digininja/DVWA

file inclusion error

cmq104 opened this issue · 7 comments

Questions here may or may not be answered depending on the state of the question. To increase your chance, read this before asking: Asking For Technical Help.

Basically, the more details you give, the more chance of getting an answer. We need at least:


Notice: Array to string conversion in /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php on line 77
  • The error you got when you got stuck.

image

I wrote a Python script to detect path traversal vulnerabilities, and it reports an Array to string conversion error.

My setup is in the following picture:
image

  • Any previous errors.
  • No.
  • What you have tried to do yourself to fix the problem.
    At first I used dotdotslash (another GitHub project which can detect path traversal), and it reported an Array to string conversion error.
    Then I tried putting the payload in the URL, and it works.
    image
    Then I wrote a Python script using ChatGPT, trying to find out if it's dotdotslash's problem, but it shows the same error.

Support will only be given for users running the latest pull of code from GitHub. Not a tagged release, not a pre-installed app, not a ZIP you got from a mate.

It looks like you aren't running the latest version of DVWA

This is line 77 along with context and that line is not going to throw the error you are seeing.

 70 
 71     session_set_cookie_params([
 72         'lifetime' => $maxlifetime,
 73         'path' => '/',
 74         'domain' => $domain,
 75         'secure' => $secure,
 76         'httponly' => $httponly,
 77         'samesite' => $samesite
 78     ]);
 79 
 80     session_start();
 81 

Get the latest version of the app from this repo and try again.

I tried two ways to download the latest version, one downloading the code ZIP, one using git clone.
The following picture shows how I ran git clone:
image
and then I copied it into apache2 and restarted apache2
image
but it shows the same error
image
the following picture shows /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php
image

BTW, I don't understand why it can report this error either :(
It seems there is no array to string in line 77.

Let's just check that you are looking at the right file. Edit /var/www/html/DVWA/dvwa/includes/dvwaPage.inc.php and insert three lines of empty comments at the top of the file.
If the report is coming from this file, then the error should move to line 80, if it stays at 77 then something else is going wrong.

I inserted four blank lines at the top
image
and it shows line 81 now
image

Got it, I think you might be running a version of PHP earlier than 7.3, can you check?

The definition of session_set_cookie_params changed from taking individual parameters to being able to take an array with named parameters from 7.3:

https://www.php.net/session_set_cookie_params

Version 7.2 reached end of life in 2020 so I'll count this as an unsupported version and ask you to upgrade to a newer version of PHP.
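
The signature change described above, as an added example that is not DVWA's code or part of the original comments: a guard that uses the options-array form on PHP 7.3+ and otherwise stops with a clear message instead of the "Array to string conversion" notice. The helper name `apply_session_cookie_params`, the `$allowLegacy` flag and the option values are assumptions made for illustration.

```php
<?php
// Added example, not DVWA's code. Option values below are constructed samples.

/**
 * Hypothetical helper: only session_set_cookie_params() is a real PHP API.
 * Returns which call form was used.
 */
function apply_session_cookie_params(array $opts, bool $allowLegacy = false): string
{
    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: a single options array, including 'samesite'.
        session_set_cookie_params($opts);
        return 'array';
    }
    if (!$allowLegacy) {
        // Fail closed with an explicit reason rather than a confusing notice.
        throw new RuntimeException(
            'PHP ' . PHP_VERSION . ' is older than 7.3: session_set_cookie_params() '
            . 'does not accept an options array. Upgrade PHP.'
        );
    }
    // Pre-7.3 positional form: lifetime, path, domain, secure, httponly.
    // It has no samesite parameter, so that attribute is not set here.
    session_set_cookie_params(
        (int) $opts['lifetime'],
        $opts['path'],
        $opts['domain'],
        (bool) $opts['secure'],
        (bool) $opts['httponly']
    );
    return 'positional-no-samesite';
}

$opts = [
    'lifetime' => 86400,
    'path'     => '/',
    'domain'   => '',        // empty: cookie is scoped to the current host
    'secure'   => false,
    'httponly' => true,
    'samesite' => 'Strict',
];

try {
    $form = apply_session_cookie_params($opts);
    session_start();
    echo "session cookie params set using the {$form} form\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```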

I see.
My Linux is Ubuntu 18.04 and apt-get only supplies PHP 7.2.
I'll upgrade my system to 20.04 and try again.
Anyway, thank you very much for your answer.

Problem solved.