Can there be a way to exploit PHP include_once() when the input is filtered?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
3
down vote

favorite












Let's assume there is a code for including other php files from user input. (Yes I know it's a bad choice.)



$input = addslashes($_GET["input"]);

if (strpos($GET, '../') !== false) 
 include_once('/path/to/php/files'.$input);
 else echo('Invalid parameter!');


This code adds slashes to single and double quotes, and then check for ../ in the string, and if it does not, includes the file.



Assuming that the hacker has write functions to other folder, and the hacker needs to access that file with ?input=../../folder/extcode this manner (which he can’t)



Can there be a vulnerabillity here?






php lfi rfi bypassing







share|improve this question























  • Maybe LFI is still possible using base64, or url-encoding...
    – game0ver
    33 mins ago














up vote
3
down vote

favorite












Let's assume there is a code for including other php files from user input. (Yes I know it's a bad choice.)



$input = addslashes($_GET["input"]);

if (strpos($GET, '../') !== false) 
 include_once('/path/to/php/files'.$input);
 else echo('Invalid parameter!');


This code adds slashes to single and double quotes, and then check for ../ in the string, and if it does not, includes the file.



Assuming that the hacker has write functions to other folder, and the hacker needs to access that file with ?input=../../folder/extcode this manner (which he can’t)



Can there be a vulnerabillity here?






php lfi rfi bypassing







share|improve this question























  • Maybe LFI is still possible using base64, or url-encoding...
    – game0ver
    33 mins ago












up vote
3
down vote

favorite









up vote
3
down vote

favorite











Let's assume there is a code for including other php files from user input. (Yes I know it's a bad choice.)



$input = addslashes($_GET["input"]);

if (strpos($GET, '../') !== false) 
 include_once('/path/to/php/files'.$input);
 else echo('Invalid parameter!');


This code adds slashes to single and double quotes, and then check for ../ in the string, and if it does not, includes the file.



Assuming that the hacker has write functions to other folder, and the hacker needs to access that file with ?input=../../folder/extcode this manner (which he can’t)



Can there be a vulnerabillity here?






php lfi rfi bypassing







share|improve this question















Let's assume there is a code for including other php files from user input. (Yes I know it's a bad choice.)



$input = addslashes($_GET["input"]);

if (strpos($GET, '../') !== false) 
 include_once('/path/to/php/files'.$input);
 else echo('Invalid parameter!');


This code adds slashes to single and double quotes, and then check for ../ in the string, and if it does not, includes the file.



Assuming that the hacker has write functions to other folder, and the hacker needs to access that file with ?input=../../folder/extcode this manner (which he can’t)



Can there be a vulnerabillity here?






php lfi rfi bypassing




php lfi rfi bypassing






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 1 hour ago









OscarAkaElvis

4,0412738




4,0412738










asked 1 hour ago









Moonsik Park

41716




41716











  • Maybe LFI is still possible using base64, or url-encoding...
    – game0ver
    33 mins ago
















  • Maybe LFI is still possible using base64, or url-encoding...
    – game0ver
    33 mins ago















Maybe LFI is still possible using base64, or url-encoding...
– game0ver
33 mins ago




Maybe LFI is still possible using base64, or url-encoding...
– game0ver
33 mins ago










1 Answer
1






active

oldest

votes

















up vote
2
down vote













What you are trying to block is a LFI, but this could be still vulnerable to RFI. (Link to both: https://en.wikipedia.org/wiki/File_inclusion_vulnerability).



On RFI the attacker will try to include a remote file using a payload like http://evilsite/evil.php and as you can see it doesn't contain '../' on it. To be protected of this, you should configure on your php.ini the allow_url_include and be sure that it is off. Otherwise you'll be hacked using RFI.



Talking about LFI I'm not sure 100% that this code is safe. Ok you are blocking strings like '../' but maybe the attacker could encode it someway to bypass your protection. Be careful!






share|improve this answer




















  • How would an RFI work on OPs sample code? There's a local path prefix.
    – Arminius
    7 mins ago










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196976%2fcan-there-be-a-way-to-exploit-php-include-once-when-the-input-is-filtered%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













What you are trying to block is a LFI, but this could be still vulnerable to RFI. (Link to both: https://en.wikipedia.org/wiki/File_inclusion_vulnerability).



On RFI the attacker will try to include a remote file using a payload like http://evilsite/evil.php and as you can see it doesn't contain '../' on it. To be protected of this, you should configure on your php.ini the allow_url_include and be sure that it is off. Otherwise you'll be hacked using RFI.



Talking about LFI I'm not sure 100% that this code is safe. Ok you are blocking strings like '../' but maybe the attacker could encode it someway to bypass your protection. Be careful!






share|improve this answer




















  • How would an RFI work on OPs sample code? There's a local path prefix.
    – Arminius
    7 mins ago














up vote
2
down vote













What you are trying to block is a LFI, but this could be still vulnerable to RFI. (Link to both: https://en.wikipedia.org/wiki/File_inclusion_vulnerability).



On RFI the attacker will try to include a remote file using a payload like http://evilsite/evil.php and as you can see it doesn't contain '../' on it. To be protected of this, you should configure on your php.ini the allow_url_include and be sure that it is off. Otherwise you'll be hacked using RFI.



Talking about LFI I'm not sure 100% that this code is safe. Ok you are blocking strings like '../' but maybe the attacker could encode it someway to bypass your protection. Be careful!






share|improve this answer




















  • How would an RFI work on OPs sample code? There's a local path prefix.
    – Arminius
    7 mins ago












up vote
2
down vote










up vote
2
down vote









What you are trying to block is a LFI, but this could be still vulnerable to RFI. (Link to both: https://en.wikipedia.org/wiki/File_inclusion_vulnerability).



On RFI the attacker will try to include a remote file using a payload like http://evilsite/evil.php and as you can see it doesn't contain '../' on it. To be protected of this, you should configure on your php.ini the allow_url_include and be sure that it is off. Otherwise you'll be hacked using RFI.



Talking about LFI I'm not sure 100% that this code is safe. Ok you are blocking strings like '../' but maybe the attacker could encode it someway to bypass your protection. Be careful!






share|improve this answer












What you are trying to block is a LFI, but this could be still vulnerable to RFI. (Link to both: https://en.wikipedia.org/wiki/File_inclusion_vulnerability).



On RFI the attacker will try to include a remote file using a payload like http://evilsite/evil.php and as you can see it doesn't contain '../' on it. To be protected of this, you should configure on your php.ini the allow_url_include and be sure that it is off. Otherwise you'll be hacked using RFI.



Talking about LFI I'm not sure 100% that this code is safe. Ok you are blocking strings like '../' but maybe the attacker could encode it someway to bypass your protection. Be careful!







share|improve this answer












share|improve this answer



share|improve this answer










answered 1 hour ago









OscarAkaElvis

4,0412738




4,0412738











  • How would an RFI work on OPs sample code? There's a local path prefix.
    – Arminius
    7 mins ago
















  • How would an RFI work on OPs sample code? There's a local path prefix.
    – Arminius
    7 mins ago















How would an RFI work on OPs sample code? There's a local path prefix.
– Arminius
7 mins ago




How would an RFI work on OPs sample code? There's a local path prefix.
– Arminius
7 mins ago

















 

draft saved


draft discarded















































 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196976%2fcan-there-be-a-way-to-exploit-php-include-once-when-the-input-is-filtered%23new-answer', 'question_page');

);

Post as a guest
































































Comments

Post a Comment

Popular posts from this blog

What does second last employer means? [closed]

Image
Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote -3 down vote favorite Say, for example I have worked in the following companies, Company A => 2010 - 2011 Company B => 2011 - 2012 Company C => 2012 - Till Date Company D => Have offer Now assume Company D is asking to submit documents from my second last employer. So from the list of companies given, which company would be qualified as second last employer? software-industry employer share | improve this question asked Aug 10 '14 at 5:16 Rajaprabhu Aravindasamy 559 1 6 13 closed as off-topic by Jim G., jmort253 ♦ Aug 11 '14 at 1:58 This question appears to be off-topic. The users who voted to close gave this specific reason: "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address...
Read more

List of Gilmore Girls characters

Image
The season three cast—(Back row): Lane, Michel, Paris, Emily, Richard, Sookie, Miss Patty, Kirk; Front row: Jess, Luke, Lorelai, Rory, Dean This is a list of characters for the comedy-drama television series Gilmore Girls . Contents 1 Main characters 1.1 Lorelai Gilmore 1.2 Rory Gilmore 1.3 Sookie St. James 1.4 Lane Kim 1.5 Michel Gerard 1.6 Luke Danes 1.7 Emily Gilmore 1.8 Richard Gilmore 1.9 Paris Geller 1.10 Dean Forester 1.11 Jess Mariano 1.12 Kirk Gleason 1.13 Jason Stiles 1.14 Logan Huntzberger 2 Major recurring characters 2.1 Christopher Hayden 2.2 Jackson Belleville 2.3 Mrs. Kim 2.4 Tristin DuGray 2.5 Max Medina 2.6 Taylor Doose 2.7 Dave Rygalski 2.8 Marty 3 Recurring characters 3.1 Stars Hollow 3.2 Chilton 3.3 Yale 3.4 Other 4 Notable guest stars 5 Unseen characters 6 Notes 7 References Main characters Actor Character Appearances Season 1 Season 2 Season 3 Season 4 Season 5 Season 6 Season 7 A Year in the Life Lauren Graham Lorelai Gilmore...
Read more

Confectionery

Image
Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of ...
Read more