Permanent*

The vulnerability here does not really depend on the HTTP method used, but to the fact that user supplied input is being passed to the include() function

Php devs stll think get requests are vulnerabilities 😂

uhh... who's going to tell him? You are aware that GET was the only way to upload files back in the day, right? the vulnerability is not in the GET request itself, it's in passing the input to include, if you do the same with POST, then you still get the exact same vulnerability lol. There are still old HTTP servers in production that only implement GET btw... and those servers are safe, because the request itself is not unsafe, what you do with the data you get is where the vulnerability is located.

@@jmsanchez5631 yes but it doesn't happen.. think and let us know if a scenario where this would ever be practically used ?

It doesn't matter if it's GET or POST but this is not even a vulnerability. It's just PHP performing exactly what it was coded to do..

True. But none of the softwares on the web are that serious. So we find these issues here and there once in a while. Plus including a file from GET param is a vulnerability if you weren’t expecting them to including random files. it’s not a vulnerability of php. It’s more of a vulnerability of that particular site.

I took it as more of a proof of concept/CTF practice albeit with multiple factors that had to be just right. I'm certainly not an expert on the matter, but I believe he references multiple times that this was only possible on older versions of PHP anyway?

I found an issue exactly like this in a PHP CMS two months ago on a pentest. HTTP parameter passes through ~5 function calls and then concatenated to a file path with a '.php' concatenated on the end, later in the file with some more prerequisites it is passed to include_once(). It was just a matter of using traversal to reach pearcmd and use this trick for RCE. Yeah ofc you won't find this if they use some more modern PHP framework but you are naive if you think there isn't a lot of legacy PHP code with this type of vuln running in production.

@@Felttipfuzzywuzzyflyguy no, including a file from _GET can be done in any PHP: from php3 to php8, and will still be possible decades from today... I dont know what author of video meant when he talked about older version of PHP...

​@@geogusdvikois6326pearcmd.php is available until PHP 7.3... That's what was said in the video. But you are right. Including raw input into include is possible and wrong in any PHP version.

@hvidstue I thintk the point of the video is not to explain LFI, but rather to show how to escalate from LFI to RCE without log poisoning. Of course including user provided data is a vulnerability, and most web apps nowadays won't do that, but it is still possible to find a page that has LFI and can be exploited using that.

Did you check if pecl is installed? That's all that is required to be vulnerable newer versions don't have it by default but not sure if it would persist through upgrades. And if you use docker, new versions will have it too!

english is not my first language so i dont know how to exactly say it, if it goes wrong sense, im sorry

He showed some "Pay what you can" courses which can give you some free lessons. I can't find it but you might

yup. if it's more than root folder of project, block it.

@byailen I mean, not necessarily in some use cases you can do more than that, like giving access to an external data directory, but ofc only in a controlled manner. Nextcloud is a good example, although I don't know how the handle is showing files to the user, but I know that it always displays the file path in the url. I guess it checks the user permissions from the database

Yes obviously, it's just for the sake of demonstration. Typically a tainted value would pass through many functions to reach a sink like this.

for the sake of ctf players ✌

use parametrised queries for values that you need to pass to the query

They can't because of tons of best practices followed in Symfony components and it's eco system. Most verns are patched on zero day, and they don't allow stupid things like these. Besides, php is usually jailed by basepath so that it only has access to its own directories it's running and also there's blacklisted function list disabling sys, exec and most system funcrions required to exploit it further. The pentestors won't show you that as it's part of their job to review if configs are correct or not and have no security holes. Let alone pimut it behind proxy and then let them try to access shell lol :) P.S. Typos

In Laravel everything is encrypted by default, there's also anti-spam and input cleaner (to prevent SQL injection) by default and CSRF token are mandatory for a form to work under Post request. There's a way more of things to say but in general, the application is "safe" to a certain extend right when starting a project. The #1 source of hacks and stuff are from humans sources not from the code himself. I personally don't let the admins i manage choose their personal password and i force the system to change their password each week or month, at least each year. A teacher told me one day "you gotta understand that by essence you can hack everything because everything is only 0 & 1 BUT depending on the complexity of those 0 & 1 that will need a more robust machinery, more investment and more important, more time". I always try to make things the more difficult for hackers so they give up, the most basic thing when i set up HTTPS on Apache serv is to change the encryption key each day, if possible multiple times each day. Btw for the HTTPS i use Win-Acme, it's a great interface, you set it up in like 2mins in a new machine, this already have auto schedule task built-in, you don't even have to ask for it AND this have a custom plugin feature in C# so you can really do great things, i honestly only install Apache24 (apache lounge) servers, with the right config it's solid af. Also about Laravel, always do the following at the start of a project: - Install IDE Helper - Install PHP Stan + Larastan - Install Laravel Pint I personally have created differents Makefile that i only have to copy into projects, upon them on my Laravel projects i alway have a Makefile that will do all the Laravel feature like clear:view, cache-config, optimize, dump autoload and go on and the ones i've said earlier like Php Stan and stuff just by puting into the console "make all" or if i only want to manage the cache "make all-cache" :) If you want the Make config i use for my Laravel 10 projects i'll be glad to share, only @ me ^^ LAST EDIT: Don't forget the modsecurity of Apache24 it's a must have.

What? That is just to get an LFI primitive to demonstrate the real issue, the pearcmd RCE technique. In reality you would have a legitimate LFI primitive and substitute it with what is demonstrated

@@xB-yg2iw LFI (local file inclusion) by directly using user input? Yeah, no. Thats like demonstrating "the real issue" at breaking into a house with a no locked door, where the "technique" is like "open the door from the inside" or so.

@@CottonInDerTube If you are clueless enough to not see that the LFI primitive used is irrelevant I don't know what else to say to you.

@@CottonInDerTube The thing is that usually people try to escalate from LFI to RCE using web server log poisoning, and he is showcasing a way to get RCE without log poisoning. And LFI via direct user input is still a thing, it's not hard to find websites with that using some dorks for LFI.

No, not even gmail itself has your password in plain text

@@David-pz4cj 😯😯

Bold of you to assume that people keep their php apps up-to-date 😄. I just finished a contract that involved updating php 5 and php 7 apps to php 8. Most organizations just set up Wordpress and never do anything to manage the underlying infrastructure, or even Wordpress itself. In a perfect world, this wouldn't be an issue because everyone would be on current versions of things, but that's not the case.

@@yramagicman675 you never did some penetrations testing in real time right!?

No but the frameworks you use do this for you

@@damiendye6623 lol 😂

nope, too late brother

Lol.🤣🤣🤣 No your not.😂😂😂

tf you talking about ?

y u say dis GUI boy ? @@kiyu3229

@@margarita8442 i am just asking what the fuck you are talking about

Why are you here then? (If you're so great).😒 I don't understand why people say things like that, because it's like? Why are you here, if you're not an (script kiddie)? People like you are l...a...m...E.😎

Everyone is a script kiddy in the beginning. That’s where you start.