phpsecurityincludecode-injectioninclusion

Trying to understand Local File Inclusion of php command: include 'sql.php?/../../etc/passwd'


I was looking into a phpMyAdmin security vulnerability (CVE-2018–12613) and the best write-up of it doesn't explain a very crucial technical detail.

It just says: "index.php runs include 'sql.php?/../../etc/passwd', and PHP has this magic to convert the path to ../etc/passwd, without checking if the directory sql.php? exists or not. "

Can anyone help me understand this? https://medium.com/@happyholic1203/phpmyadmin-4-8-0-4-8-1-remote-code-execution-257bcc146f8e

The php manual has some info about this, for example John Carty wrote how you can inject some code using your own website, but that doesn't explain my case. https://www.php.net/manual/en/function.include.php

When i wrote the following line into my own apache2 laravel php server:

include('../../../etc/passwd');

Then I got the contents of etc/passwd on my page, but writing

include('sql.php?../../../etc/passwd');

or

include('index.php?../../../etc/passwd');

do nothing. What am I missing?

The result be that the include command:

include 'sql.php?/../../etc/passwd'

only includes '../../../etc/passwd'


Solution

  • include('sql.php?/../../../../etc/passwd');
    

    worked! I needed an extra /../ so that sql.php? be considered a directory. The "magic" of the include command is that it allows you to go into nonexistant directories and then come out of them.