You can
insert the content of one PHP file into another PHP file before the server
executes it, with the include () function. The function can be used to create
functions, headers, footers or element that will be reused on multiple pages.
This will
help developers to make it easy to change the layout of complete website with
minimal effort.
If there is
any change required then instead of changing thousands of files just change
included file.
Assume we have a standard footer file
called "footer.php", that
looks like this
echo
"Copyright © 2010-" . date("Y") . "
hackingartices.in
";
";
?>
To include the footer file in a page,
use the include statement
Welcome to Hacking Articles
Some
text.
Some
more text.
Example 2
Assume we have a file called "vars.php", with some variables
defined:
$color='red';
$car='BMW';
?>
Welcome to my home page!
echo
"I have a $color $car.";
?>
Output: I have red BMW
PHP Require Function
The require
statement is also used to include a file into the PHP code.
However, there is one big difference between
include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to
execute:
Example 3
Welcome to my home page!
include 'noFileExists.php';
echo "I have a $color $car.";
?>
Output: I have a
If we do the same example using the require statement, the echo statement will not be executed because the
script execution dies after the require statement returned a fatal error:
Welcome to my home page!
require 'noFileExists.php';
echo "I have a $color $car.";
?>
No output result
PHP Required_once Function
Require_once() using this function we can access the data
of another page once when you may need to include the called file more than
once, It works the same way. The only difference between require and
require_once is that If it is found that the file has already been included,
calling script is going to ignore further inclusions.
Example 4
echo.php
echo "Hello";
?>
test.php
require('echo.php');
require_once('echo.php');
?>
outputs: "Hello"
echo "Hello";
?>
test.php
require('echo.php');
require_once('echo.php');
?>
outputs: "Hello"
Note
allow_url_include
is disabled by default. If allow_url_fopen is disabled, allow_url_include is
also disabled
You can enable allow_url_include from
php.ini
/etc/php7/apache2/php.ini
allow_url_include
= On
File Inclusion Attacks
It is an
attack that allows an attacker to include a file on the web server through a
php script. This vulnerability arises when a web application lets the client to
submit input into files or upload files to the server.
This can lead
following attacks:
·
Code execution on the web
server
·
Cross Site Scripting Attacks
(XSS)
·
Denial of service (DOS)
·
Data Manipulation Attacks
Two Types:
Local File Inclusion
Remote File Inclusion
Local File Inclusion (LFI)
Local file inclusion vulnerability occur
when a file to which to PHP account has accessed is passed as a parameter to
the PHP function “include”, or “require_once”
This
vulnerability occurs, for example, when a page receives, as inputs the path to
the file that has to be included and
this input is not properly sanitized, allowing directory traversal characters
(such as dot-dot-slash) to be injected.
Example – Local File Inclusion
http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php
http://192.168.1.8/dvwa/vulnerabilities/fi/?page=/etc/passwd
Read complete local file inclusion
attack tutorial from here
Remote File Inclusion (RFI)
Remote File
Inclusion occurs when the URI of a file located on a different server is passed
to as a parameter to the PHP function “include”, “include_once” , “require” ,
or “require_once” . PHP incorporates the content into the pages. If the content
happens to be PHP source code, PHP executes the file.
PHP Remote
File inclusion allows and attacker to embed his/her own PHP code inside a vulnerable
PHP script , which may lead to disastrous results such as allowing the
attacker to execute remote commands on the web server, deface parts of the web
or even steal confidential information.
http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php
http://
192.168.1.8/dvwa/vulnerabilities/fi/?page=http://google.com
Read complete remote file inclusion
attack tutorial from here
Mitigation
·
Strong Input Validation
·
A whitelist of acceptable
inputs
·
Reject any inputs that does not
strictly conform to specifications
·
For filenames, use stringent
whitelists that limits the character set to be used
·
Exclude directory separators
such as “/”
·
Use a whitelist of allowable
file extensions
·
Environment hardening
·
Develop and run your code in
the most recent versions of PHP available
·
Configure your PHP applications
so that it does not use register_globals
·
Set allow_url_fopen to false,
which limits the ability to include files from remote locations
·
Run your code using the lowest privileges
·
Use a vetted library or
framework that does not allow this weakness.
Source: https://www.w3schools.com/
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.acunetix.com
0 comments:
Post a Comment