File Inclusion/Local File Inclusion/Local File Disclosure
Using this knowledge, the attacker can then specify a file on the remote host that the PHP server has permission to read, and that file will be displayed in the web page. For example, the file that contains the registry on Windows is ntusers.dat in the Windows directory. The attacker may request the URL:
/local.php?file=../../../../../../../../../../../../../WINDOWS/ntusers.dat
Similarly, on a Linux server:
/local.php?file=../../../../../../../../../../../../../etc/passwd
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker's web browser. The first time the attacker sees a URL containing .php?file=, the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will most likely attempt a local file inclusion instead. Both of these techniques can be used for cross-site scripting attacks.
A null byte can be used to prevent concatenation in a script. For example, many scripts append '.php' to a user-supplied string before passing it to include. Appending a null byte (%00) will often short-circuit this, allowing an attacker to include any file, regardless of extension.
If the remote host is a UNIX- or Linux-based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:
/local.php?file=../../../../../../../../../../../../../etc/passwd
Or using a null byte:
/local.php?file=../../../../../../../../../../../../../etc/passwd%00
Because the file is being included rather than merely read, the attacker can view it if it is a text file, or execute any PHP code it contains.
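The following Python is an added illustration, not code from the original page: it models the include-path handling described above (a '.php' suffix appended to the user-supplied value, truncated by a null byte as old PHP versions did) beside a hardened resolver that rejects null bytes, allowlists page names, and confirms the resolved path stays inside the intended directory. The web root, pages directory and allowlist are constructed assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed layout for this example; no real server is involved.
WEBROOT = "/var/www/html"
PAGES_DIR = os.path.realpath(os.path.join(WEBROOT, "pages"))
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist


def vulnerable_resolve(file_param: str) -> str:
    """Path that include($_GET['file'] . '.php') would try to open.

    Mimics two legacy behaviours: the query value arrives URL-decoded, and
    a NUL byte truncated the path in PHP before 5.3.4 because filesystem
    calls treat it as a C string terminator. That truncation is what drops
    the appended '.php' and lets an arbitrary file be included.
    """
    path = unquote(file_param) + ".php"
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]  # the '.php' suffix is lost here
    return os.path.normpath(os.path.join(PAGES_DIR, path))


def safe_resolve(file_param: str) -> Optional[str]:
    """Hardened resolution: reject NUL bytes, require the name to be on the
    allowlist, and verify the canonical path is still under PAGES_DIR.
    Returns None when the request is rejected."""
    name = unquote(file_param)
    if "\x00" in name or name not in ALLOWED_PAGES:
        return None
    candidate = os.path.realpath(os.path.join(PAGES_DIR, name + ".php"))
    # Containment check on the canonical path defeats any '../' that slipped
    # past the allowlist, and any symlink inside PAGES_DIR pointing outward.
    if os.path.commonpath([candidate, PAGES_DIR]) != PAGES_DIR:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../../../../../../../../../etc/passwd"
    print(vulnerable_resolve(traversal))          # suffix still appended
    print(vulnerable_resolve(traversal + "%00"))  # suffix truncated away
    print(safe_resolve(traversal + "%00"))        # rejected
    print(safe_resolve("home"))                   # allowed page
```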