Imagine a toy PHP application vulnerable to absolute local file inclusion, e.g.
<?php include($_GET['action']);
I tried the following request to exploit it:
POST /?action=php://input HTTP/1.1
Host: XXXXXXXXXXXXXXXXX
Content-Length: 3

foo
This effectively executes include('php://input'); with request body foo, so I would expect it to print foo. However, I get the following error:
<br />
<b>Warning</b>: include(php://input): failed to open stream: operation failed in <b>XXXXXXXXXXXXXXXXX</b> on line <b>12</b><br />
<br />
<b>Warning</b>: include(): Failed opening 'php://input' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in <b>XXXXXXXXXXXXXXXXXXX</b> on line <b>12</b><br />
What is the issue here? Is this a PHP security feature? If so, can somebody point to the responsible part of the PHP source code that mitigates this?
I found the answer with the help of Gustek. Apparently php://input falls under the restriction of allow_url_include, while for example php://filter does not:
Restricted by allow_url_include: php://input, php://stdin, php://memory and php://temp only.
Source: Docs for php:// URL handler
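An added example, not part of the original post or of PHP's own code: because the quoted documentation leaves php://filter outside allow_url_include, that setting alone does not contain include($_GET['action']), so this sketch classifies targets against the quoted list and replaces the raw include with an allowlist lookup. The action names, file names and base directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical action names and file names, constructed for this example.
const ACTION_FILES = [
    'home'    => 'home.php',
    'profile' => 'profile.php',
];

/**
 * True when the target uses one of the php:// streams that the quoted
 * documentation lists as restricted by allow_url_include.
 */
function restricted_by_allow_url_include(string $target): bool
{
    if (!preg_match('#^php://([a-z]+)#i', $target, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ['input', 'stdin', 'memory', 'temp'], true);
}

/**
 * Maps a request parameter to a file under $baseDir, or null when the
 * value is not a known action. The raw parameter never reaches include().
 */
function resolve_action(string $action, string $baseDir): ?string
{
    if (!array_key_exists($action, ACTION_FILES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ACTION_FILES[$action];
}

// Constructed sample inputs: one valid action and three values to reject.
$samples = ['home', 'php://input', 'php://filter/resource=home.php', '/etc/hostname'];
foreach ($samples as $value) {
    printf(
        "%-32s ini-restricted=%-3s resolved=%s\n",
        $value,
        restricted_by_allow_url_include($value) ? 'yes' : 'no',
        resolve_action($value, '/var/www/app/pages') ?? '(rejected)'
    );
}
```

Only the first sample resolves to a path; the php://filter value is not covered by the ini setting but is still rejected by the allowlist.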