Anatomy of a Web Attack: Deconstructing -include-..-2F..-2F..-2F..-2Froot-2F

Introduction: What You Are Looking At

At first glance, the string -include-..-2F..-2F..-2F..-2Froot-2F looks like gibberish. To a security professional, it is a recognizable pattern of URL encoding and directory traversal mixed with application logic.

It is important to address a query like this directly: the string -include-..-2F..-2F..-2F..-2Froot-2F appears to be an attack payload, likely attempting to exploit web application file inclusion vulnerabilities. This article will explain exactly what that payload means, how it works, and, most critically, how to defend against it.

If allow_url_include is on and the attacker controls a remote file, they could inject a web shell.

How to Defend Against This Payload (For Developers & Sysadmins)

1. Never Trust User Input in File Paths

Do not allow user-supplied strings to be passed directly to include(), require(), file_get_contents(), or fopen().

2. Whitelist Valid Inputs

Instead of:

include($_GET['page']);

Use:

// Only pages named in the allow-list can ever be included
$allowed = ['home', 'about', 'contact'];
if (in_array($_GET['page'], $allowed, true)) include('pages/' . $_GET['page'] . '.php');

3. Sanitize and Canonicalize Paths

Remove .., ./, %2F, %5C, and obfuscated variants like -2F, then resolve the path and confirm it still lies under the web root:

$base = '/var/www/html/';
// Strip traversal tokens (defence in depth only; a blacklist by itself is not sufficient)
$input = str_replace(['..', './', '-2F', '%2F', '%5C', '\\'], '', $_GET['file']);
// realpath() resolves symlinks and '..' and returns false if the file does not exist
$real = realpath($base . $input);
if ($real === false || strpos($real, $base) !== 0) die('Invalid path');

Detection: Search Web Server Logs

Request patterns worth searching for in access logs:

GET /index.php?page=-include-..-2F
GET /*.php?*-include-*
GET /*.*-2Froot-2F

Tools like grep can search access logs for these patterns.
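Grepping for the literal patterns above misses the encoded variants the article warns about (%2F, %5C, double encoding, the -2F obfuscation). The following is an added example, not code from the article: it normalizes the request target of each access-log line before testing for ../ and returns the lines that match. The log lines are constructed samples, and treating -2F as a disguised %2F is an assumption based on the payload shown on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log request lines (not real traffic).
SAMPLE_LOG = [
    'GET /index.php?page=home HTTP/1.1',
    'GET /index.php?page=-include-..-2F..-2F..-2F..-2Froot-2F HTTP/1.1',
    'GET /view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1',
    'GET /view.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1',
    'GET /about.php?section=contact HTTP/1.1',
    'GET /files/report..pdf HTTP/1.1',
]

# '../' or '/..' after normalization; backslashes are already folded to '/'.
TRAVERSAL = re.compile(r'\.\./|/\.\.')


def normalize(value: str, max_rounds: int = 5) -> str:
    """Collapse the encodings used to hide '../' from naive string filters."""
    # Assumption: '-2F', '-5C', '-2E' are '%'-swapped-for-'-' obfuscations
    # of '/', '\' and '.', as in the payload discussed above.
    value = re.sub(r'-(2[eEfF]|5[cC])', r'%\1', value)
    # Decode repeatedly so double encoding (%252F -> %2F -> /) is flattened.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/').lower()


def is_traversal_attempt(request_line: str) -> bool:
    """True if the request target contains a traversal sequence once decoded."""
    parts = request_line.split()
    target = parts[1] if len(parts) > 1 else request_line
    return bool(TRAVERSAL.search(normalize(target)))


def scan_log(lines):
    """Return only the log lines that look like traversal / inclusion attempts."""
    return [line for line in lines if is_traversal_attempt(line)]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print('suspicious:', hit)
```

The benign lines (a plain page name and a file called report..pdf) are not flagged, while the plain, single-encoded, double-encoded and -2F-obfuscated traversals all are.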