Бормотухи.НЕТ

-include-..-2f..-2f..-2f..-2froot-2f

```php
<?php
// First approach: strip traversal sequences and their encoded variants from the parameter.
// This is a blacklist filter and is easy to bypass with other encodings.
$input = str_replace(['..', '-2F', '%2F', '\\'], '', $_GET['path']);

// Second approach: canonicalise the requested path and require it to stay under the web root.
$base = '/var/www/html/';
$user_path = $base . $_GET['file'];
$real = realpath($user_path);   // resolves '..' and symlinks; false if the file does not exist
if ($real === false || strpos($real, $base) !== 0) {
    die('Invalid path');
}
```

```php
<?php
// Vulnerable pattern: the request parameter is passed straight to include().
include($_GET['page']);
```

Remove `..`, `./`, `%2F`, `%5C`, and obfuscated variants like `-2F`, as seen in `-include-..-2F..-2F..-2F..-2Froot-2F`. Stripping these strings is only a first filter; the `realpath()` check above remains the decisive control.

Search web-server access logs, with tools like grep, for patterns such as:

- `GET /index.php?page=-include-..-2F`
- `GET /*.php?*-include-*`
- `GET /*.*-2Froot-2F`
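As an added example (not code from the original article), a small Python scanner that applies the log search above to a few constructed access-log lines: it decodes `%2F`, double-encoded `%252F` and, on the assumption that the application maps `-XX` to `%XX`, the `-2F` variant, then flags any request path or parameter whose `..` segments climb above the starting directory.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not real traffic): two carry traversal payloads, two are benign.
LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2024:10:15:32 +0000] "GET /index.php?page=-include-..-2F..-2F..-2F..-2Froot-2F HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2024:10:15:40 +0000] "GET /index.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2024:10:16:01 +0000] "GET /index.php?page=about&lang=en HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2024:10:16:05 +0000] "GET /static/css/../js/app.js HTTP/1.1" 200 9000',
]

# Assumption: the target app treats "-XX" like "%XX"; only the bytes that matter for traversal (% . / \) are mapped.
DASH_ESCAPE = re.compile(r'-(2[5EeFf]|5[Cc])')

def decode_obfuscated(value: str, max_rounds: int = 3) -> str:
    # Repeat until stable so double encoding (%252F -> %2F -> /) is undone too.
    cur = value
    for _ in range(max_rounds):
        nxt = unquote(DASH_ESCAPE.sub(r'%\1', cur))
        if nxt == cur:
            break
        cur = nxt
    return cur.replace('\\', '/')   # treat backslash (%5C) as a separator

def escapes_root(decoded: str) -> bool:
    depth = 0
    for seg in decoded.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:          # climbed above the starting directory
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False

def find_traversal_requests(lines):
    # Returns (where, raw value) for each request path or parameter that escapes its root.
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        path, _, query = m.group(1).partition('?')
        if escapes_root(decode_obfuscated(path)):
            hits.append(('path', path))
        for param in filter(None, query.split('&')):
            name, _, value = param.partition('=')
            if escapes_root(decode_obfuscated(value)):
                hits.append((name, value))
    return hits
```

Run `find_traversal_requests(LOG_LINES)` to get the two flagged `page` values; the benign `about` page and the in-tree `../js/app.js` path are not reported.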

If `allow_url_include` is on and the attacker controls a remote file, they could inject a web shell.

## How to Defend Against This Payload (For Developers & Sysadmins)

1. Never Trust User Input in File Paths. Do not allow user-supplied strings to be passed directly to `include()`, `require()`, `file_get_contents()`, or `fopen()`.
2. Whitelist Valid Inputs. Instead of handing the raw parameter to `include()`, resolve it against a fixed list of allowed page names.

# Anatomy of a Web Attack: Deconstructing -include-..-2F..-2F..-2F..-2Froot-2F

## Introduction: What You Are Looking At

At first glance, the string `-include-..-2F..-2F..-2F..-2Froot-2F` looks like gibberish. To a security professional, it is a recognizable pattern of URL encoding and directory traversal mixed with application logic. This article will explain exactly what that payload means, how it works, and — most critically — how to defend against it.

| If the attacker appends... | The system might disclose... |
|---------------------------|-------------------------------|
| `-2Fetc-2Fpasswd` | /etc/passwd (user list) |
| `-2Froot-2F.bashrc` | Root's bash configuration |
| `-2Froot-2F.ssh-2Fid_rsa` | Root's private SSH key (catastrophic) |
| `-2Fvar-2Flog-2Fapache2-2Faccess.log` | Log file (potential for log injection) |

