Arbitrary file read and delete vulnerabilities

Arbitrary file read vulnerabilities and their hazards

By submitting specially crafted input, an attacker can read any file that the web server process is permitted to access, which often yields sensitive files from the server. The vulnerability arises when the file name handed to a file-reading function is not validated, or is validated only loosely: because the user controls that variable, the user chooses which file is read.

Arbitrary file read is a high-risk class of web vulnerability. It can leak source code, database configuration files and similar secrets, leaving the site wide open to further attack.

Common functions for file reading

  1. fopen
  2. file_get_contents
  3. fread
  4. fgets
  5. fgetss (deprecated in PHP 7.3, removed in PHP 8.0)
  6. file
  7. fpassthru
  8. parse_ini_file
  9. readfile

Note: The allow_url_fopen option enables the URL-style fopen wrappers, so that URLs can be opened as if they were files. The built-in wrappers give access to remote files over ftp and http; extensions such as zlib may register further wrappers. For the functions listed above this means that, with allow_url_fopen on, an attacker-controlled file name can also point at a remote URL. Turning allow_url_fopen off only removes the remote wrappers; plain local paths and the php:// wrapper are not affected by it, so it is not a fix for this class of bug.

Code example

<?php
    // Vulnerable on purpose (as in the original post): the file name comes
    // straight from the query string and reaches readfile() unvalidated,
    // so ?file=./config/admin.php reads a file the caller should never see.
    if (isset($_GET['file'])) {
        $filename = $_GET['file'];
        readfile($filename);
    }

This uses the common readfile() function to read the file whose name is passed in the variable directly. For testing, a 2.txt was created in the local folder and a 1.txt in the config folder.
Reading sensitive information: the local configuration file ./config/admin.php.
Another way to read the file: open it with fopen(), read it with fread(), and then output the contents.

demon03.php

<?php
    // Same vulnerability as above, via fopen()/fread() instead of readfile().
    if (isset($_GET['file'])) {
        $filename = $_GET['file'];
//      readfile($filename);
        // $filename is still unvalidated user input; filesize() is called on
        // the same untrusted name, so the whole file is read and echoed.
        $fp = fopen($filename, "r") or die("Cannot read file");
        $data = fread($fp, filesize($filename));
        fclose($fp);
        echo $data;
    }

The effect is the same.

Arbitrary file deletion vulnerability

When an attacker finds a delete function whose file name is not validated, or is validated only loosely, the attacker controls that variable and, combined with directory traversal, can delete files other than the intended ones. The function involved here is unlink(), which deletes the named file.

demon04.php

<?php
    header("Content-Type:text/html;charset=utf-8");
    // Vulnerable on purpose (as in the original post): the only check is
    // file_exists(), which says nothing about whether the caller should be
    // allowed to delete that file, so a traversal path deletes anything the
    // web server process can write.
    $filename = $_GET['file'] ?? '';
    if (file_exists($filename)) {
        unlink($filename);
        echo "<script>alert('Deleted successfully')</script>";
    } else {
        echo "<script>alert('Delete failed')</script>";
    }

After the request is executed, the file has been deleted.

Repair plan

  1. Validate the format of user-supplied parameters strictly, preferably with a regular expression that admits only the expected file names (an allowlist) rather than a list of forbidden characters.
  2. Reject file names containing the ".." directory-traversal sequence. On its own this check is weak, so also canonicalise the path with realpath() and confirm that the result still lies inside the intended directory.
  3. Set open_basedir in php.ini to restrict the files PHP may access, as a second line of defence that holds even if an application check is bypassed.
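The three steps above combined, as an added example written for this page (it is not code from the original post): one resolver that is applied to both the read handler and the delete handler, so that the same checks cover demon03.php and demon04.php. It assumes that user files live in a ./files directory next to the script and that the client passes a bare file name in the file parameter; the directory name, the allowed-name pattern and the action parameter are assumptions made for the example.

```php
<?php
// Added example for this page, not code from the original post.
// Assumptions: user files live under ./files beside this script; the client
// sends a bare file name in ?file= and an action in ?action= (read|delete).
declare(strict_types=1);

const BASE_DIR = __DIR__ . '/files';

/**
 * Steps 1 and 2: map a user-supplied name to a canonical path inside $base.
 * Returns the path, or null if the name must be rejected.
 */
function resolve_safe_path(string $base, string $name): ?string
{
    // Step 1: allowlist the format. Only a short name with a known extension
    // passes: no "/", no "\", no "..", no NUL byte, no wrapper prefix (php://).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(txt|csv|log)\z/', $name)) {
        return null;
    }
    // Step 2: canonicalise. realpath() resolves symlinks and any ".." and
    // returns false when the file does not exist.
    $path = realpath($base . '/' . $name);
    if ($path === false) {
        return null;
    }
    // The resolved path must still be inside $base. Compare with the trailing
    // separator so that a sibling directory such as "files-private" is rejected.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$base = realpath(BASE_DIR);
if ($base === false) {
    http_response_code(500);
    exit('storage directory missing');
}

// Step 3 at runtime: open_basedir can be tightened (never loosened) from a
// script, so even a bug in the checks above cannot reach files outside $base.
ini_set('open_basedir', $base);

$name   = $_GET['file']   ?? '';
$action = $_GET['action'] ?? 'read';

$path = resolve_safe_path($base, $name);
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}

switch ($action) {
    case 'read':
        header('Content-Type: text/plain; charset=utf-8');
        readfile($path);
        break;
    case 'delete':
        if (unlink($path)) {
            echo 'deleted';
        } else {
            http_response_code(500);
            echo 'delete failed';
        }
        break;
    default:
        http_response_code(400);
        echo 'unknown action';
}
```

A request such as ?action=read&file=report.txt succeeds, while ?file=../config/admin.php fails at the regular expression, a symlink inside ./files that points elsewhere fails at the realpath() prefix check, and a file reached through any remaining gap is still blocked by open_basedir. The stricter design is to never accept a file name from the client at all: send an opaque identifier and look the file name up server-side, which removes the path question entirely.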

Origin blog.csdn.net/weixin_45007073/article/details/113554147