the-web-application-hackers-handbook

728 Chapter 19 n Finding Vulnerabilities in Source Code
n gzfile
n gzpassthru
n readgzfile
n copy
n rename
n rmdir
n mkdir
n unlink
n file_get_contents
n file_put_contents
n parse_ini_file
The following functions are used to include and evaluate a specified PHP
script. If an attacker can cause the application to evaluate a file he controls, he
can achieve arbitrary command execution on the server.
n include
n include_once
n require
n require_once
n virtual
Note that even if it is not possible to include remote files, command execution
may still be possible if there is a way to upload arbitrary files to a location
on the server.
The PHP configuration option allow_url_fopen can be used to prevent some
file functions from accessing remote files. However, by default this option is
set to 1 (meaning that remote files are allowed), so the protocols listed in Table
19-8 can be used to retrieve a remote file.
Table 19-8: Network Protocols That Can Be Used to Retrieve a Remote File
PROTOCOL
HTTP, HTTPS
FTP
SSH
EXAMPLE
http://wahh-attacker.com/bad.php
ftp://user:password@wahh-attacker.com/bad.php
ssh2.shell://user:pass@wahh-attacker.com:22/
xterm
ssh2.exec://user:pass@wahh-attacker.com:22/cmd