TOP16: File inclusion -- Xiao Hei's super-detailed explanation + case descriptions <Treasure Article>

  Foreword:

         When a file is introduced through one of PHP's inclusion functions (for example include($_REQUEST[666])) and the incoming file name is not properly validated, an unexpected file may be operated on, which can lead to sensitive file leaks or even malicious code injection.

         With file inclusion, a file of any type is executed as a PHP file.

         Only by understanding a vulnerability can you master it; the key is to practise while understanding.

Table of contents

1. Understand how file inclusion works
        1. Conditions
        2. Ways files are included
        3. Common functions vulnerable to file inclusion

2. Determine whether a file inclusion exists
        For example
        File inclusion path expressions
        Common sensitive directories
                windows
                linux

3. DVWA case practice
        LOW
                Local file inclusion (LFI)
                        Case 1
                        Case 2
                        Expand
                Remote file inclusion (RFI)
        Medium level
        High level
        PHP pseudo-protocols


1. Understand how file inclusion works

        1. Conditions:

                 (1) A function such as include() introduces the file to be included through a dynamic variable.
                 (2) The user can control that dynamic variable.

        2. Ways files are included

             Local file inclusion: a vulnerability that reads or executes local files, where "local" means files on the target server. Combined with a file upload, an uploaded Trojan file can be parsed as PHP once its upload path is known.

             Remote file inclusion: if the php.ini option allow_url_include is On, remote files can be loaded, i.e. the include can jump to another host and load a remote file; a file hosted elsewhere can then be loaded directly to execute arbitrary commands.

        3. Common functions vulnerable to file inclusion

(1) require        if the included file cannot be found, a fatal error is raised and the script stops running.

(2) include        if the included file cannot be found, only a warning is raised and the script continues to execute.

(3) require_once   like require, except that a file whose code has already been included is not included again.

(4) include_once   like include, except that a file whose code has already been included is not included again.
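The two conditions above can be seen side by side in code. The following is an added example, not code from the article or from DVWA: the vulnerable pattern, and an allowlist-based fix that removes condition (2) because no user-supplied characters ever reach include(). The PAGES map, the pages/ directory and the page keys are assumptions made for illustration.

```php
<?php
// Added example (not from the original article): the vulnerable pattern
// beside an allowlist-based fix. The page keys, file names and the pages/
// directory are constructed for illustration.

// --- Vulnerable: the user fully controls which file is included ----------
function include_vulnerable(array $request): void
{
    // Equivalent to include($_REQUEST['page']): any readable file, and with
    // allow_url_include=On any remote URL, is parsed and executed as PHP.
    include $request['page'];
}

// --- Hardened: map a short key to a fixed file; never include user input --
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page key to an include path, or null when the key is unknown.
 * Because only the fixed right-hand side of PAGES is ever included,
 * "../", stream wrappers such as php://, null bytes and remote URLs in
 * the request have nothing to act on.
 */
function resolve_page(string $key, string $baseDir = __DIR__ . '/pages'): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    return $baseDir . '/' . PAGES[$key];
}

function include_hardened(array $request): void
{
    $key  = isset($request['page']) ? (string) $request['page'] : 'home';
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

// CLI demonstration with constructed inputs (the last two reuse paths that
// appear elsewhere in this article).
foreach (['home', '../../../etc/passwd', 'http://www.baidu.com/dvwa/1.txt'] as $input) {
    printf("%-36s -> %s\n", $input, resolve_page($input) ?? 'rejected');
}
```

The map-based approach is preferable to filtering: a filter has to anticipate every encoding of "../", whereas the allowlist makes the question moot. Where a map is impractical (many files), the containment check shown later in this article's medium/high level discussion is the fallback.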

 

2. Determine whether a file inclusion exists

      For example:

                 The file inclusion page in DVWA opens the corresponding file through the page parameter, and that page parameter is user-controllable. You can try to open some private files; this has the effect of an unrestricted local file inclusion and therefore also produces the effect of directory traversal.

    File inclusion path expressions:

             If a file inclusion is found but there is nowhere to upload a script, first determine whether the target host runs Windows or Linux, then collect information on sensitive directories. If a file cannot be opened, there is no access permission. (A relative path presupposes knowing the absolute path.) The same file can be expressed as:

 As a filesystem path: C:/phpstudy/www/dvwa/xxx

 As a URL: http://127.0.0.1/dvwa/xxx

 As a relative path: ../../../dvwa/xxx

Note: a file cannot be opened without the corresponding permission.

       Common sensitive directories:

 windows

C:\boot.ini                                 view the system version
C:\windows\system32\inetsrv\MetaBase.xml    IIS configuration file
C:\windows\repair\sam                       stores the passwords from the initial Windows installation
C:\Program Files\mysql\my.ini               MySQL configuration
C:\Program Files\mysql\data\user.MYD        root password
C:\windows\php.ini                          PHP configuration information

 linux

/etc/passwd                                           account information
/etc/shadow                                           account password information
/usr/local/app/apache2/conf/httpd.conf                Apache2 configuration file
/usr/local/app/apache2/conf/extra/httpd-vhost.conf    virtual host configuration
/usr/local/app/php5/lib/php.ini                       PHP related configuration
/etc/httpd/conf/httpd.conf                            Apache configuration file
/etc/my.cnf                                           MySQL configuration file

 

 3. DVWA case practice

            LOW

            Local file inclusion (LFI)

                    Case 1: combined with file upload

                        Work together with a file upload to obtain the path of the script file, then connect to it. First upload the file to the target server through the upload function and record the path of the uploaded file.

                         Put the file path after the page parameter; the inclusion jumps to that file and executes it.

                          Whatever the file's extension, it is parsed and executed as PHP, so finally a webshell client such as China Chopper ("kitchen knife") can connect to it.

                        Case 2: Apache log file inclusion

                           When a file inclusion is found but there is nowhere to upload a file, the Apache log can take the place of the upload. First place the getshell code after the URL of the site, and in Burp Suite change the URL-encoded request back to the original getshell code. [The path of the Apache log file depends on the Apache version; check the documentation for the version in use.]

                                The recorded getshell statement can be seen in Apache's access.log or in the error log. Then access access.log through the file inclusion, which triggers PHP parsing of the log, and finally connect with China Chopper or another tool.

Expand:

                                    Because the file inclusion reads the Apache log as PHP, it can also trigger XSS (cross-site scripting), which perhaps leaves more room for operation. But when a payload with an externally introduced handler (such as <svg/onload=alert(1)>) is encountered, the content is not reflected back to the front-end page (as phpinfo output would be); by default all of the content is executed as a PHP script, so a getshell is possible.
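The log-poisoning case above also tells a defender what to look for in the same log. The following is an added example, not from the article: a PHP CLI script that scans Apache access-log lines for inclusion probes (path traversal, sensitive file names, stream wrappers, remote URLs) and for PHP tags that a client has written into the log. The log lines are constructed samples in Combined Log Format; the request paths follow the DVWA URL layout used in this article, and the indicator list is an assumption, not an exhaustive signature set.

```php
<?php
// Added example (not part of the original article): scan Apache access-log
// lines for file-inclusion probes and for PHP tags written into the log by
// a client. SAMPLE_LOG is constructed; replace it with file_get_contents()
// of the real access.log.

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [10/Mar/2023:10:01:02 +0800] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:10:01:07 +0800] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2089 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:10:01:11 +0800] "GET /dvwa/vulnerabilities/fi/?page=C:/windows/php.ini HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:10:01:20 +0800] "GET /<?php echo 'probe'; ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:10:01:31 +0800] "GET /dvwa/vulnerabilities/fi/?page=/var/log/apache2/access.log HTTP/1.1" 200 98211 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2023:10:02:00 +0800] "GET /dvwa/index.php HTTP/1.1" 200 4402 "-" "Mozilla/5.0"
LOG;

/** Indicators of a file-inclusion probe: label => regular expression. */
const INDICATORS = [
    'traversal'  => '#(\.\./|\.\.\\\\|%2e%2e%2f)#i',
    'sensitive'  => '#(/etc/(passwd|shadow)|boot\.ini|php\.ini|httpd\.conf|my\.(ini|cnf)|\.log\b)#i',
    'wrapper'    => '#\b(php|data|zlib|glob|ftp|file)://#i',
    'remote_url' => '#[?&]page=https?://#i',
    'php_tag'    => '#<\?(php|=)#i',   // a PHP tag inside a request is the log-poisoning precondition
];

/**
 * Return one finding per suspicious line: ['line' => n, 'ip' => client, 'labels' => [...]].
 * Lines that match no indicator are dropped.
 */
function scan_access_log(string $log): array
{
    $findings = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        $labels = [];
        foreach (INDICATORS as $label => $regex) {
            if (preg_match($regex, $line)) {
                $labels[] = $label;
            }
        }
        if ($labels) {
            $ip = strtok($line, ' ');          // first field of the combined log format
            $findings[] = ['line' => $i + 1, 'ip' => $ip, 'labels' => $labels];
        }
    }
    return $findings;
}

foreach (scan_access_log(SAMPLE_LOG) as $f) {
    printf("line %d  %-10s %s\n", $f['line'], $f['ip'], implode(',', $f['labels']));
}
```

A php_tag hit followed by an include of a `.log` path from the same client is exactly the sequence described in Case 2 and is worth alerting on as a pair. The mitigation is independent of detection: keep the log directory outside the web root and unreadable by the web server's user account, and fix the include itself so that a log file can never be selected in the first place.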

 

          Remote file inclusion (RFI)

            Condition:

                 If the PHP configuration options allow_url_include and allow_url_fopen are both On, the include/require functions can load remote files.

                 For example, if a script file exists at http://www.baidu.com/dvwa/1.txt, it can be fetched and executed remotely; alternatively you can run a web service yourself and host a getshell on it so that the remote file inclusion executes it. However, the conditions for remote file inclusion are more stringent, so not every target can be used this way.

                  A simple verification method is to append a Baidu address after the parameter; if the page jumps to it, remote inclusion is proven.

 

Medium level

             The principle is the same, just with some added filtering conditions.

             Possible bypasses are double-writing, 00 (null-byte) truncation (conditions: magic_quotes_gpc=Off and PHP version < 5.3.4) and path-length truncation (condition: Windows OS). The filter affects remote file inclusion; for local inclusion it has no effect when the absolute path is known, while the ../ of a relative path is stripped and can be bypassed by double-writing.

LFI

RFI

    HIGH level

         Only the file:// protocol is accepted for reading local files; remote file execution is not supported, and you need to know the absolute path of the file.
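For the medium and high levels, the following is an added example (not the DVWA source and not from the article) that contrasts a single-pass string filter of the kind described above with a containment check based on realpath(), and reports the php.ini switches that decide whether remote inclusion is possible at all. The pages/ base directory, the presence of pages/include.php and the sample inputs are assumptions.

```php
<?php
// Added example (not DVWA's code and not from the article): why a one-pass
// string filter is insufficient, beside a realpath()-based containment
// check. $baseDir and the sample inputs are constructed for illustration.

/** Single-pass removal of "../" and "http://", as a naive filter would do. */
function naive_filter(string $file): string
{
    return str_replace(['../', '..\\', 'http://', 'https://'], '', $file);
}

/**
 * Hardened check: the requested name must resolve, after symlinks and "..",
 * to an existing regular file strictly inside $baseDir, and must not carry
 * a stream-wrapper scheme (php://, data://, http://, file://, ...).
 * Returns the canonical path, or null when the request must be refused.
 */
function safe_include_path(string $file, string $baseDir): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $file) || strpos($file, "\0") !== false) {
        return null;                          // wrappers and NUL bytes are never legitimate here
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment: $real must start with "$base/" (not merely with "$base",
    // which would also accept a sibling directory such as pages2/).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** The php.ini switches that govern remote inclusion, as seen by this process. */
function inclusion_ini_report(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') ?: '(unset)',
    ];
}

// Demonstration with constructed inputs. The second input is the
// double-written form mentioned above: the naive filter collapses it to
// "../../etc/passwd", whereas realpath() finds no directory named "...."
// and the containment check refuses it.
$baseDir = __DIR__ . '/pages';
foreach (['include.php', '....//....//etc/passwd', '../../etc/passwd', 'file:///etc/passwd'] as $in) {
    printf("%-26s naive=%-22s hardened=%s\n",
        $in, naive_filter($in), safe_include_path($in, $baseDir) ?? 'rejected');
}
print_r(inclusion_ini_report());
```

The containment check is what the high level's "file:// only, absolute path required" rule is really reaching for: it does not try to recognise bad strings, it asks where the name actually resolves to. With allow_url_include=Off (the default since PHP 5.2) and allow_url_fopen=Off, the RFI variant of this vulnerability is closed regardless of what the filter does, and open_basedir adds a second fence around LFI.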

 PHP pseudo-protocols

file://   access the local file system; not affected by allow_url_fopen and allow_url_include
http://   access HTTP URLs
ftp://    access FTP(S) URLs
php://    access various input/output (I/O) streams
zlib://   compression streams
data://   data (RFC 2397)
glob://   find file paths matching a pattern


Origin blog.csdn.net/G_WEB_Xie/article/details/129725561