Just a few days ago I wrote this code:
```php
// Split PATH_INFO on '/'; element [1] is the first path segment after the leading '/'.
$pathinfo = explode('/', $_SERVER["PATH_INFO"] ?? '');
$action = $pathinfo[1] ?? '';
// ctype_lower() only accepts [a-z]+, so '/', '.', ':' and NUL never reach the filesystem,
// and the __DIR__ prefix pins the lookup to this script's own directory.
if (ctype_lower($action) && file_exists(__DIR__ . "/$action.php")) {
    require_once __DIR__ . "/$action.php";
} else {
    header("HTTP/1.0 404 Not found");
    error_out("No such entrypoint"); // application's own error helper, not shown here
}
```
Here I am taking the name of the action provided in the URL and loading a module with that name.
You could have the same functionality with this slightly simpler condition:
```php
if (file_exists("$action.php")) {
    require_once "$action.php";
}
```
which would exhibit the mentioned remote execution vulnerability (if allow_url_fopen is enabled), or even allow reading unexpected files (think of $action = "/etc/mysecret\0" scenarios).
(By splitting on '/' above that, it is possible that it would not work, as you would need a protocol which doesn't use a /. The file reading would clearly still be problematic on Windows, though.)
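As an added illustration (not the answer's own code), the two conditions above side by side, run over a few constructed PATH_INFO values against a temporary module directory, so the effect of the ctype_lower() gate is visible without a web server. The module name `login` and the temp directory are assumptions of this example.

```php
<?php
// Loose resolver: the "slightly simpler condition", only file_exists() decides.
function resolve_loose(string $pathinfo, string $dir): ?string
{
    $action = explode('/', $pathinfo)[1] ?? '';
    $candidate = "$dir/$action.php";
    return file_exists($candidate) ? $candidate : null;
}

// Strict resolver: ctype_lower() accepts only [a-z]+ (and rejects ''), so
// '/', '.', ':', NUL and upper case are refused before any filesystem call.
function resolve_strict(string $pathinfo, string $dir): ?string
{
    $action = explode('/', $pathinfo)[1] ?? '';
    if (!ctype_lower($action)) {
        return null;
    }
    $candidate = "$dir/$action.php";
    return file_exists($candidate) ? $candidate : null;
}

// Constructed module directory holding one legitimate entry point.
$dir = sys_get_temp_dir() . '/modules_' . getmypid();
mkdir($dir);
file_put_contents("$dir/login.php", "<?php // constructed module\n");

$inputs = [
    "/login",     // legitimate action
    "/Login",     // mixed case: ctype_lower() rejects it; matters on case-insensitive filesystems
    "/http:",     // what a URL wrapper would look like after the split; ':' is rejected
    "/login\0",   // NUL byte: file_exists() returns false or throws, depending on PHP version
    "/",          // empty action
];
foreach ($inputs as $in) {
    try {
        $loose = resolve_loose($in, $dir) ?? 'null';
    } catch (ValueError $e) {
        $loose = 'ValueError';
    }
    $strict = resolve_strict($in, $dir) ?? 'null';
    printf("%-12s loose=%-32s strict=%s\n", json_encode($in), $loose, $strict);
}

unlink("$dir/login.php");
rmdir($dir);
```

Only `/login` passes the strict resolver; every other input is refused by ctype_lower() before the path is ever built.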
system($_GET['whatever']) (even worse than a simple remote file execution vulnerability) and had no problem finding a number of examples of such code in live plugins – Conor Mancone Oct 16 '18 at 20:36