
I have the two vulnerable PHP code sections below, in two files. I found the sources of these in an anonymous-access FTP backup file home.tar.gz.

So I'm getting the content of /etc/passwd with the null byte terminator %00 in both these sections of code, i.e. ../../../../../etc/passwd%00

Thanks for the help in advance.

  • The main problem here to resolve is to not use user-submitted data in such a way that, based on the submitted value in the cookie "user", the file is included; even if it has "rtps/" and ".txt" added, this doesn't change much. The "user" variable should be stored on the server side and the user should have a randomized (256-bit) cookie. – Aria Aug 22 '16 at 15:22

1 Answer


The first piece of code directly attempts to include the file contained in the $doc variable.

<?php include $doc;?>

The second piece of code makes a file_exists() call and depending on the result of this call, attempts to include the file.

file_exists($finc)

file_exists is subject to PHP safe mode restrictions. These provide means to prevent the inclusion of specific files/directories that would otherwise be accessible. As stated in the PHP docs, PHP is not the appropriate place in the stack to enforce such restrictions, but this is a fallback mechanism should appropriate hardening and design/configuration practices not be present at the web server and/or OS level.

With the above in mind, you will be better able to perform LFI in the first code sample.

– dotproi
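As an added example (not code from the question or the answer), here is a hardened replacement for the pattern the question describes, where the "user" cookie is turned into an include of "rtps/" . $user . ".txt". It assumes one profile file per user under a fixed directory and a hypothetical default.txt fallback; the function name resolveUserInclude is my own.

```php
<?php
// Added example, not the poster's code. Hardened replacement for
// include "rtps/" . $_COOKIE['user'] . ".txt". Assumes one profile
// file per user under a fixed directory ($baseDir), as in the question.

declare(strict_types=1);

/**
 * Resolve a per-user include path, or return null if the value is unsafe.
 * Defences, in order: reject null bytes (the %00 truncation the question
 * relies on), accept only a short allowlisted name (no "../" or "/"),
 * and confirm the resolved real path stays inside $baseDir.
 * file_exists() on its own gives none of these guarantees.
 */
function resolveUserInclude(string $user, string $baseDir): ?string
{
    // A null byte never belongs in a file name; treat it as an attack.
    if (strpos($user, "\0") !== false) {
        return null;
    }
    // Allowlist 1-32 chars of [A-Za-z0-9_-]; \z (not $) rejects a trailing newline.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $user)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user . '.txt');
    // realpath() returns false for a missing file and follows symlinks,
    // so a symlink that points outside $baseDir also fails the prefix check.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: the cookie stays untrusted input. On rejection, log the event for
// detection and serve a fixed default; never echo the rejected value back.
$user = (string) ($_COOKIE['user'] ?? '');
$path = resolveUserInclude($user, __DIR__ . '/rtps');
if ($path === null) {
    error_log('rejected "user" cookie value for include');
    $path = __DIR__ . '/rtps/default.txt'; // hypothetical fallback profile
}
include $path;
```

The allowlist check alone already blocks both traversal and the null byte; the realpath prefix check is belt-and-braces against symlinks inside the directory and against later edits that loosen the regex.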