The Insecurity of PHP Includes
by jumbobrian (jumbobrian@yahoo.com)
PHP is a powerful scripting language often used on the web today. Like
many other programming languages, it uses something called "includes" to save
people the time of retyping functions and variables and whatnot. One common
usage for an include file is to open a connection to a database. This is what
we are going to be exploring in this article.
First off, I'm going to assume that you have a webserver running PHP
already configured. You shouldn't need any other programming knowledge. Next,
we're going to run a simple Google search. The great thing about Google is
that it allows you to search for phrases and not just individual words by
quoting the phrase (as in "The Hacker Quarterly"). Enter this as the search
query: "Index of" ".php.inc". Be sure to include the quotes. Now let me explain
the search.
"Index of" is a phrase commonly used by web servers when displaying a
list of files on the server.
".php.inc" is the extension to a file we're looking for.
Remember how we're trying to find a database connection? Well, to do this,
look through some of the search results and the list of files you get.
Although any .php.inc or .inc file is fine, look for obvious names like
"database.php.inc" or "db.inc". Now open the file you found. After you do
this, one of three things is likely to happen. Number one, the file will open
and a text file will be displayed to you. Number two, you may get an empty
page. Number three, the server will say you don't have access to the file.
If you got the blank page, PHP on that server is configured to execute
PHP scripts even on .inc files. Try another server. If a message came up
saying you don't have access to the file, try another server.
If a text file loaded, congratulations. Now we're going to be looking for
some keywords. Do a search on the text file, looking for the words
"mysql_connect" and "mysql_pconnect". These are functions used in PHP, and if
you find any of them on the page, chances are you have the username and password
for the mysql server. The format should be:
mysql_connect("server", "username", "password");
If you don't see a username, but rather something like "$DB_Username", look for
the variable $DB_Username on the page and see what it is equal to. Copy down
the server, username, and password.
Now here's the fun part. Make a .php file that connects to the server and
displays a list of the individual databases on the server:
<?php
// Connect using the server, username, and password copied from the include file.
$dblink = mysql_connect("server", "username", "password");
// Ask the server for the databases this account is allowed to see.
$db_list = mysql_list_dbs($dblink);
// Print one database name per line.
while ($row = mysql_fetch_object($db_list)) {
    echo $row->Database . "\n";
}
?>
Upload this file to your server, run it, and see what happens. If you get
a list of databases, it worked. If you get an error about not having permission
to access the server, look back in the includes for another username/pass or
try another server.
Now that you have a list of databases, keep messing around with PHP. Look
on php.net for help with these functions:
mysql_list_tables
mysql_select_db
mysql_query
or any other MySQL functions you dare to try. Also, if you happen to notice
that the server uses MS-SQL or any other database, search php.net for help with
those functions.
Finally, please check your own server so that someone doesn't do this to
you. The simplest way is to change the file extensions to ".inc.php".
This way, the script is always going to execute as PHP. PHP is a powerful
language but it still requires some common sense in making it secure.
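One way to do that check on your own machine, as an added example that is not part of the original article: walk the document root, list every file whose extension the web server would serve as text (the ".inc" and ".php.inc" names the search above targets), flag the ones containing a mysql_connect or mysql_pconnect call, and print the ".inc.php" name the article recommends. The demo web root, its file names and the credentials inside them are constructed for the demo; the function and variable names are my own.

```python
# Added example, not part of the original article: audit your own document
# root for include files the web server would hand out as plain text.
# The demo web root and everything in it are constructed for this demo.
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions from the article's search query; unless the server is told
# otherwise, files with these names are sent to the browser, not executed.
# Longest suffix first so "database.php.inc" is handled before plain ".inc".
EXPOSED_SUFFIXES = (".php.inc", ".inc")

# The calls the article looks for once it has a readable include file.
CRED_PATTERN = re.compile(r"\bmysql_p?connect\s*\(")


def is_exposed_include(filename: str) -> bool:
    """True if the name ends with an extension the server does not run as PHP."""
    return filename.lower().endswith(EXPOSED_SUFFIXES)


def suggested_name(filename: str) -> str:
    """Apply the article's fix: make the file end in .inc.php so it always executes."""
    lower = filename.lower()
    for suffix in EXPOSED_SUFFIXES:
        if lower.endswith(suffix):
            return filename[: -len(suffix)] + ".inc.php"
    return filename


def find_exposed_includes(webroot: str) -> List[Dict[str, object]]:
    """Walk the document root; report every exposed include and whether it
    contains a database connect call (credentials in the clear)."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in sorted(files):
            if not is_exposed_include(fname):
                continue
            path = Path(dirpath) / fname
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable by us, so not readable by the web server either
            findings.append({
                "path": path.relative_to(webroot).as_posix(),
                "has_credentials": CRED_PATTERN.search(text) is not None,
                "rename_to": suggested_name(fname),
            })
    return findings


def build_demo_webroot() -> str:
    """Create a constructed document root mirroring the article's scenario."""
    root = tempfile.mkdtemp(prefix="demo_webroot_")
    files = {
        "index.php": "<?php include 'includes/db.inc'; ?>",
        # Constructed credentials, laid out the way the article describes.
        "includes/db.inc": '<?php $dblink = mysql_connect("localhost", "app", "s3cret"); ?>',
        "lib/helpers.inc": "<?php function h($s) { return htmlspecialchars($s); } ?>",
        # Already renamed per the article's advice: executes as PHP, not flagged.
        "config.inc.php": '<?php $DB_Username = "app"; ?>',
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def audit_demo() -> List[Dict[str, object]]:
    """Run the audit over the constructed web root and return its findings."""
    return find_exposed_includes(build_demo_webroot())


if __name__ == "__main__":
    # Pass your real document root as the first argument; otherwise the demo runs.
    target_root = sys.argv[1] if len(sys.argv) > 1 else build_demo_webroot()
    for f in find_exposed_includes(target_root):
        flag = "CREDENTIALS" if f["has_credentials"] else "exposed"
        print(f"{flag:11} {f['path']}  -> rename to {f['rename_to']} "
              "or move it outside the web root")
```

Run it against your real document root (for example "python audit_includes.py /var/www/html") and act on every line it prints. Renaming to ".inc.php" is the quick fix the article gives; keeping include files outside the document root altogether, or denying them at the server (in Apache 2.4, a FilesMatch block for "\.inc$" with "Require all denied"), means a misconfigured handler can never expose them in the first place.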
Shoutouts to: methodic, whose article in 20:3 inspired me to write this one.
And mike, for all the PHP help over the years.