I'm looking at a website that uses a URL parameter to include the current page, like http://host.tld/index.php?page=about
.
If I add anything other than the current page (e.g. http://host.tld/index.php?page=test
) it reflects the parameter, added with a .php
and states that the resource was not found.
Here reflected XSS already works, but I'm trying to include other files.
Now, if I put /etc/passwd
as the parameter, it doesn't find the /etc/passwd.php
file.
I've tried to add %00
, %2500
and \0
to the end of the parameter, none of which works:
%00
throws an error:Warning: file_exists() expects parameter 1 to be a valid path, string given in /var/www/html/index.php on line 69
%2500
reflects the parameter (test) as"test%00.php"
\0
is simply added to the parameter when reflected, liketest\0.php
The .php
is not added on the client-side.
Is there any other way to exploit this to include other system files? The server response states Apache/2.4.10 (Debian).