Basic Web Vulnerabilities: File Inclusion Vulnerabilities

Table of contents

1. Introduction to file inclusion vulnerabilities

1. The principle of file inclusion vulnerabilities

2. Common file inclusion functions

3. Classification of file inclusion vulnerabilities

Local file inclusion vulnerability

Remote file inclusion vulnerability

3. Hazards of file inclusion vulnerabilities

4. Preventive measures for file inclusion vulnerabilities

5. File inclusion bypass methods

Null character bypass

Overlong character bypass



1. Introduction to file inclusion vulnerabilities

1. The principle of file inclusion vulnerabilities

In essence, this is a file call vulnerability.

During development, the same code is often needed in several places. Rather than writing it repeatedly, developers put it in a separate file and include that file wherever it is needed. If the client can influence which file is included, this mechanism can be made to call other, malicious files, and calling malicious files in this way forms a file inclusion vulnerability.

2. Common file inclusion functions

  • PHP: include(), include_once(), require(), require_once()
  • JSP/Servlet: java.io.File(), java.io.FileReader()
  • ASP: include file, include virtual

3. Classification of file inclusion vulnerabilities

They can be divided into 2 categories:

  1. Local file inclusion vulnerability
  2. Remote file inclusion vulnerability

Local file inclusion vulnerability

  As the name suggests, local file inclusion occurs when conditions permit, meaning that security protection is not in place, and a file on the local server is added to the include path through this weakness.

Remote file inclusion vulnerability

  The cause of a remote file inclusion vulnerability is the same as that of a local file inclusion vulnerability, except that the included file is hosted on an external server and is executed from there.

3. Hazards of file inclusion vulnerabilities

An attacker can read configuration files and other sensitive files on the web server, and if the vulnerability is combined with a webshell to execute malicious code, the harm is greater. Generally speaking, remote file inclusion vulnerabilities are more harmful.

4. Preventive measures for file inclusion vulnerabilities

1. Use str_replace and similar methods to filter out dangerous characters.

2. Configure open_basedir to prevent directory traversal (open_basedir limits the files that PHP can open to the specified directory tree).

3. Upgrade the PHP version to prevent %00 truncation.

4. Rename uploaded files to prevent them from being read.

5. Set a whitelist for dynamically included files; files that are not on the whitelist will not be read.

6. Divide administrator permissions properly, manage file permissions carefully, and keep the allow_url_include and allow_url_fopen settings as restrictive as possible.
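
One way to implement measure 5 (a whitelist for dynamically included files), shown as an added example that is not part of the original post. The pages directory, the page names and the resolve_page() function are hypothetical.

```php
<?php
// Added example: whitelist-based include resolution, with a realpath()
// containment check as a second layer. All names here are hypothetical.

const PAGE_DIR = __DIR__ . '/pages';   // assumed directory holding includable files

// Whitelist: request value => fixed file name. User input never becomes a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Anything that is not an exact whitelist key is rejected, so traversal
    // sequences, URLs and null bytes never reach the filesystem.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: the resolved file must exist and stay under PAGE_DIR
    // (this also catches a symlink that points outside the directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Pattern this replaces: include $_GET['page'];
// Typical use: $file = resolve_page($_GET['page'] ?? 'home');
//              if ($file === null) { http_response_code(404); exit; }
//              include $file;

// Constructed sample inputs. 'home' resolves only if pages/home.php exists.
$samples = ['home', '../../etc/passwd', 'http://example.com/x.txt', "home\0.jpg"];
foreach ($samples as $s) {
    $r = resolve_page($s);
    printf("%-30s => %s\n", json_encode($s), $r === null ? 'rejected' : 'include ' . $r);
}
```

Because the request value is only ever used as an array key, this check does not depend on the PHP version or on character filtering, and it works alongside open_basedir and allow_url_include rather than replacing them.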

5. File inclusion bypass methods

Null character bypass

  Null character bypass is a vulnerability in PHP versions earlier than 5.3.4. These versions accept null characters in a path, so under some conditions an attacker can bypass access restrictions by placing this character after a safe file name.
  The prerequisites are that the PHP version is earlier than 5.3.4 and that magic quotes (magic_quotes_gpc) are turned off.

Overlong character bypass

  Overlong character truncation relies on the operating system's limit on the maximum length of a directory path. A directory path in Windows cannot exceed 256 bytes, and a directory path in Linux cannot exceed 4096 bytes. The excess is discarded.
  You can use "./" as padding; of course "./" is not the only option, and "." can also be used. As for which ones can bypass the restriction, you can try it yourself.


Origin blog.csdn.net/weixin_62421736/article/details/130976522