table of Contents
First, the basic concept
- File contains
the same functions written to a separate file called directly required - File Inclusion Vulnerabilities
file will be included in the set to a variable, leading to a malicious client can call a malicious file - related functions
- include()
- include_once()
- require()
- require_once ()
the include () If the file is not found, reported only warning; require () error stop
once the value contains a description
will be directly executed when an executable file that contains
Second, the local file that contains
- Implementation included
when included, do not have to include .php files, as long as contains a complete php code, for example a.jpg, content<?php phpinfo();?> - Specific scene
due to the wide variety of file types are included, so when achieved, the focus is to find a controlled document- For example, the ability to upload pictures, go through the complete image file with php code, or the code file to change the suffix
- Pseudo-compressed protocol
Third, the Remote File Inclusion
- Conditions included remote
- allow_url_fopen
- allow_url_include
[http|https|ftp]://www.bbb.com/shell.txt
If the suffix-coded, can be used? Bypassed
for example,www.bbb.com/shell.txt?a.phpPseudo-protocol
- php Archive
- phar://archive.zip/file.txt
- zip: //archive.zip#dir/file.txt (# sometimes need to be replaced 23%)
- Use php stream
- php: // filter element is a wrapper for the application to open the data flow filtration filter. Very useful file functions-in-one, similar readfile (), file () and file_get_contents ()
?file=php://filter/convert.base64-encode/resource=index.php - php: // input
utilization conditions:- 1、allow_url_include=On
- 2, allow_url_fopen not required
- php: // input can not read data processed POST
- php: // filter element is a wrapper for the application to open the data flow filtration filter. Very useful file functions-in-one, similar readfile (), file () and file_get_contents ()
- php Archive
Fourth, the specific scene
Log files
web server will request written to the log file, such as apache. When a user initiates a request, the request is written access.log, when an error occurs writes an error error.log. By default, the log path stored in / var / log / apahce2 /System environment
https://www.youtube.com/watch?v=dlh0ogYy9ys- session
- php file generated by default Session often in the presence of the / tmp directory
- session.upload_progress.enabled this parameter in php.ini enabled by default, if not Off, it will generate a file upload progress during the upload process, it can get to save the file path in phpinfo