Reputation: 21
Lets say example.com has a front end with this HTML:
<form action='this.php' method='post'>
    <input type='hidden' value='test' name='post'>
    <input type='submit' value='Test'>
</form>
and this.php included something along the lines of:
<?php
if (isset($_POST['post'])) {
    // user input flows straight into the include path (the behaviour the question asks about)
    include 'test_' . $_POST['post'] . '.php';
}
With the above setup, how would someone execute a malicious include, or attempt any sort of directory traversal, if the string 'test_' was attached to the beginning of it?
If they entered /../../, include would read it as 'test_/../../' and fail; if they used a URL, include would get 'test_http://evil.com/badcode.php' and fail again.
How would someone get around the preceding string to execute remote includes, or change its directory?
Sidenote: I do know how to sanitize strings, and other security steps to completely avoid this. This is simply out of curiosity, and from what I know now, I don't think it would be possible.
Upvotes: 2
Views: 217
Reputation: 655239
if they entered /../../, include would read it as 'test_/../../', and fail […]
This is actually only true for Unix-based systems but works on Windows as it does the path resolution only on the given path and not on the actual file system structure. Windows doesn’t care whether one of the unresolved path segments exists as long as the resolved path exists.
Furthermore, up to certain PHP versions, not all file system functions were binary-safe: a null byte could end the string, and the remaining bytes were omitted.
So, concluding: depending on the operating system and the PHP version, your script may be exploited to include arbitrary files using the following pattern:
post=/../../../../windows/win.ini%00
Upvotes: 0
Reputation: 6687
File streams are typically abused in one of two ways: LFI and RFI (local file inclusion and remote file inclusion, respectively), or generally MFI (malicious file inclusion). Often it's used to pipe local files such as /etc/passwd or log files.
RFI is much more dangerous; this is a possibility if allow_url_fopen is on. This allows a hacker to include a remote file into your environment. In the above example, it is combined with null byte injection in order to disregard the concatenation.
There are many methods of manipulating the string to do various things, for example including php://input or php://filter.
Upvotes: 0
Reputation: 68476
This is not really a good practice, and always remember: never trust user input!
Keeping that in mind, you should never pass user input to an include language construct.
From your code, it is somewhat clear that directory traversals lead to 404. However, there may be some smart wicked geeks out there who bypass it and perform an RFI attack.
So the better advice is: don't send user input directly to an include() construct.
Upvotes: 2
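The hardened shape the answers are recommending, as an added example (this is editor-added PHP, not code from the question or from any answer; the pages/ directory, the function names and the sample inputs are assumptions). It keeps the question's 'test_' . $_POST['post'] construction only to show what actually reaches include(), then puts two defensive resolvers beside it: a fixed allowlist that never turns user input into a path, and, for the case where the page set is not known in advance, a strict character class plus a realpath() containment check.

```php
<?php
// Added example, not from the question or any answer. The 'pages' directory,
// function names and sample inputs below are assumptions for illustration.

// The question's pattern, kept only to show what reaches include(): the
// 'test_' prefix does not stop traversal segments, and on old PHP versions
// a null byte could cut the string short, so the prefix is not a boundary.
function buildPathLikeQuestion(string $post): string
{
    return 'test_' . $post . '.php';
}

// Hardened variant 1: the user value selects a key in a fixed allowlist and
// never becomes part of a path at all.
const ALLOWED_PAGES = [
    'test'    => 'test_test.php',
    'contact' => 'test_contact.php',
];

function resolveAllowlisted(string $post): ?string
{
    return ALLOWED_PAGES[$post] ?? null;
}

// Hardened variant 2: restrict the token to a strict character class, then
// confirm with realpath() that the canonical file lies under the base directory.
function resolveWithinBase(string $post, string $baseDir): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $post)) {
        return null; // rejects '/', '.', "\0", URL characters, empty input
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . 'test_' . $post . '.php');
    if ($base === false || $candidate === false) {
        return null; // base directory missing or file does not exist
    }
    // Canonical path must start with "<base>/" (string compare on resolved paths).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs, including the shapes discussed in the thread.
$samples = [
    'test',
    '/../../../../windows/win.ini',   // traversal pattern from the thread
    "test\0",                          // null byte
    'http://evil.com/badcode.php',     // remote inclusion attempt
];

foreach ($samples as $s) {
    printf("%-32s raw=%-40s allowlist=%-18s strict=%s\n",
        addcslashes($s, "\0"),
        addcslashes(buildPathLikeQuestion($s), "\0"),
        resolveAllowlisted($s) ?? 'REJECTED',
        resolveWithinBase($s, __DIR__ . '/pages') ?? 'REJECTED');
}

// Request handler: include only what a resolver returned, never the raw value.
if (isset($_POST['post'])) {
    $file = resolveAllowlisted($_POST['post']);
    if ($file === null) {
        http_response_code(400);
        exit('Unknown page');
    }
    include __DIR__ . '/pages/' . $file;
}
```

Run from the command line the loop prints the raw concatenation next to the two resolvers' decisions; every sample except 'test' is rejected by both, and 'test' passes the strict resolver only if pages/test_test.php actually exists, because realpath() returns false for a missing file. The allowlist is the simpler and preferable control; the realpath() variant is there for the case where pages are added without touching the map, and it works on Windows too because the comparison is made on the resolved path, not on the user's input.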