I'm testing one of our PHP web applications for security issues.
The system the code is running on runs with at least PHP7.2.
Now I found something like the following in the code (simplified for this question, but boils down to this):
$file = $_GET['file'];
$path = "/some/directory/" . $file;
$path = str_replace(['../', '..'], '', $path);
echo file_get_contents($path);
Is it possible to modify the file parameter in a way that we can escape /some/directory, so that after the str_replace() the file_get_contents()-call looks something like: file_get_contents(/some/directory/../../etc/passwd)?
Edit:
I can't change the order of code execution. I can only define the value of $_GET['file'] with my request.
Furthermore I know how to make this more secure but for my research I intend to break it.
Basically what needs to be done is somehow tricking out the str_replace() into leaving some ../ behind.
I tried for a few hours now, with various approaches, but - luckily for our application - couldn't get it working.
Do you have any ideas?
You can fiddle around with the code here: https://3v4l.org/3ehYA