Technique
- Attacker executes own code on our server
- Usually by including a local or remote file
- Also by using eval() or exec() on untrusted data
Risks
Defense
- Better design of how files are interconnected
- Nicer URLs
- Validate filenames and prevent self-inclusion
  - If impossible, use basename()
- Protect included files against running without context
- Turning off allow_url_fopen doesn't help
  - Account on the same machine
  - php://input is not disabled
  - file_exists() doesn't help in general
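The following added example (not from the original slides) shows the unsafe include pattern described under "Technique" next to a dispatcher that applies the listed defenses: an allowlist of page names, a self-inclusion check, basename() only as a fallback when an allowlist is impossible, and a context guard for included files. The page names, directory layout and the IN_APP marker are assumptions made for this example.

```php
<?php
// Added example: a page dispatcher that picks a sub-page from ?page=.
// Unsafe version first, then the hardened one. Names and paths are constructed.

// --- Unsafe: request data goes straight into include(). ---
// Input such as a remote URL (when URL includes are enabled), a traversal
// path, php://input, or an uploaded file on the same host all reach include().
// file_exists() does not help: an uploaded or temporary file really exists.
function unsafe_dispatch(string $page): void
{
    include $page . '.php';
}

// --- Hardened dispatcher ---
const PAGE_DIR      = __DIR__ . '/pages';               // assumed layout
const ALLOWED_PAGES = ['home', 'about', 'contact'];      // constructed allowlist

define('IN_APP', true);   // context marker checked by every included page

function safe_dispatch(string $page): string
{
    // 1. Allowlist: only known page names; everything else is rejected.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        http_response_code(404);
        return '';
    }

    // 2. The path is built from the allowlisted constant, not from the request.
    $path = PAGE_DIR . '/' . $page . '.php';

    // 3. Refuse self-inclusion (a page must not include the dispatcher again).
    if (realpath($path) === realpath(__FILE__)) {
        return '';
    }

    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// If an allowlist is impossible (pages are created dynamically), reduce the
// input to a bare filename: basename() strips directories and stream wrappers
// such as 'php://' or 'http://', but still returns '.', '..' or '' for odd
// input, so those are mapped to a safe default.
function filename_only(string $page): string
{
    $name = basename($page);
    if ($name === '' || $name === '.' || $name === '..') {
        return 'home';
    }
    return $name;
}

// Guard that each file in pages/ runs as its first statement, so that
// requesting pages/about.php directly (without the dispatcher's context)
// returns 403 instead of executing the page on its own:
//
//   <?php
//   if (!defined('IN_APP')) {
//       http_response_code(403);
//       exit('Direct access is not allowed.');
//   }

// Usage: echo safe_dispatch($_GET['page'] ?? 'home');
```

The order matters: the allowlist decides first, basename() is only the fallback, and the IN_APP check protects each sub-page even if the dispatcher is bypassed. Note that for include() of remote URLs the relevant setting is allow_url_include; allow_url_fopen governs fopen() and file_get_contents(), and as the slide says, turning it off does not remove local or php://input includes.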
Tasks
- Create a PHP script that does anything you want with the target application
- Use this script on a page that includes untrusted files
- Run an included page without context
- Create a script abusing an application "protected" by disabled allow_url_fopen