Enigma Group's Articles
highlight_file to full system compromise - Submitted By: xor 2011-07-01 17:10:23
The highlight_file function in PHP is very useful, both for open source platforms and for someone seeking a way into a website. The goal of this article is to give a little advice on how to go about executing this attack without giving script kiddies the ability to troll Google defacing websites that are vulnerable.

0) Disclaimer

Please do not be a complete moron with this information; just because you CAN deface a site does not mean you should. All the information in this article I found out by myself, so if it looks like an article you read somewhere else, I apologize; I do not mean to steal credit for anything.

1) Why the pages are vulnerable

Quite a few pages that use the highlight_file function take the file input from either a GET or a POST variable. Either way it is coming from the user, and it should be sanitized just like all other data coming from the user. However, that is a lot more work than many webmasters are willing to put into their pages, so they decide to "lock" it to a directory. Many of them do it like this:

<?php
$file = $_REQUEST['file']; // can be $_GET or $_POST too
$file = "code/$file";
highlight_file($file);
?>

2) Exploiting the code

How would you go about exploiting the above code? Let's say you had a URL that looked like this:

http://example.com/vuln.php?file=reader

It would probably then display the output of something like

http://example.com/code/readable/reader.php

which could be

<?php echo "Hello world!"; ?>

Well, what you could do is use LFI (Local File Inclusion) to do something like

http://example.com/vuln.php?file=../../index.php

3) What you can do with it

It all depends on how securely the admin thinks in terms of passwords. You may find the database password, which may be the same as a shell password, an FTP password or their email password. You can honestly do just about anything. I found the CEO's SSN using this technique because their database password and their cPanel password were the same. Like I said, you can do almost anything with it.

4) How to find a page that is vulnerable

Yeah, like I'd come out and say that.

Anyway, hope you liked this article and maybe even learned something from it.

thanks
xor
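As an added example (not part of xor's article), here is the prefix-only "lock" from section 1 beside a hardened viewer that restricts what highlight_file is ever handed. The directory name code and the request parameter file are taken from the article; the function names and the allowlist pattern are assumptions.

```php
<?php
// Added example, not code from the original article.
// Assumes the snippets to display live in a directory named "code" next to this script.

// VULNERABLE: prepending a directory does nothing against "../" in $file,
// so "../../index.php" walks straight out of code/ (the case shown in section 2).
function show_source_vulnerable(string $file): void
{
    highlight_file("code/$file");
}

// HARDENED: accept only a simple file name, resolve it, and refuse anything that
// does not land inside the allowed directory. Returns false on rejection instead of
// echoing, so the caller decides what to send back.
function show_source_safe(string $file): bool
{
    $base = realpath(__DIR__ . '/code');
    if ($base === false) {
        return false; // allowed directory is missing; nothing can be served
    }
    // Allowlist: letters, digits, dash, underscore and exactly one ".php" suffix.
    // This alone already rejects "/", "\" and "..".
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $file)) {
        return false;
    }
    // Defense in depth: realpath() collapses "../" and follows symlinks, so a
    // symlink inside code/ pointing elsewhere is also caught by the prefix check.
    $target = realpath($base . DIRECTORY_SEPARATOR . $file);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    highlight_file($target);
    return true;
}

// Rejected requests get a plain 404 so probing the parameter reveals nothing about
// the file system layout.
$requested = $_GET['file'] ?? '';
if (!show_source_safe($requested)) {
    http_response_code(404);
    echo 'No such snippet.';
}
```

Logging rejected values of the file parameter (rather than just answering 404) gives a cheap detection signal, since legitimate users never send path separators or ".." to this endpoint.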