0x00 Background
Many readers will probably look at this with disdain and consider it old news:
.htaccess files as a PHP backdoor
So here is a newer one: .user.ini. It applies more widely than .htaccess: whether the server is nginx, Apache or IIS, this method works as long as PHP runs through FastCGI. My nginx servers all use fpm/FastCGI, my IIS servers with PHP 5.3 and above all use FastCGI/CGI, and on Windows I also run Apache with fcgi, so the coverage is very wide and it does not have the limitations of .htaccess.
0x01 .user.ini
So what is .user.ini?
This has to start from php.ini. php.ini is the default PHP configuration file and holds a large number of PHP settings. These settings are divided into several modes: PHP_INI_SYSTEM, PHP_INI_PERDIR, PHP_INI_ALL and PHP_INI_USER. The full list is here: http://php.net/manual/zh/ini.list.php What is the difference between these modes? See the official explanation:
[Image: the PHP manual's table explaining these modes]
It says that settings with mode PHP_INI_USER can be set with the ini_set() function, in the registry, and in .user.ini. So what is this .user.ini configuration file? The official documentation explains:
In addition to the main php.ini, PHP scans for INI files in each directory, starting from the directory of the PHP file being executed and working up to the web root ($_SERVER['DOCUMENT_ROOT']). If the PHP file being executed is outside the web root, only its own directory is scanned.
Only INI settings with the modes PHP_INI_PERDIR and PHP_INI_USER are recognized in .user.ini-style INI files.
This makes it clear that .user.ini is effectively a php.ini that the user can "customize", and the settings we can customize are those with the modes PHP_INI_PERDIR and PHP_INI_USER. (PHP_INI_PERDIR, which the table above does not mention, can also be set in .user.ini.)
In fact, settings of every mode other than PHP_INI_SYSTEM (including PHP_INI_ALL) can be set through .user.ini.
Also, unlike php.ini, .user.ini is an INI file that is loaded dynamically. That is, after modifying .user.ini there is no need to restart the server middleware; you only need to wait for the time set by user_ini.cache_ttl (300 seconds by default) and it is reloaded.
Then I went through the configuration items in php.ini, and was frustrated to find that every even slightly sensitive item is PHP_INI_SYSTEM (or even php.ini only), including disable_functions, extension_dir, enable_dl and so on. However, we can still easily construct a "backdoor" with a .user.ini file.
Two of the PHP configuration items are more interesting: auto_append_file and auto_prepend_file. Here is what they mean:
auto_prepend_file specifies a file that is automatically included before the file to be executed, similar to calling require() at the top of that file. auto_append_file is similar, except that the file is included after the executed file. Usage is straightforward; write it directly in .user.ini:
auto_prepend_file=01.gif
01.gif is the file to be included.
So .user.ini makes it easy to have every PHP file "automatically" include a file, which can be a normal PHP file or a file containing a one-line webshell.
I tested this on IIS 6.0 + FastCGI + PHP 5.3 and on nginx + fpm + PHP 5.3. The directory contains .user.ini, 01.gif containing the webshell, and a normal PHP file, echo.php.
Accessing echo.php shows the backdoor running.
The result is the same under nginx.
So, thinking deviously, under what circumstances can this trick be used? For example, when a site does not allow uploading .php files, you can upload a .user.ini and then upload an image carrying a webshell for it to include, and get a shell that way. The precondition is that the folder containing the .user.ini must already have a normal PHP file in it, otherwise nothing gets included. And if you just want to hide a backdoor, this is the most convenient way.
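A defender-side check for the pattern described above, as an added example that is not code from the original article: it walks a web root for .user.ini files that set auto_prepend_file or auto_append_file and flags include targets that are not .php. It assumes the default per-directory file name .user.ini; the function names and the sample directory are constructed for illustration.

```python
import os
import re
import tempfile
# Directives that force an include on every PHP request in the directory.
INCLUDE_DIRECTIVES = {"auto_prepend_file", "auto_append_file"}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_user_ini(text):
    """Return {directive: value} for the include directives in one INI file."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.split(";", 1)[0])  # drop INI comments
        if m and m.group(1) in INCLUDE_DIRECTIVES:
            found[m.group(1)] = m.group(2).strip("\"'")
    return {k: v for k, v in found.items() if v}  # empty value = switched off

def scan_webroot(root, ini_name=".user.ini"):
    """Report every per-directory INI under root that forces an include."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ini_name not in files:
            continue
        ini_path = os.path.join(dirpath, ini_name)
        with open(ini_path, errors="replace") as fh:
            directives = parse_user_ini(fh.read())
        for name, target in directives.items():
            findings.append({
                "ini": ini_path,
                "directive": name,
                "target": target,
                # An include target that is not .php (an image, say) is suspicious.
                "non_php_target": not target.lower().endswith(".php"),
                # Scripts here run the include (as do scripts in subdirectories).
                "php_in_dir": sorted(f for f in files if f.lower().endswith(".php")),
            })
    return findings

def demo():
    """Scan a constructed directory that mirrors the article's test layout."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in ((".user.ini", "auto_prepend_file=01.gif\n"),
                           ("01.gif", "GIF89a constructed placeholder\n"),
                           ("echo.php", "<?php echo 'hi';\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Setting user_ini.filename to an empty value in php.ini stops PHP from scanning for per-directory INI files at all, which removes this vector where .user.ini is not needed.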