PHP Remote File Inclusion

Added: 01/28/2010


PHP scripts support the include and require statements, which cause an outside script to be run within the calling script. The included script can be a local file or, in some configurations, the URL of a remote file.


The PHP script is vulnerable to a remote file inclusion vulnerability. This vulnerability typically arises due to an include or require command where the included file path can be manipulated by a remote user via a specific HTTP input parameter. A remote attacker could execute arbitrary PHP commands on the target by specifying the URL of a PHP script on his or her own server in the input parameter.


Fix the vulnerable code so that included path names cannot be manipulated by the user.

The vulnerability can also be mitigated by setting the following variables in the PHP configuration file:

register_globals = Off
allow_url_include = Off
safe_mode = On



This exploit works against Unix and Linux operating systems.

The exploit requires the register_globals and allow_url_include PHP settings to be on, and the safe_mode PHP setting to be off.

The telnet and mkfifo programs must exist on the target in order for the shell connection to be established.
Back to exploit index