Well, I looked a little into RFI and PHP security and found this include code in DVWA:
<?php
$file = $_GET['page']; //The page we wish to display
// Only allow include.php
if ( $file != "include.php" ) {
echo "ERROR: File not found!";
echo "$file";
exit;
}
include($file);
?>
Well, I don't understand why this code is not secure. I talked with some security people and they say this code is not secure and I shouldn't use it. I know that it's better to turn off the include option, but I think this filter can't be bypassed.
I tried a lot of common attacks, and none of them passed it. I would be glad to hear your opinions.
As I have already said in a comment to your question on Security.SE, my impression of the high level challenges of DVWA that I have seen so far is that they are supposed to be safe. There have been other questions about the exploitability of high level challenges (especially the SQL injection: #1, #2, #3), and the unanimous opinion tends towards non-exploitable.
The high level file inclusion challenge, where your code is taken from, is likewise: include only gets reached if the condition $file != "include.php" is not fulfilled, as otherwise exit will terminate the runtime. Since $file's value is taken from $_GET['page'], it is a string (e.g., ?page=foo), an array (e.g., ?page[foo]=bar), or null (e.g., only ?page or missing entirely).
Now let's see what happens when comparing these types with a string:
null is only equivalent to an empty string
So the only way to get past this if is ?page=include.php, as otherwise the include would not be reached due to the positive if condition.
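To make the type reasoning above concrete, here is an added example (not from the answer and not DVWA code) that runs the same loose comparison over each kind of value $_GET['page'] can carry, and then goes one step beyond the page: it shows why the check only holds because "include.php" is a non-numeric string. The sample query strings are constructed; reaches_include() and reaches_include_numeric() are names chosen here.

```php
<?php
// Added example: exercises the DVWA high-level filter against the value
// types $_GET['page'] can take. Returns true when include() would be reached.
function reaches_include($file): bool
{
    if ($file != "include.php") {
        return false;          // DVWA prints the error and exit()s here
    }
    return true;
}

// Constructed inputs: query string -> what $_GET['page'] becomes.
$cases = [
    '?page=include.php'      => "include.php",       // string, exact match
    '?page=include.php%00'   => "include.php\0",     // different string (NUL byte), length differs
    '?page=../../etc/passwd' => "../../etc/passwd",  // classic LFI attempt
    '?page[foo]=bar'         => ['foo' => 'bar'],    // array: never loosely equal to a string
    '?page'                  => "",                  // present but empty
    '(missing)'              => null,                // absent: null compares like ""
];

foreach ($cases as $query => $value) {
    printf("%-26s -> %s\n", $query, reaches_include($value) ? 'include reached' : 'blocked');
}
// Only the first line reports "include reached".

// Generalization (not on the page): loose != compares two numeric strings
// numerically. If the allowed name were numeric, other spellings of the same
// number would pass the check while naming a different file.
function reaches_include_numeric($file): bool
{
    if ($file != "10") {       // loose comparison, as in the DVWA code
        return false;
    }
    return true;               // include($file) would follow here
}

var_dump(reaches_include_numeric("10"));   // true: exact match
var_dump(reaches_include_numeric("1e1"));  // true: "1e1" == "10" numerically, yet include("1e1") is another path
var_dump(reaches_include_numeric("010"));  // true: same reason
// Replacing != with !== (strict comparison) makes all but the exact match false.
```

The take-away for a reviewer is that the DVWA check is sound for the literal it uses, but its safety rests on a property of that literal rather than on the comparison operator; a strict !== removes the dependence.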
This is very safe, except that you are echoing the file without htmlentities(), so there is an XSS flaw.
POC : mywebsite.com/script_name.php?page=<script>alert('XSS')</script>
Another way to do it is:
<?php
$whitelist = array('include.php','some_other_file.php','another.php');
$file = $_GET['page'] ?? ''; // The page we wish to display (empty when absent)
if (!in_array($file, $whitelist, true)){ // strict: no loose type comparison
    header("Location: /");
    exit; // header() does not stop the script; without exit the include below still runs
}
include($file);
?>
Even the "file not found" message is too much; if someone tries to mess with your application, you must tell them as little as possible.
Personally I would simply redirect to your homepage using the PHP header() function.
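As an added example (not the answerer's code), here is the whitelist idea taken one step further: the request selects a key, the key maps to a fixed path, and user input is never passed to include() at all, so neither a NUL byte nor a path traversal string can reach the filesystem. The PAGES map, resolve_page() and the file names are assumptions made for this example; the answer above would redirect instead of printing an error, and if an error is printed the only reflected text is HTML-escaped, which addresses the XSS in the original echo.

```php
<?php
// Added example: key-to-path dispatch instead of including user input.
declare(strict_types=1);

// Hypothetical page table; the request never supplies a path, only a key.
const PAGES = [
    'include' => __DIR__ . '/include.php',
    'about'   => __DIR__ . '/about.php',
];

// Resolve the requested key to a file path, or null when it is not listed.
// Only strings are accepted: ?page[x]=y arrives as an array and is rejected
// before any string comparison happens.
function resolve_page($key): ?string
{
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return PAGES[$key];
}

$requested = $_GET['page'] ?? null;
$path = resolve_page($requested);

if ($path === null) {
    http_response_code(404);
    // If the input is reflected at all, escape it; otherwise
    // ?page=<script>alert('XSS')</script> is exactly the flaw in the DVWA echo.
    // Non-string input (arrays) is not reflected.
    $shown = is_string($requested)
        ? htmlspecialchars($requested, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : '';
    echo 'ERROR: page not found ' . $shown;
    exit; // stop here; without exit the include below would still run
}

include $path;
```

With this layout a whitelist typo cannot turn into a file inclusion, because the worst a wrong key can do is select another entry of PAGES, and the exit after the error response is what actually prevents fall-through to include.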