Preconditions
1. The session storage location can be determined
2. The contents of the session file can be controlled
Reproduction steps
1. Set up two web sites: one for the file inclusion, and one for controlling the contents of the session file
<VirtualHost 192.168.239.134>
DocumentRoot "/www/session"
<Directory "/www/session">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Listen 8000
<VirtualHost 192.168.239.134:8000>
DocumentRoot "/www/include"
<Directory "/www/include">
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
include.php includes whatever file is named by its parameter, relative to the document root. To keep the reproduction simple, include.php applies no restrictions or filtering.
Contents of the session site's document root:
2. Use the session site to control the contents of the session file; here a one-line webshell ("one-sentence Trojan") is written directly
The payload we supplied is written into the session file through the ctfs GET parameter
Inspect the session file with cat:
3. Use the file inclusion to include the payload in the session file
Here we need to know where the session files are stored. This can be obtained from phpinfo, or by trying the default session storage location. The default /var/lib/php/session is used here
We also need the session file name. Session files are generally named sess_<session id>, and the session id can be read from the browser's developer tools
Copy it into the filename parameter of the file inclusion and submit
The payload is included successfully, and a shell is obtained with Ant Sword
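From the defender's side, the three steps above leave a recognisable trace in the web server's access log: the include endpoint's parameter pointing at the session directory or at a sess_<id> file name, often via an absolute path or traversal. The following detector is an added example, not code from the original write-up; the log lines are constructed, and the parameter name filename and the include.php endpoint are taken from the text above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not from the original page).
SAMPLE_LOG = """\
192.168.239.1 - - [10/Oct/2023:12:00:01 +0000] "GET /include.php?filename=about.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.239.1 - - [10/Oct/2023:12:00:07 +0000] "GET /include.php?filename=/var/lib/php/session/sess_a1b2c3d4 HTTP/1.1" 200 95 "-" "Mozilla/5.0"
192.168.239.1 - - [10/Oct/2023:12:00:09 +0000] "GET /include.php?filename=..%2F..%2F..%2Fvar%2Flib%2Fphp%2Fsession%2Fsess_a1b2c3d4 HTTP/1.1" 200 95 "-" "Mozilla/5.0"
192.168.239.1 - - [10/Oct/2023:12:00:12 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP names session files sess_<id>; the default store is /var/lib/php/session(s).
SESSION_FILE_RE = re.compile(r'(^|/)sess_[A-Za-z0-9,-]+$')
SESSION_DIR_RE = re.compile(r'/php/sessions?/')
# A leading "/" (absolute path) or a ".." segment climbing out of the web root.
TRAVERSAL_RE = re.compile(r'(^/|(^|/)\.\.(/|$))')


def check_include_param(value: str) -> list[str]:
    """Return the reasons one include-parameter value looks like session-file inclusion."""
    decoded = unquote(unquote(value))  # collapse double URL-encoding before matching
    reasons = []
    if SESSION_FILE_RE.search(decoded):
        reasons.append("session file name (sess_<id>)")
    if SESSION_DIR_RE.search(decoded):
        reasons.append("session directory path")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("absolute path or traversal")
    return reasons


def scan_log(text: str, include_param: str = "filename") -> list[tuple]:
    """Scan access-log text; return (ip, timestamp, raw value, reasons) per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        for value in query.get(include_param, []):
            reasons = check_include_param(value)
            if reasons:
                alerts.append((m["ip"], m["ts"], value, reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The same check applied in include.php itself (resolve the path, then require it to sit under an allow-listed directory) is the mitigation; the log scan is the retrospective detection.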
Summary
First write the payload into the session file by exploiting the controllable session content, then determine the path of the session file, and finally use the file inclusion to include the payload