Recently my server got hacked and files were uploaded. Right now I'm trying to locate the weak spots, which brought me to php injection. I use the following code to include files:
if (isset($_GET['page'])) {
    $page = $_GET['page'];        // raw request value, no validation
    include("./php/$page.php");   // spliced straight into the include path
}
I've tried something like:
http://badsite.com/badcode.php
example.php");include(...BADCODE HERE...);//
"allow_url_fopen=0" is disabled in the server configuration. I think a white list and/or php functions (htmlentities, strip...) to filter special characters and code by default would make it bulletproof. But still I'm wondering if it is possible to inject bad code anyway as the value of $page is treated as a string?
Is there anything a "user" could enter, that will not end up in php warning "...failed to open stream: No such file or directory..."?
Your code is vulnerable to local file inclusion (LFI). A potential attacker can traverse your file system and include something like:
page=../../uploads/images/1.jpg
The example shows one of the potential exploits for LFI. If you allow image uploads, somebody can upload an image that includes PHP code, and that code will be executed. Other exploits hide PHP code in session files or log files and then include that file through the vulnerability.
In itself the problem is not a big issue, but it can become one when combined with something else. Therefore I would whitelist what pages I allow for $_GET['page'].
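The following is an added example, not code posted by the asker or the answerer. It puts the include pattern from the question next to the whitelist the answer recommends and runs both against a constructed directory tree in a temp folder: two legitimate pages under php/ and a file under uploads/images/ that stands in for an attacker-controlled upload (it only prints a marker). The page names, the directory layout and the marker file are assumptions for the demo; because uploads/ sits one level above php/ here, the traversal is ../ rather than the ../../ in the answer, whose depth depends on the real layout. Note that the code in the question appends ".php" to whatever is supplied, so the file an attacker points at must end in .php, as the demo's upload does; on PHP versions before 5.3.4 a null byte in the value truncated the path, which is why payloads like 1.jpg%00 used to work against this pattern.

```php
<?php
// Added demo (not from the original post): vulnerable include vs. whitelist.
// Assumptions: PHP 7+, a writable temp dir, the page names and files below.
declare(strict_types=1);

$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/php", 0700, true);
mkdir("$root/uploads/images", 0700, true);

// Legitimate pages the site intends to serve.
file_put_contents("$root/php/home.php",  "<?php echo 'home page'; ?>");
file_put_contents("$root/php/about.php", "<?php echo 'about page'; ?>");

// Constructed stand-in for an attacker's upload. A real one would be a web
// shell; this one only prints a marker so we can see that it executed.
file_put_contents("$root/uploads/images/1.php", "<?php echo 'ATTACKER CODE RAN'; ?>");

// 1. The pattern from the question: the request value is spliced into the path.
//    '../' in $page walks out of php/ and include() executes whatever it finds.
function render_vulnerable(string $root, string $page): string
{
    ob_start();
    include "$root/php/$page.php";
    return ob_get_clean();
}

// 2. Hardened: the request value is only ever used as a lookup key in a fixed
//    map. The filename that reaches include() comes from the map, never from
//    the user, so '../', '/', '%00' or anything else in $page is irrelevant.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function render_whitelisted(string $root, string $page): string
{
    if (!array_key_exists($page, PAGES)) {
        return 'unknown page';   // a real app would send a 404 here
    }
    ob_start();
    include "$root/php/" . PAGES[$page];
    return ob_get_clean();
}

$payload = '../uploads/images/1';   // resolves to $root/uploads/images/1.php

echo "vulnerable   page=home    : " . render_vulnerable($root, 'home') . "\n";
echo "vulnerable   page=$payload: " . render_vulnerable($root, $payload) . "\n";
echo "whitelisted  page=home    : " . render_whitelisted($root, 'home') . "\n";
echo "whitelisted  page=$payload: " . render_whitelisted($root, $payload) . "\n";

// Remove the constructed tree.
foreach (["$root/php/home.php", "$root/php/about.php", "$root/uploads/images/1.php"] as $f) {
    unlink($f);
}
foreach (["$root/uploads/images", "$root/uploads", "$root/php", $root] as $d) {
    rmdir($d);
}
```

Run it with `php lfi_demo.php`: the vulnerable function prints "ATTACKER CODE RAN" for the traversal payload, the whitelisted one prints "unknown page". The point of the map is that validation happens by exact key match against a list you wrote, not by trying to strip dangerous characters out of the input; filters such as htmlentities or strip_tags operate on HTML and say nothing about what is a safe path. Use array_key_exists (or in_array with the strict flag set) so that loose comparison cannot turn an unexpected value into a match.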