0x01 What is a file inclusion vulnerability?
When the server uses PHP functions to include a file and the source of the file name is not strictly filtered, the application can be made to include a malicious file; an attacker constructs that file to achieve the goal of the attack.
0x02 The root cause of the vulnerability
When a file is introduced through a PHP function, the incoming file name is not properly validated, so an unexpected file (i.e. a malicious file) gets included.
0x03 Is the file inclusion vulnerability only in PHP?
Obviously not; it is just that file inclusion vulnerabilities are most common in PHP, and most of them are found in PHP web applications. Almost every scripting language provides a file inclusion facility, but the vulnerability is very rare, or even non-existent, in JSP, ASP and ASP.NET programs. This is a drawback of the language design.
0x04 Types of file inclusion vulnerabilities
Local File Inclusion (LFI)
A malicious file already exists on the web server itself and is then included through a local path.
Requirements:
(1) allow_url_fopen=On
(2) The user can dynamically control the variable
Remote File Inclusion (RFI)
A malicious file hosted on another site is fetched and included.
Requirements:
(1) allow_url_include=On && allow_url_fopen=On (both options must be turned on at the same time)
(2) The user can dynamically control the variable
Note 1: Usually we cannot tell from the web side whether allow_url_fopen and allow_url_include are on unless phpinfo is exposed. Local inclusion is usually possible because the option is on by default and few people change it. Remote inclusion is usually off, but this is not guaranteed.
Note 2: Starting from PHP 5.2, allow_url_include defaults to Off, while allow_url_fopen has always defaulted to On. Developers will not normally enable it unless there are special circumstances, so the probability of a remote file inclusion vulnerability is very low, but that does not mean it does not exist.
0x05 Common file inclusion functions (need to be used during white box testing)
PHP: include(), require(), include_once(), require_once()
ASP: include file(), include virtual()
JSP/Servlet: java.io.File(), java.io.FileReader()
Note 1: During white-box testing, you can do a global search of the code for the functions above. If they are present, there may be a file inclusion vulnerability, and further testing can be carried out.
Note 2: Developers usually use the two _once variants less often, because checking whether a file was already included consumes more resources.
Note 3: I specifically asked my PHP developer colleagues which of the above functions is used the most, and got a unanimous reply: there is no single most-used one; it depends on the project scenario.
0x06 How to mine file inclusion vulnerabilities
Look for keywords such as page, filename, file, path, dir in the URL. Parameters whose names relate to files may be file inclusion points. If you have read my article summarizing directory traversal vulnerabilities, you know the keywords there are very similar, or even the same, so the discovery methods are similar too.
0x07 How to exploit file inclusion vulnerability
(1) PHP pseudo-protocols (stream wrappers)
• php://input (reads the raw POST body)
Requirements:
A. allow_url_include=On
B. allow_url_fopen=On
C. PHP version lower than 5.3.0
Usage:
• php://filter
Requirements:
allow_url_fopen=On; allow_url_include is not required
Usage:
index.php?file=php://filter/read=convert.base64-encode/resource=index.php
By specifying a file at the end of resource=, you can read its source code base64-encoded, then decode it to recover sensitive files. (You cannot get a shell directly, so the impact is moderate, but being able to read sensitive files is, from a certain perspective, quite serious.)
• phar://
Requirements:
PHP version 5.3.0 or higher
Usage:
Compress 1.txt, which contains a one-line webshell, into 1.zip, then specify the path, for example:
index.php?file=phar://D:\phpstudy\PHPTutorial\WWW\1.zip\1.txt   // absolute path
index.php?file=phar://1.zip/1.txt   // here 1.zip is in the same directory as index.php
• zip://
Requirements: PHP version 5.3.0 or higher
Usage:
index.php?file=zip://D:\phpstudy\PHPTutorial\WWW\1.zip%231.txt
Note: The zip pseudo-protocol is used in much the same way as phar, but zip:// cannot take a relative path (it fails otherwise), and the # separator must be URL-encoded as %23.
• data: URL scheme
Requirements:
A. PHP version 5.2 or higher
B. allow_url_fopen=On
C. allow_url_include=On
Usage:
index.php?file=data:text/plain,<?php phpinfo();?>
index.php?file=data:text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b
Note: The URL encoding of the plus sign + is %2b. Base64 is used here for bypassing. I originally did not want to write about this point, because the exploitation conditions are strict, and if they are met it is better to exploit remote file inclusion directly. However, it is helpful for bypassing a WAF, so I describe it here.
(2) Including an uploaded file
Requirements:
The absolute path and file name of the uploaded file
Note: I can't cover the exploitation details here; that would take another article. Sometimes file upload runs into whitelist checks, so our image webshell cannot be paired with a parsing vulnerability. If a file inclusion vulnerability happens to exist at that point, we can combine the two to get a shell.
Note: The two main methods listed above are the commonly used file inclusion techniques. I will not list the rarely used ones one by one, because this article is also a summary of my own learning. I think inclusion of session, log, environ and similar files is rarely used, so I won't describe it here, but I have noted it. When I need it in the future I will go back and study it carefully; otherwise, if I learn it now and don't use it for a long time, I will forget it.
If you want to have a comprehensive understanding, here are some articles summarized by seniors.
https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/
https://www.freebuf.com/articles/web/182280.html
0x08 Impact of the vulnerability
1. In the worst case, a malicious file can be written and a shell obtained
2. Sensitive information leakage through arbitrary file reading
Note: The impact of this vulnerability on its own is limited, but combined with file upload it becomes severe.
0x09 How to prevent the vulnerability
1. Strict permission management on files;
2. Filter dangerous characters such as ../, ~/, etc.;
3. Use a whitelist policy so that only specified files are allowed to be included and run. (I think this method is the most appropriate.) For example:
The code is hard-coded: when the variable file is not equal to include.php, an error message is output and the file is not found. In my opinion this method can basically prevent this vulnerability, although I cannot rule out that there is a bypass I am not skilled enough to find.
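The hard-coded whitelist described above, written out as an added example (it is not the article's own code); it assumes a pages/ directory next to the script and the two page keys shown:

```php
<?php
// Added example, not the article's own code: the hard-coded whitelist
// include recommended above. Assumption: the application only ever needs
// to include the pages listed in $allowed_pages, stored under pages/.
// The request value is used as an array key and never as a path, so
// wrappers (php://, data:, zip://, phar://), ../ traversal, %00 and
// length/dot truncation have nothing to operate on.

$allowed_pages = [
    'home'    => 'home.php',
    'include' => 'include.php',
];

// Whitelist check: exact match on the key, nothing else is accepted.
function page_allowed(string $param, array $allowed): bool
{
    return array_key_exists($param, $allowed);
}

// Map an allowed key to a real path, refusing anything outside $base_dir.
function resolve_page(string $param, array $allowed, string $base_dir): ?string
{
    if (!page_allowed($param, $allowed)) {
        return null;
    }
    $base = realpath($base_dir);
    $real = realpath($base_dir . '/' . $allowed[$param]);
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Command-line demonstration with the payloads from this article (constructed inputs).
    $probes = ['include', 'php://filter/read=convert.base64-encode/resource=index.php',
               '../../../../etc/passwd%00', 'data:text/plain,<?php phpinfo();?>', 'zip://1.zip%231.txt'];
    foreach ($probes as $p) {
        echo str_pad($p, 60), page_allowed($p, $allowed_pages) ? 'allowed' : 'rejected', "\n";
    }
    exit;
}

$target = resolve_page($_GET['file'] ?? 'home', $allowed_pages, __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    echo 'File not found';
    exit;
}
include $target;
```

Run from the command line, only the key "include" is reported as allowed; every pseudo-protocol and truncation payload is rejected before it could ever reach include().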
Knowledge supplement
The difference between phar:// and zip://:
phar://
Can look up files inside the specified archive, and accepts either an absolute or a relative path.
zip://
Used similarly to phar, but with two points to note: only an absolute path can be passed in, and # must be used to separate the archive from the file inside it, with # URL-encoded as %23.
**PS:** The above is my summary after studying and practicing. It is purely my personal opinion. If there are any shortcomings, you are welcome to point them out in the comment area.
Common bypass ideas:
★ Restricted local file inclusion bypass (suffix specified) ★
0x01 %00 truncation
Prerequisites:
PHP < 5.3.4, magic_quotes_gpc=Off
Usage:
?path=../../../../etc/passwd%00
0x02 Path length truncation
Prerequisite: PHP < 5.2.8
Usage:
?file=flag.txt/./././././././././././././././././././
Note: The maximum path length is 4096 bytes on Linux and 256 bytes on Windows; just keep repeating ./ until it is exceeded.
0x03 Dot truncation
Prerequisites:
PHP < 5.2.8, Windows only
Usage:
?file=flag.txt...
The techniques above are basically invalid from PHP 5.3 onward. Is there any way to truncate after that version? Here I saw an article by a senior that introduced a pseudo-truncation method.
Note: The following ideas are taken from
https://www.jianshu.com/p/fb054a6fd851
★ Restricted remote file inclusion bypass (suffix specified) ★
0x04 Question mark truncation
Prerequisites:
Unknown; anyone on PHP > 5.3 can try it.
Usage:
?file=http://localhost/phpinfo.txt?
Note: The principle is that the web server treats everything after ? as request parameters, and phpinfo.txt is not parsed by the web server, so the question mark achieves a pseudo-truncation of the appended suffix.
0x05 # bypass
Prerequisites:
Unknown; anyone on PHP > 5.3 can try it.
Usage:
?file=http://localhost/phpinfo.txt#
0x06 Space bypass
Prerequisites:
Unknown; anyone on PHP > 5.3 can try it.
Usage:
?file=http://localhost/phpinfo.txt%20
0x07 Bypass using a pseudo-protocol
Prerequisites: none
Usage:
?file=zip://D:\phpstudy\WWW\fileinclude\chybeta.zip%23chybeta
Here you need to compress the phpinfo file in advance! If you don't understand, read the basics section above.
**Note:** Pictures and ideas are taken from
https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/
Tips for bypassing WAF
There are many ways to get around a WAF, and I can't give a detailed plan here; on the road to bypassing a WAF you usually need to record and observe its filtering rules. The following are just some of my own experiences.
I believe everyone hunting for file inclusion vulnerabilities will run into the WAF filtering ../, ~/, read, and special symbols such as single quotes, double quotes, # and so on. This is not only the case for file inclusion; you will have met it with injection, XSS, RCE, etc. Each vendor's WAF rules are different, and the specifics still have to be determined by observation.
0x01 ../ and ..\ bypass
Use URL encoding: for example %2e%2e%2f / %2e%2e%5c, ..%2f / ..%5c, etc.
Use double encoding: URL-encode the already URL-encoded value again.
For example: %252e%252e%252f / %252e%252e%255c
0x02 Greedy inclusion
Scenario: index.php?img=1.jpg
Prerequisite: unknown
Usage:
index.php?img=php://filter/resource=../flag.php|jpg
(This payload comes from a CTF challenge.)
0x03 wildcard bypass
I do not have a working technique for wildcard bypass. I checked some articles but could not summarize a reliable method, so I'll wait and see. If anyone knows one, please give me some guidance.
0x04 Base64 encoding bypass
Usage:
?file=php://filter/convert.base64-encode/resource=index.php
0x05 Reading files with the data pseudo-protocol
Prerequisite: allow_url_include=On
Usage:
file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
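As an added, defender-side counterpart to the bypass techniques above (this is not code from the article), the detector below normalises request targets the way a WAF must before matching, then flags the patterns catalogued in this section; the access-log lines, client IP and parameter names are constructed for the example:

```php
<?php
// Added example, not code from the article: a small detector for the
// file-inclusion request patterns catalogued in the bypass sections above.
// As a WAF should, it normalises the request before matching: repeated
// percent-decoding (so %252e%252e%252f becomes ../), backslash to slash,
// lower-casing. The access-log lines at the bottom are constructed samples.

function normalize_uri(string $uri): string
{
    // Decode until the value stops changing, bounded so it cannot loop forever.
    for ($i = 0; $i < 3 && ($d = rawurldecode($uri)) !== $uri; $i++) {
        $uri = $d;
    }
    return strtolower(str_replace('\\', '/', $uri));
}

// Names of the indicators that fire for one request target.
function lfi_indicators(string $uri): array
{
    $n = normalize_uri($uri);
    $checks = [
        'traversal'      => '~\.\./~',                 // ../ incl. %2e%2e%2f, %252e%252e%252f, ..%5c
        'null-byte'      => '~\x00~',                  // %00 truncation
        'stream-wrapper' => '~=(php|zip|phar|data):~', // php://filter, zip://, phar://, data:
        'remote-url'     => '~=https?://~',            // remote inclusion, with or without ? # %20 suffix
        'truncation-pad' => '~(/\.){10,}|\.{10,}~',    // path-length and dot truncation padding
    ];
    return array_keys(array_filter($checks, fn($re) => preg_match($re, $n) === 1));
}

// Pull the request target out of combined-format access-log lines and scan each.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (preg_match('~"(?:GET|POST) (\S+) HTTP/~', $line, $m) && ($hits = lfi_indicators($m[1]))) {
            $findings[$m[1]] = $hits;
        }
    }
    return $findings;
}

// Constructed sample lines (203.0.113.x is a documentation address range).
$sample = [
    '203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /index.php?file=home HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /index.php?file=%252e%252e%252fetc/passwd%00 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:10:00:04 +0000] "GET /index.php?file=http://203.0.113.9/phpinfo.txt? HTTP/1.1" 200 512',
];
foreach (scan_access_log($sample) as $target => $hits) {
    echo $target, ' => ', implode(', ', $hits), "\n";
}
```

The first line produces no finding; the second is reported as traversal plus null-byte, the third as stream-wrapper, and the fourth as remote-url, which is the point of decoding before matching rather than matching the raw string a WAF rule would miss.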
Knowledge summary
1. The scenarios where %00 truncation can be used are limited; use it according to the situation.
2. PHP pseudo-protocols work better for bypassing a WAF.
3. Most file inclusion vulnerabilities require truncation.
4. The %00 truncation problem has been fully fixed since PHP 5.3.
5. Question marks (?) and pound signs (#) in URLs may affect the result of include.
6. In short, when in doubt just try %00 truncation, hehe.
What knowledge do you need to learn to get started with the basics of network security?
Cybersecurity learning route
This is an overview of the learning route outline for network security from basic to advanced. Friends, please remember to click and add it to your collection!
Stage One: Basic Introduction
Introduction to Cyber Security
Penetration Testing Basics
Network basics
Operating system basics
Web security basics
Database basics
Programming basics
CTF basics
After completing this stage, you can earn an annual salary of 15w+
Stage 2: Technical advancement (at this point you are considered a beginner)
Weak passwords and password blasting
XSS vulnerability
CSRF vulnerability
SSRF vulnerability
XXE vulnerability
SQL injection
Arbitrary file manipulation vulnerability
Business logic vulnerability
The annual salary after studying at this stage is 25w+
Stage three: high-level promotion
Deserialization vulnerability
RCE
Comprehensive shooting range practical project
Intranet penetration
Traffic Analysis
Log analysis
Malicious code analysis
Emergency Response
Practical training
After completing this stage, you can earn an annual salary of 30w+
Phase 4: Blue Team Course
Blue Team Basics
Blue team advanced
This section focuses on the defense of the blue team, the network security engineers who are more easily understood by everyone.
With both offense and defense, the annual salary income can reach 400,000+
Stage 5: Interview Guide & Stage 6: Upgraded Content
You need the network security supporting videos, source codes and more network security related books & interview questions corresponding to the above roadmap.