Comments on: Local File Inclusion – Tricks of the Trade

By: The Challenge of Dynamically Generating Static Content | Zoompf

The Challenge of Dynamically Generating Static Content | Zoompf — Thu, 01 Dec 2011 18:13:00 +0000

[...] their raw contents into a response and send it to me!” Jackpot baby! This is what we call a Local File Inclusion vulnerability just waiting to happen. The developer has not so much created a resource combiner as [...]

By: jesse

jesse — Thu, 03 Nov 2011 15:27:30 +0000

When I started building websites 3 years ago I was using php 4 with allow_url_fopen on by default on my windows server 2003. With that said, I have designed and programmed over 100 php websites of which all of them using this php inculde here:
for all my headers and bottom navigations menus.

Since then this PHP include Security risk came about and now they changed that rule “allow_url_fopen” to be off by default to close this risk which would render my original php include line of code useless and only pull a error. However, I have researched and found the following code would work fine Would this fix the exploit? Also, My issue is, I do not want to go over every website created and make the include code change to over a 1000 locations, so im wondering if there are any other fixes? Maybe by adding a rule in the .htaccess?
Maybe something like this: RewriteRule index\.php?(?!id|altid|DataSet1_currentPage).+ /404.php [I,RP,L]

Thanks Jesse

By: Take your and shove it - The HP Security Laboratory Blog -

Take your and shove it - The HP Security Laboratory Blog - — Wed, 04 Nov 2009 15:44:13 +0000

[...] Apache's user) would need to have access to that file but that doesn't exclude a lot of interesting [...]

By: David "secteam" Jacoby

David "secteam" Jacoby — Wed, 10 Jun 2009 10:44:07 +0000

Thanks for a nice article, i wrote something similar a while back.

INTRODUCTION
Imagine that an attacker finds that a website is vulnerable to a PHP remote file include vulnerability. In most cases the attacker would try to execute commands, get a shell and read configuration files which may contain sensitive data. Is this the best way to exploit PHP remote file include vulnerability? Is there an alternative?

Read the entire article here:
http://itbloggen.se/cs/blogs/secteam/archive/2009/01/26/alternative-ways-to-exploit-PHP-remote-file-include-vulnerabilities.aspx

By: Cris Neckar

Cris Neckar — Fri, 25 Jul 2008 17:19:27 +0000

Most HTTP servers support the Range header to facilitate download resumption. The syntax for this header is something like:

Range: bytes=-1024

This would specify that only the last KB of output should be returned from the server. You can use this to skip the bulk of large logs files in order to efficiently exploit local inclusion vulnerabilities.

By: Mike Coles - Bluelip

Mike Coles - Bluelip — Tue, 22 Jul 2008 01:59:00 +0000

It’s been a long time since I’ve used it, but back in the days of DOS, you could insert an EOF character that would cause some programs to stop reading from the file. It’s worth a shot to insert the character and give it a try.

By: Cris Neckar

Cris Neckar — Mon, 21 Jul 2008 23:43:00 +0000

An interesting challenge for anyone who is interested:

In the case of a large log file, I noted that you would have to wait for the beginning of the file to load before you could see your command output. The challenge is to come up with code to include which will prevent the contents of the log aside from command output from being displayed back to the user (and thereby bypass the time penalty).

Post your ideas here.