I came across a website that was vulnerable to LFI (local file inclusion). However, the inclusion was done using a require_once, and the script appended a .php extension to the end of the file name. Furthermore, it was not vulnerable to null byte injection, which meant that if I did include a file:
- The file would have to be valid PHP syntax
- I would not be able to see anything contained between <? ?> tags
- Anything I could include would be executed.
- The file would have to end in the PHP extension
I tried to see if I could include remote files by specifying a URL as the parameter; sadly, allow_url_include was turned off, so that failed. When I specified a valid PHP page, it simply returned the normal page as expected.
The solution that allowed me to view the source of any PHP file was to use the function php://filter/convert.base64-encode/resource, which has been available since PHP 5.0.0.
This forces PHP to base64 encode the file before it is used in the require statement. From this point it's a matter of then decoding the base64 string to obtain the source code for the PHP files. Simple yet effective.
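
For the defending side, the pattern described above next to a hardened form, as an added example that is not code from the site in question: the request value is used only as a key into a fixed map, so a php:// wrapper or a traversal string never reaches require_once. The page keys, file names and directory layout are assumptions made for the demo.

```php
<?php
// Added example; page keys, file names and layout are assumptions.

// Vulnerable pattern described in the post: the request value reaches
// require_once unchanged, so a stream wrapper such as php://filter is
// honoured and the ".php" suffix only limits which files can be named.
function load_page_vulnerable(string $page): void
{
    require_once $page . '.php';
}

// Hardened form: the request value is only a lookup key into a fixed map,
// so no user-controlled bytes ever become part of the included path.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // unknown key: wrappers, traversal, anything else
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: the file must exist and resolve inside $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding a single page file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page', PHP_EOL;");

// Constructed inputs: one valid key, the wrapper from the post, a traversal
// string, and a mapped key whose file is missing on disk.
$inputs = ['home', 'php://filter/convert.base64-encode/resource=home', '../../etc/passwd', 'contact'];
foreach ($inputs as $input) {
    $path = resolve_page($input, $dir);
    if ($path === null) {
        echo "rejected: $input", PHP_EOL;
    } else {
        require_once $path;
    }
}
```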