'] . '.php'; you must stay on the same drive. Of course for include $_GET['load'] . '.php'; you will be able to choose whatever url/drive you like.

Arius


I'm not aware of anything you can append to a Windows path name that is already rooted with a drive identifier to change to another drive.

But it's certainly not something you should be relying on. Apart from obscure Windows path tricks, there may be application-specific vulnerabilities possible from including other project PHP files on the drive, and if there is any other way the user can write files onto the D: drive they can escalate.

For example, if the site has an image-upload feature that stores data on the D: drive, an attacker could upload an image containing the string <?php and then include it to execute arbitrary code. Or if anything is logged to files on the drive, an attacker could make a request that causes <?php to be written to a log file, and then include the log file.

bobince
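The fix both answers point at is to stop splicing request data into the include path at all. Below is an added example (not code from the question or from either answer) of a hardened replacement for `include 'D:\\mydir\\' . $_GET['load'] . '.php'`. It layers three independent controls: a strict syntactic check that rules out `..\`, `/`, `\0` and `scheme://` wrappers before anything touches the filesystem; an explicit allowlist of page names, which is also what closes bobince's upload and log-poisoning cases (a log file or uploaded image is never on the list); and a `realpath()` containment check as a backstop. The page directory `D:\mydir\pages`, the allowlist contents and the `resolvePage` / `selfCheck` function names are assumptions of this example.

```php
<?php
// Added example: hardened page loader, not the original script.php.
// Assumed layout: includable pages live under D:\mydir\pages\<name>.php.
declare(strict_types=1);

const PAGE_DIR = 'D:\\mydir\\pages';                 // assumed page directory
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed allowlist

/**
 * Returns the absolute path of the page to include, or null if the request
 * must be refused. Safe to call on arbitrary attacker-controlled input.
 */
function resolvePage(string $load, string $baseDir = PAGE_DIR, array $allowed = ALLOWED_PAGES): ?string
{
    // 1. Syntactic allowlist: a short bare name only. This rejects path
    //    separators, "..", NUL bytes and URL wrappers such as "http://".
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $load)) {
        return null;
    }
    // 2. Semantic allowlist: only pages we deliberately expose. Note that
    //    "script" is not listed, so the recursive self-include from the
    //    comments is refused here as well.
    if (!in_array($load, $allowed, true)) {
        return null;
    }
    // 3. Containment backstop: resolve symlinks and "." / ".." and confirm
    //    the final file still sits inside the page directory.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $load . '.php');
    if ($base === false || $real === false) {
        return null; // page directory missing or page file does not exist
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the page directory
    }
    return $real;
}

/**
 * Runs the inputs discussed on this page through resolvePage() and returns
 * name => accepted/refused. Used for the CLI self-check below.
 */
function selfCheck(): array
{
    // Constructed probes taken from the question and its comments.
    $probes = [
        'traversal+nul' => "..\\Windows\\system32\\drivers\\etc\\hosts\0",
        'remote url'    => 'http://example.com?load=script',
        'self include'  => 'script',
        'listed page'   => 'home', // accepted only if D:\mydir\pages\home.php exists
    ];
    $result = [];
    foreach ($probes as $label => $probe) {
        $result[$label] = resolvePage($probe) === null ? 'refused' : 'accepted';
    }
    return $result;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone run: print the verdict for each probe.
    foreach (selfCheck() as $label => $verdict) {
        printf("%-14s %s\n", $label, $verdict);
    }
    exit(0);
}

// Web request handling: refuse anything that does not resolve.
$load = $_GET['load'] ?? '';
$path = resolvePage(is_string($load) ? $load : '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Run it from the command line to see that the three hostile probes are refused by the syntactic and allowlist stages alone, without consulting the filesystem; `home` is accepted only when the assumed page file really exists. As defence in depth, keep `allow_url_include=Off` in php.ini (so point 4 of Arius's answer, remote inclusion, is closed at the interpreter level) and set `open_basedir` to the web root so PHP itself refuses to open files elsewhere on D: or on C:, whatever the application code does.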