
Here is the code:

<?php
$file=trim($_GET['img_name']);
//echo $file;

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);
    exit;
}
?>

Is there any possibility of RCE? I am a web developer and developing a website for my client.

  • Your code is vulnerable to LFI attacks if `open_basedir` is not set in `php.ini`. I am not sure why you think an LFI is related to RCE. You only read local files; this by itself will not lead (directly) to RCE. – Jeroen Sep 06 '19 at 06:19
  • When speaking of RCE, do you mean Remote Command Execution or Remote Code Execution. My previous answer was about command execution. – Jeroen Sep 06 '19 at 06:23
  • I referred to RCE as Remote Command Execution – Dangu OP Sep 06 '19 at 06:34
  • I would recommend scanning this endpoint with a web app scanner like OWASP ZAP. – Saustin Sep 07 '19 at 01:45

2 Answers


Yes, it is possible, e.g. using PHP wrappers.

A simple RCE could be done like this:

https://yoursite.com/?img_name=expect://ls

Note: This will work only if the PHP configuration allows wrappers.

More details here: https://highon.coffee/blog/lfi-cheat-sheet/

Edit: You might need to URL encode the payload:

https://yoursite.com/?img_name=expect%3A%2F%2Fls

You should check for directory traversal and for the file type of the requested file.

Directory traversal:

Use the realpath() function

<?php
chdir('/var/www/');
// realpath() resolves ".", ".." and symlinks to a canonical absolute path,
// and returns false when the path does not exist, so check the result
// before comparing it against the directory you intend to serve from.
echo realpath('./../../etc/passwd') . PHP_EOL;   // resolves to /etc/passwd if it exists
echo realpath('/tmp/') . PHP_EOL;                // trailing slash is dropped
?>

File type:

$allowed  = array('gif', 'png', 'jpg');
$filename = trim($_GET['img_name']);               // the requested file, as in the question
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if (!in_array($ext, $allowed, true)) {
    echo 'Invalid file type requested, only images are allowed!';
    exit;                                          // stop before any file is read
}

RCE is not in any way possible with only this method.

  • One should also check for characters in the filename. Newline can be a perfectly valid character in a filename, but it would cause header injection. – v6ak Oct 06 '19 at 19:51
  • Note that checking the actual extension on a file is usually worthless, and of questionable value here. The important part is to make sure that only *intended* files are downloaded. Limiting an attacker to downloading image files is useless if, for instance, the application also happens to store pictures of people's tax returns in jpg format. The main goal here is to ensure that a person is downloading only those files that they are authorized to download. Limiting file types (which an extension check doesn't even do) may not help at all in many cases. – Conor Mancone Feb 03 '20 at 14:07
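
As an added example (not code from the question or from either answer), here is one way to put the advice from this thread together in PHP. It accepts only a bare file name, which at once rules out directory traversal, the wrappers mentioned in the first answer (expect://, php://filter) and the CR/LF header injection from v6ak's comment; it applies the extension allowlist from the second answer; it canonicalises with realpath() and confirms the result still lives under an assumed download root, so a symlink pointing outside is caught; and it leaves a marked place for the per-user authorization check that Conor Mancone's comment asks for. The DOWNLOAD_ROOT path, the function names and the probe inputs in the CLI self-check are assumptions for illustration, and the sample directory is constructed by the script itself.

```php
<?php
// Added example: a hardened version of the download handler from the question.
// Not code from the original post. Assumed: downloadable files live under
// DOWNLOAD_ROOT and only the listed extensions should ever be served.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/var/www/uploads';       // assumed location (illustrative)
const ALLOWED_EXT   = ['gif', 'png', 'jpg'];     // same list as the second answer

/**
 * Map a user-supplied name to an absolute path under $root, or return null.
 * null covers: traversal, wrapper schemes, control characters, bad extension,
 * symlinks escaping the root, and files that simply do not exist.
 */
function resolve_download_path(string $userName, string $root, array $allowedExt): ?string
{
    // 1. Accept only a bare file name. This single check rejects "../",
    //    "expect://ls", "php://filter/...", NUL bytes and CR/LF (header injection).
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $userName)) {
        return null;
    }
    // 2. Extension allowlist: defence in depth, not an authorization decision.
    $ext = strtolower(pathinfo($userName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 3. Canonicalise both sides and require the file to stay under the root.
    //    realpath() follows symlinks, so a link to /etc/passwd is caught here.
    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $userName);
    if ($rootReal === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Send a resolved file; its name has already passed the bare-name check. */
function send_download(string $path): void
{
    $name = addcslashes(basename($path), '"\\');
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $raw  = $_GET['img_name'] ?? '';
    $path = is_string($raw) ? resolve_download_path(trim($raw), DOWNLOAD_ROOT, ALLOWED_EXT) : null;
    if ($path === null) {
        http_response_code(404);   // same answer for "unsafe" and "absent": no oracle
        exit;
    }
    // Authorization goes here: confirm the current user may read basename($path)
    // before sending. Limiting to *.jpg says nothing about who may see the file.
    send_download($path);
    exit;
}

// CLI self-check over constructed inputs in a constructed directory (Unix assumed).
$root = sys_get_temp_dir() . '/dl_demo_' . getmypid();
mkdir($root, 0700);
file_put_contents($root . '/photo.jpg', 'constructed sample, not a real image');
@symlink('/etc/passwd', $root . '/link.jpg');    // symlink that escapes the root
$probes = [
    'photo.jpg',                        // the one legitimate request
    '../../etc/passwd',                 // traversal
    'expect://ls',                      // wrapper from the first answer
    'php://filter/resource=index.php',  // another wrapper
    "photo.jpg\r\nX-Injected: 1",       // CR/LF header injection from v6ak's comment
    'link.jpg',                         // passes name and extension checks, fails the realpath prefix
    'photo.php',                        // extension not allowed
];
foreach ($probes as $p) {
    $r = resolve_download_path($p, $root, ALLOWED_EXT);
    printf("%-38s -> %s\n", json_encode($p), $r === null ? 'rejected' : 'serve ' . $r);
}
@unlink($root . '/link.jpg');
unlink($root . '/photo.jpg');
rmdir($root);
```

Run it from the command line (`php download.php`) to see which probes are rejected; deployed under a web server it behaves as the handler. Note that the extension check is the least important layer here: the name check and the realpath prefix comparison decide whether a file can be reached at all, and the authorization step decides whether this user should get it.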