Article Note: I did not find this vulnerability. I only tested it. I heard about the vulnerability from a RT by @mubix of @brutelogic.

Update: Changed title to correctly reflect the issue. Not a vulnerability, but a Local File Inclusion to get source code post-exploit. Thanks @mubix!

Confirmed Versions: 5.4.3 and 5.3.2

This morning I saw a tweet by @mubix that was retweeting @brutelogic indicating that there was a file inclusion vulnerability in PHP. Based on the tweet, it looked like it was meant to go inline in the url. For example: http://localhost/test.php?file=php://filter/convert.base64-encode/resource=exploit.php. However, in testing on back|track as well as a production system, I was not able to duplicate the vulnerability.

The way that I did duplicate this vulnerability was by having a local PHP file call the file from which I wanted to dump the source. The first thing I did was to create a sample test.php file with comments, a couple of variables, and a simple echo.

test.php

<?php
#You shouldn’t be able to see these comments
echo “This is the only thing you should see.”;

#You shouldn’t be able to see these variables
$username=’administrator’;
$password=’sup3rs3cr3tpassword!’;
?>

As we would expect, this generates the following.

So far so good. Nothing is running out of the ordinary.

Now we create our exploit.php file and put it in the same directory. Note: I removed the ?file= from the original report.

exploit.php

<?php
readfile(“php://filter/convert.base64-encode/resource=test.php”);
?>

We then get this result:

At the time of this testing, I have confirmed this on PHP 5.3.2 and PHP 5.4.3. I am testing 5.4.7 next.

Share →