Let's analyze the source code of the DVWA file that contains the vulnerability.
First, the main page is the file D:\AppServ\www\dvwa\vulnerabilities\fi\index.php; the main part of its code is as follows.
In this code, a switch statement first assigns low.php, medium.php or high.php to the variable $vulnerabilityfile according to the security level chosen by the user; require_once then loads the selected page, and finally the variable $file is included with the include function.
The variable $file is set in low.php, medium.php or high.php.
In low.php, the user's data is read from the page parameter and assigned to the variable $file; as you can see, the page parameter receives no filtering at all.
In medium.php, the data submitted by the user is passed through str_replace(), which replaces http:// and https:// with an empty string; this is mainly intended to prevent remote file inclusion.
The files we included earlier were all local files on the target server, which is why this is called local file inclusion (LFI). Files on a remote server can actually be included as well, for example http://127.0.0.1/dvwa/vulnerabilities/fi/?page=Php://192.168.80.132/info.php, which is called remote file inclusion (RFI). RFI is clearly more powerful, but for it to work two PHP settings, allow_url_fopen and allow_url_include, must both be enabled; both are off by default, so RFI is usually not possible. It is said that this can be bypassed through wrappers such as "zlib://" and "ogg://", but I have not found relevant information and have not verified it, so this question is set aside for the time being.
In summary, medium has no effect on LFI, so the file inclusion operations used earlier can still be executed.
Finally, look at high.php. Here an if statement checks whether the user's input is include.php; if it is not, an error is printed and the script exits. In effect, only include.php is allowed to be included. This is one of the safest defensive measures; of course, in practice there may be several files the user can choose from, in which case only a few more checks are needed. With this design there is no file inclusion vulnerability.
The approach to finding file inclusion vulnerabilities is the same as before: search for functions such as include(), include_once(), require() and require_once(), and check whether their arguments can be controlled by the user and whether any defensive measures are taken.
For example, in the following code, include_once() includes the variable $lang, which comes from user input without any processing, creating a file inclusion vulnerability.
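The pattern discussed above (user-controlled include in low.php and the $lang example) and the allowlist defence of high.php, as an added example that is not DVWA's own code; it extends the high.php idea to several permitted files, and the file names and the error message are assumptions.

```php
<?php
// Added example (not DVWA's own code): the unfiltered include that low.php
// and the $lang snippet exhibit, beside an allowlist check in the spirit of
// high.php, generalized to several permitted files.

// --- Vulnerable pattern: the include target comes straight from the request ---
function vulnerable_page(): void
{
    $file = $_GET['page'];   // no filtering at all: paths and wrappers pass through
    include($file);
}

// --- Hardened pattern: exact-match allowlist of include targets ---
// Hypothetical file names; list only the pages the application really serves.
const ALLOWED_PAGES = ['include.php', 'file1.php', 'file2.php', 'file3.php'];

function resolve_page(string $requested): ?string
{
    // Strict comparison against fixed names, so neither a traversal sequence
    // nor an http:// or php:// wrapper can ever reach include().
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/' . $requested;
}

function hardened_page(): void
{
    $requested = isset($_GET['page']) ? (string) $_GET['page'] : 'include.php';
    $path = resolve_page($requested);
    if ($path === null) {
        // Like high.php: refuse anything not on the list and stop.
        http_response_code(400);
        echo 'ERROR: File not found!';
        exit;
    }
    include($path);
}

// Self-check of the allowlist with constructed inputs (runs with zend.assertions=1).
assert(resolve_page('include.php') !== null);                     // allowed
assert(resolve_page('../../index.php') === null);                 // LFI-style path rejected
assert(resolve_page('http://192.168.80.132/info.php') === null);  // RFI-style URL rejected
```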
This article is from the blog "a pot of turbid wine"; please contact the author before reproducing it!
DVWA Series 16: file inclusion vulnerability mining and defense