The Insecurity of PHP Includes
by jumbobrian (jumbobrian@yahoo.com)

PHP is a powerful scripting language often used on the web today. Like many other programming languages, it uses something called "includes" to save people the time of retyping functions and variables and whatnot. One common usage for an include file is to open a connection to a database. This is what we are going to be exploring in this article.

First off, I'm going to assume that you have a webserver running PHP already configured. You shouldn't need any other programming knowledge.

Next, we're going to run a simple Google search. The great thing about Google is that it allows you to search for phrases and not just individual words by quoting the phrase (as in "The Hacker Quarterly"). Enter this as the search query: "Index of" ".php.inc". Be sure to include the quotes.

Now let me explain the search. "Index of" is a phrase commonly used by web servers when displaying a list of files on the server. ".php.inc" is the extension of the file we're looking for. Remember how we're trying to find a database connection? Well, to do this, look through some of the search results and the lists of files you get. Although any .php.inc or .inc file is fine, look for obvious names like "database.php.inc" or "db.inc".

Now open the file you found. After you do this, one of three things is likely to happen. Number one, the file will open and a text file will be displayed to you. Number two, you may get an empty page. Number three, the server will say you don't have access to the file. If you got the blank page, PHP on that server is configured to execute PHP scripts even on .inc files. Try another server. If a message came up saying you don't have access to the file, try another server. If a text file loaded, congratulations.

Now we're going to be looking for some keywords. Do a search on the text file, looking for the words "mysql_connect" and "mysql_pconnect". These are functions used in PHP, and if you find either of them on the page, chances are you have the username and password for the MySQL server. The format should be:

    mysql_connect("server", "username", "password");

If you don't see a username, but rather something like "$DB_Username", look for the variable $DB_Username on the page and see what it is equal to. Copy down the server, username, and password.

Now here's the fun part. Make a .php file that connects to the server and displays a list of the individual databases on the server:

    <?php
    // connect with the details copied out of the include file
    $dblink = mysql_connect("server", "username", "password");
    // ask the server for its database list and print one name per line
    $db_list = mysql_list_dbs($dblink);
    while ($row = mysql_fetch_object($db_list)) {
        echo $row->Database . "\n";
    }
    ?>

Upload this file to your server, run it, and see what happens. If you get a list of databases, it worked. If you get an error about not having permission to access the server, look back in the includes for another username/password or try another server.

Now that you have a list of databases, keep messing around with PHP. Look on php.net for help with these functions: mysql_list_tables, mysql_select_db, mysql_query, or any other MySQL functions you dare to try. Also, if you happen to notice that the server uses MS-SQL or any other database, search php.net for help with those functions.

Finally, please check your own server so that someone doesn't do this to you. The simplest way is to change the file extensions to ".inc.php". This way, the script is always going to execute as PHP. PHP is a powerful language, but it still requires some common sense in making it secure.

Shoutouts to: methodic, whose article in 20:3 inspired me to write this one. And mike, for all the PHP help over the years.
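As an added example for that last step (not part of the original article), here is a small audit script you can run against your own document root to find include files that the web server would hand out as plain text instead of running through PHP, and to flag the ones that carry a database connection call. It is written for a POSIX shell; the directory layout, file contents, host name and credentials it builds for its demo are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added defensive audit (example code, not from the article): walk a document
# root, report include files that a web server serves as plain text, and tag
# those holding a mysql_connect()/mysql_pconnect() call. Every path and file
# body used by the demo below is constructed for illustration.

# list_exposed_includes DOCROOT
#   Prints one line per file under DOCROOT whose name ends in ".inc" (this also
#   matches ".php.inc"). Such files are not handled by the PHP engine unless the
#   server is explicitly configured to do so, so their source is readable by
#   anyone who can reach the URL. Files with a connection call are tagged
#   CREDENTIALS, the rest EXPOSED.
list_exposed_includes() {
    find "$1" -type f -name '*.inc' | sort | while IFS= read -r f; do
        if grep -qE 'mysql_p?connect[[:space:]]*\(' "$f"; then
            printf 'CREDENTIALS %s\n' "$f"
        else
            printf 'EXPOSED %s\n' "$f"
        fi
    done
}

# count_exposed_includes DOCROOT
#   Number of files list_exposed_includes would report; 0 means clean.
count_exposed_includes() {
    list_exposed_includes "$1" | wc -l | tr -d ' '
}

# make_sample_docroot
#   Builds a throwaway document root with constructed sample files and prints
#   its path. Nothing in it is real; the host and credentials are placeholders.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/lib"
    # served as text, and carries a connection call with sample credentials
    printf '%s\n' '<?php' \
        '$dblink = mysql_connect("db.example.invalid", "sampleuser", "samplepass");' \
        '?>' > "$d/db.php.inc"
    # served as text, but holds no credentials
    printf '%s\n' '<?php function greet() { return "hi"; } ?>' > "$d/lib/helpers.inc"
    # ends in .php, so the article's own fix applies: executed, never shown
    printf '%s\n' '<?php $DB_Username = "sampleuser"; ?>' > "$d/config.inc.php"
    printf '%s\n' '<?php require "config.inc.php"; ?>' > "$d/index.php"
    echo "$d"
}

# Stand-alone run: build the sample tree, report on it, and clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_docroot)
    list_exposed_includes "$root"
    echo "exposed include files: $(count_exposed_includes "$root")"
    rm -rf "$root"
fi
```

Run it with "--demo" and it reports the two constructed .inc files (one tagged CREDENTIALS) while staying silent about config.inc.php, which is exactly the rename the article recommends. Point list_exposed_includes at a real document root to audit your own server. Two stronger fixes also leave the report empty: keeping include files outside the document root altogether, so that no URL maps to them, or denying them in the server configuration (in Apache 2.4, a FilesMatch block for "\.inc$" with "Require all denied"), which protects files you forget to rename.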