DVWA - File Inclusion

File Inclusion

A file inclusion vulnerability arises when a URL parameter is passed to one of PHP's dynamic inclusion functions (include(), require(), include_once(), require_once()) without strict checking of where the file comes from; the attacker can then read arbitrary files or, if they can get PHP code into an included file, execute arbitrary commands. File inclusion vulnerabilities are divided into local file inclusion (LFI) and remote file inclusion (RFI). Remote file inclusion additionally depends on the PHP configuration: both allow_url_fopen and allow_url_include must be enabled before the server will include a file from a remote URL (allow_url_include is off by default).

LOW:

Viewing the source code shows that the server-side page performs no filtering or checking at all on the page parameter.

The server expects the user to click one of the three links below; it then includes the corresponding file and returns the result. Note that when the server includes a file it attempts to execute it as PHP regardless of the file's extension: if the content is PHP code it is executed normally and the result is returned, otherwise the file's contents are printed verbatim. This is why file inclusion vulnerabilities often lead to arbitrary file read and arbitrary command execution.

Clicking file1.php includes that file and displays its output.

In reality, an attacker will not politely click those links: the page parameter is under the user's control and can be set to anything.

When we include a file that does not exist, gxy.php, an error is displayed, and the error message gives away the site's absolute path on the server. This path disclosure is itself useful to an attacker, since local inclusion by absolute path needs it.

Create a new file 1.txt in the test folder on the C: drive, then change the page parameter in the DVWA URL to that file's absolute path. The file is read successfully.

Medium

The Medium-level code adds str_replace calls that process the page parameter: the strings "http://", "https://", "../" and "..\" are replaced with the empty string, that is, deleted.

This can be bypassed by doubling the strings, because str_replace makes a single pass and does not re-scan its own output. For example, with page=hthttp://tp://192.168.27.156/1.txt, str_replace deletes the inner http://, leaving page=http://192.168.27.156/1.txt, and the remote file is fetched and executed.

Also, since only "../" and "..\" are replaced, including a file by absolute path is not restricted in any way.

192.168.27.156/dvwa/vulnerabilities/fi/?page=hthttp://tp://192.168.27.156/shell.php

I don't have a shell.php here.
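As an added example (not code from the original post or from DVWA), the following Python re-implements the Low and Medium filters as the text describes them and shows why the doubling trick works: Python's str.replace has the same single-pass, left-to-right semantics as PHP's str_replace. It also contrasts two fixes, deleting until the string stops changing (which still lets absolute paths through) and an exact allow-list of filenames; the allow-list contents are an assumption.

```python
"""Simulation of DVWA's Low- and Medium-level File Inclusion filters.

Added Python re-implementation modelled on the page's description, not
DVWA's own PHP. Python's str.replace has the same single-pass,
left-to-right, non-overlapping semantics as PHP's str_replace, which is
exactly the property the doubling bypass exploits.
"""

# Strings the Medium level deletes from the page parameter.
STRIPPED = ("http://", "https://", "../", "..\\")

# Hypothetical allow-list for the hardened check: the three files the
# Low-level page links to are assumed to be the only legitimate targets.
ALLOWED_PAGES = frozenset({"file1.php", "file2.php", "file3.php"})


def low_filter(page: str) -> str:
    """Low level: the parameter reaches include() untouched."""
    return page


def medium_filter(page: str) -> str:
    """Medium level: one pass of deletions, never re-scanning the result.
    'hthttp://tp://' loses its inner 'http://' and collapses to 'http://',
    and '....//' collapses to '../' the same way."""
    for bad in STRIPPED:
        page = page.replace(bad, "")
    return page


def strip_until_stable(page: str) -> str:
    """Repeat the deletions until nothing changes. This defeats the doubling
    trick but is still a blacklist: an absolute path contains none of the
    stripped strings and passes unchanged."""
    while True:
        cleaned = medium_filter(page)
        if cleaned == page:
            return cleaned
        page = cleaned


def whitelist_check(page: str) -> bool:
    """The actual fix: only an exact, known filename is ever included."""
    return page in ALLOWED_PAGES


def classify(page: str) -> dict:
    """Run one request value through each filter for side-by-side comparison."""
    return {
        "low": low_filter(page),
        "medium": medium_filter(page),
        "stable": strip_until_stable(page),
        "whitelist": whitelist_check(page),
    }


if __name__ == "__main__":
    # Constructed sample requests: a legitimate name, the page's doubling
    # payload, a doubled traversal sequence, and the absolute-path bypass.
    for value in (
        "file1.php",
        "hthttp://tp://192.168.27.156/1.txt",
        "....//....//etc/passwd",
        "C:/test/1.txt",
    ):
        print(f"{value!r:40} -> {classify(value)}")
```

Run it directly to watch each sample request go through the filters. The stable-strip variant shows why patching the blacklist is not enough: C:/test/1.txt is untouched by every deletion, and only the allow-list rejects it.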


High

The High-level code uses the fnmatch function to check the page parameter: the server will only include the file if the parameter begins with "file". This is a prefix check on the string, not a check on where the resolved file actually lives, so it can be bypassed with the file:// protocol wrapper, which starts with "file" yet points at any local path:

192.168.27.156/dvwa/vulnerabilities/fi/?page=file:///C:/phpStudy/PHPTutorial/WWW/dvwa/php.ini

The server's configuration file is read successfully.

To get arbitrary command execution at this level, the inclusion has to be combined with a file upload vulnerability: first upload a file whose content is PHP code, then include the uploaded file via the file:// protocol (the absolute path of the uploaded file must be known), which results in arbitrary command execution.
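As an added example (not code from the original post or from DVWA), the following Python models the High-level fnmatch("file*") check and shows that the page's file:/// payload passes it while a bare absolute path such as C:/test/1.txt does not, which is why the wrapper is needed. The hardened replacement, an exact allow-list plus a realpath containment check, is the fix a practitioner would want instead of a prefix match; the allow-list, the temporary include directory and the sample payloads are assumptions constructed for the demo.

```python
"""Simulation of DVWA's High-level File Inclusion check and a hardened
replacement.

Added Python example modelled on the page's description (fnmatch requiring
the parameter to begin with "file"); not DVWA's own PHP. For the glob
"file*", Python's fnmatch.fnmatchcase behaves like PHP's fnmatch.
"""

import fnmatch
import os
import tempfile
from typing import Optional

# Hypothetical allow-list of the only pages the application should include.
ALLOWED_PAGES = frozenset({"file1.php", "file2.php", "file3.php"})


def high_check(page: str) -> bool:
    """High level as described: the value only has to begin with 'file'.
    A prefix check says nothing about what follows, so 'file:///C:/...'
    (PHP's file:// stream wrapper) passes while still naming any local path."""
    return fnmatch.fnmatchcase(page, "file*")


def safe_include_path(page: str, base_dir: str) -> Optional[str]:
    """Hardened replacement: exact allow-list of bare filenames, then a
    realpath containment check so that even a symlinked entry cannot escape
    base_dir. Wrappers (file://, http://), absolute paths and traversal never
    reach the filesystem because they are not in the allow-list."""
    if page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target if os.path.isfile(target) else None


def demo() -> dict:
    """Build a throwaway include directory (constructed for the demo) and
    compare both checks on a legitimate name, the page's file:/// payload,
    a bare absolute path and a traversal attempt."""
    with tempfile.TemporaryDirectory() as base:
        for name in ALLOWED_PAGES:
            with open(os.path.join(base, name), "w") as fh:
                fh.write("<?php echo 'hello'; ?>\n")
        payloads = (
            "file1.php",
            "file:///C:/phpStudy/PHPTutorial/WWW/dvwa/php.ini",  # page's payload
            "C:/test/1.txt",  # blocked by the prefix check, hence the wrapper
            "../../etc/passwd",
        )
        return {
            p: {"high": high_check(p), "safe": safe_include_path(p, base) is not None}
            for p in payloads
        }


if __name__ == "__main__":
    for payload, verdict in demo().items():
        print(f"{payload!r:55} {verdict}")
```

The interesting row is the file:/// one: the prefix check accepts it, the allow-list rejects it. Note that the allow-list alone already blocks every payload here; the realpath check is defence in depth against entries that resolve outside the include directory.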


Origin www.cnblogs.com/7-58/p/12300770.html